Fortinet Document Library

Version:


Table of Contents

New Features

7.0.0
Download PDF
Copy Link

Application signature dissector for DNP3

The DNP3 application signature dissector supports detecting DNP3 traffic that is encapsulated by the RealPort protocol (Net.CX). DNP3 is used in industrial solutions over serial ports, USB ports, printers, and so on. RealPort encapsulation allows transportation of the underlying protocols over TCP/IP. The FortiGate industrial signatures must be enabled to use RealPort.DNP3 signatures:

config ips global
    set exclude-signatures none
end

IPS engine version 7.0015 and later support RealPort.DNP3 dissectors.

Sample logs
119: date=2021-03-09 time=18:56:35 eventtime=1615344995698958507 tz="-0800" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="vd1" appid=49890 srcip=10.1.100.191 dstip=172.16.200.159 srcport=43946 dstport=771 srcintf="port10" srcintfrole="undefined" dstintf="port9" dstintfrole="undefined" proto=6 service="RLDNP3" direction="incoming" policyid=1 sessionid=1204 applist="test" action="pass" appcat="Industrial" app="RealPort.DNP3" incidentserialno=88083610 msg="Industrial: RealPort.DNP3," apprisk="elevated"
1: date=2021-03-09 time=18:56:08 eventtime=1615344968811546102 tz="-0800" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="vd1" appid=49899 srcip=10.1.100.191 dstip=172.16.200.159 srcport=43946 dstport=771 srcintf="port10" srcintfrole="undefined" dstintf="port9" dstintfrole="undefined" proto=6 service="RLDNP3" direction="outgoing" policyid=1 sessionid=1204 applist="test" action="pass" appcat="Industrial" app="RealPort.DNP3_Confirm" incidentserialno=88083404 msg="Industrial: RealPort.DNP3_Confirm," clouduser="34 -> 34" filename="Null" apprisk="elevated" cloudaction="others"

Application signature dissector for DNP3

The DNP3 application signature dissector supports detecting DNP3 traffic that is encapsulated by the RealPort protocol (Net.CX). DNP3 is used in industrial solutions over serial ports, USB ports, printers, and so on. RealPort encapsulation allows transportation of the underlying protocols over TCP/IP. The FortiGate industrial signatures must be enabled to use RealPort.DNP3 signatures:

config ips global
    set exclude-signatures none
end

IPS engine version 7.0015 and later support RealPort.DNP3 dissectors.

Sample logs
119: date=2021-03-09 time=18:56:35 eventtime=1615344995698958507 tz="-0800" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="vd1" appid=49890 srcip=10.1.100.191 dstip=172.16.200.159 srcport=43946 dstport=771 srcintf="port10" srcintfrole="undefined" dstintf="port9" dstintfrole="undefined" proto=6 service="RLDNP3" direction="incoming" policyid=1 sessionid=1204 applist="test" action="pass" appcat="Industrial" app="RealPort.DNP3" incidentserialno=88083610 msg="Industrial: RealPort.DNP3," apprisk="elevated"
1: date=2021-03-09 time=18:56:08 eventtime=1615344968811546102 tz="-0800" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="vd1" appid=49899 srcip=10.1.100.191 dstip=172.16.200.159 srcport=43946 dstport=771 srcintf="port10" srcintfrole="undefined" dstintf="port9" dstintfrole="undefined" proto=6 service="RLDNP3" direction="outgoing" policyid=1 sessionid=1204 applist="test" action="pass" appcat="Industrial" app="RealPort.DNP3_Confirm" incidentserialno=88083404 msg="Industrial: RealPort.DNP3_Confirm," clouduser="34 -> 34" filename="Null" apprisk="elevated" cloudaction="others"