FortiGate answers for non-existent IP addresses when well-known ports are scanned
Description
When scanning IP addresses behind a FortiGate, you may receive a response even if the IP address does not exist.
Scope
This can happen when the traffic matches a firewall policy that has proxy-based UTM profiles enabled.
In that case, when the FortiGate receives packets on the ports being inspected, it completes the TCP connection with the client first, before attempting to connect to the destination IP address. The client therefore sees a completed handshake on those ports even when no host exists at the destination, which makes the address appear to be live.
Solution
If you want to change this behavior, you can use one of the following options:
- Refine the policy so that proxy-based AV is only enabled for the specific IP addresses that need it.
- Use 'inspect-all' rather than a specific port in the profile-protocol-options, so that no proxying is done until a connection with the destination has actually been established.
- If using FortiOS 5.2, use flow-based UTM profiles instead of proxy-based ones.
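The following CLI fragment is an added illustration of the three options above; it is not part of the original article and not Fortinet-supplied configuration. It uses FortiOS 5.x CLI syntax as I know it; the object names (proxy-av-hosts, proxy-opts-inspect-all, av-flow), the policy ID 10 and the 192.0.2.10 address are placeholders, and the exact keywords should be checked against the CLI reference for the FortiOS version actually in use. Lines starting with '#' are comments.

```text
# Added example (not from the article): FortiOS 5.x CLI sketches of the
# three ways to stop the proxy from answering for non-existent hosts.
# All object names, the policy ID and the address are placeholders.

# Option 1: limit the proxy-AV policy to the hosts that really need it,
# so only traffic to known, existing servers is ever proxied.
config firewall address
    edit "proxy-av-hosts"
        set subnet 192.0.2.10 255.255.255.255
    next
end
config firewall policy
    edit 10
        set dstaddr "proxy-av-hosts"
        set utm-status enable
        set av-profile "default"
        set profile-protocol-options "default"
    next
end

# Option 2: 'inspect-all' instead of a fixed port list in the
# protocol options, so the proxy is not engaged until the destination
# has completed the connection. The weak setting it replaces would be
# 'set ports 80' under 'config http'.
config firewall profile-protocol-options
    edit "proxy-opts-inspect-all"
        config http
            set inspect-all enable
        end
    next
end

# Option 3 (FortiOS 5.2): a flow-based AV profile, which inspects
# packets in-line and never terminates the client's TCP connection.
config antivirus profile
    edit "av-flow"
        set inspection-mode flow-based
    next
end
```

After applying any of these, re-run the same port scan against an address that is known to be unused: with the proxy no longer answering on the client's behalf, the inspected ports should now show the same result as every other port on that address.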
