I think you should whitelist it. Here's why: the IP ratings lookups that the FortiGate does over UDP 53 are NOT really DNS-formatted packets. So any standard IPS will break or, worse, block (if enabled) on these packets. Read this to see how a Cisco ASA inspect deemed the FortiMail queries not DNS-formatted, and a method I built to get around this.
http://socpuppet.blogspot.com/2013/12/a-cisco-asa-breaking-fortimail-why.html
http://socpuppet.blogspot.com/2014/01/followup-to-cisco-asa-breaking.html
It's a bummer that Fortinet chose to use a well-known port, and I bet other application-aware firewalls or IPSes will also generate alerts or cause problems. So just whitelist/exempt the source IP address that the FortiMail uses.
NOTE: If you do a pcap of the DNS traffic from the FortiMail, you will find that other tools fail to decode these datagrams as well.
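
To illustrate the point in the post above, an added example that is not part of the original post: a strict DNS query parser of the kind an inspection engine applies to UDP/53, run over one well-formed query and one opaque payload. Both sample payloads are constructed; the opaque one is a stand-in and is not Fortinet's actual lookup format.

```python
import struct

class NotDNS(ValueError):
    """Payload on UDP/53 does not parse as a DNS query."""

def parse_query(payload: bytes) -> str:
    """Strictly parse a client-to-server DNS datagram; return the QNAME."""
    if len(payload) < 12:
        raise NotDNS("shorter than the 12-byte DNS header")
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000:
        raise NotDNS("QR bit set on a client-to-server datagram")
    if flags & 0x0040:
        raise NotDNS("reserved Z bit set")
    if qd != 1:
        raise NotDNS(f"QDCOUNT={qd}, expected 1")
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            raise NotDNS("QNAME runs past the end of the datagram")
        n = payload[pos]
        pos += 1
        if n == 0:            # root label terminates the name
            break
        if n > 63:            # top two bits set: not a plain label
            raise NotDNS(f"label length byte {n:#x} is not a plain label")
        label = payload[pos:pos + n]
        if len(label) != n:
            raise NotDNS("label truncated")
        labels.append(label.decode("ascii", "replace"))
        pos += n
    if len(payload) - pos < 4:
        raise NotDNS("missing QTYPE/QCLASS")
    pos += 4
    if an + ns + ar == 0 and pos != len(payload):
        raise NotDNS("trailing bytes after the question section")
    return ".".join(labels)

def classify(payload: bytes):
    """Return (True, qname) for a valid query, (False, reason) otherwise."""
    try:
        return True, parse_query(payload)
    except NotDNS as exc:
        return False, str(exc)

# Constructed samples: a standard A/IN query, and an opaque non-DNS payload.
GOOD_QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
              + b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1))
OPAQUE = bytes.fromhex("a1b2") + b"\xff" * 30

if __name__ == "__main__":
    for name, data in (("GOOD_QUERY", GOOD_QUERY), ("OPAQUE", OPAQUE)):
        print(name, classify(data))
```

Running the same check over payloads extracted from a pcap of the appliance's UDP/53 traffic shows which datagrams an inspection engine would reject before you scope the exemption to that source address.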