Please help me identify that flows

Forum|Forum|6 years ago
February 4, 2020
1 reply
16760 views

I spent some times on fortianalyzer NOC view. Then i noticed some internal users have a lot of blocked udp outgoing connections. So far nothing looks suspicious on workstations. Whatsoever, i'd really like to understand what is going on.

So if you have any ideas.

ty

Sample

Annotation 2020-02-04 174617.png

Best answer by andrewbailey

Hi diardnic, What are the clients may I ask? I traced a similar issue a year or two back to Windows 10 machines. There is a setting that allows windows 10 to pull updates via other Windows 10 machines (even outside your network). Originally the behaviour was to allow peering to any other Windows 10 machine and the results look a bit like what you are seeing. Lots of connections to random consumer IP addresses. I think The behaviour has now been changed and by default it now only uses machines on the local subnet. But it is still a setting that can be changed. Even by end users if not locked down. Let me know if that sounds plausible and I’ll try and find a screenshot or link for you. Kind Regards, Andy.