jmlux
New Member
November 4, 2015
Question

strange DNS traffic


Hello all,

 

We have noticed non-DNS traffic on port 53 from the Fortigate to the Internet (because we have another firewall between the Fortigate and the Internet ;) )

 

1.2.3.4 1798 208.91.112.196 53 udp flow from InternetTransit:1.2.3.4/1798 to Internet:208.91.112.196/53 terminated by inspection engine, reason - inspector disconnected, dropped packet.

 

Wireshark shows this:

 

What is that??


    Sylvia
    Explorer
    November 4, 2015

    Most probably this is the Fortiguard Communication for Webfilter and Antispam to the Fortiguard Server.

    Check in the WebUI: System > Fortiguard, go to the bottom and open "Webfilter and Antispam".

    Here you can configure if the Fortigate should use port 53 or port 8888 for the communication.

     

    Regards,

    Sylvia

    jmlux
    New Member
    November 5, 2015

    Sylvia wrote:

    Most probably this is the Fortiguard Communication for Webfilter and Antispam to the Fortiguard Server.

    Check in the WebUI: System > Fortiguard, go to the bottom and open "Webfilter and Antispam".

    Here you can configure if the Fortigate should use port 53 or port 8888 for the communication.

    But we have that disabled anyway.

    Ian_Harrison
    New Member
    November 6, 2015

    Hi

     

    Looks like you have disabled the push updates from Fortiguard to your device; however, scheduled update requests from your device to Fortiguard are still enabled on port 53. As mentioned, you can change this to port 8888.

     

    Also the IP address 208.91.112.196 is in the range owned by Fortinet so probably one of their Fortiguard servers.  

     

    Hope that helps

     

    Ian
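
Added example, not part of the thread and not Fortinet code: a minimal structural check of the kind a DNS inspection engine applies, for triaging UDP/53 payloads exported from a capture. The function names and both sample payloads are constructed for illustration; the opaque sample is not a FortiGuard capture.

```python
import struct

ASSIGNED_OPCODES = {0, 1, 2, 4, 5, 6}   # IANA-assigned DNS opcodes; 3 and 7-15 are unassigned

def _skip_name(buf, off):
    """Return the offset just past the name at `off`, or None if it is malformed."""
    total = 0
    while off < len(buf):
        n = buf[off]
        if n == 0:                        # root label terminates the name
            return off + 1
        if n & 0xC0 == 0xC0:              # compression pointer: two bytes, ends the name
            return off + 2 if off + 2 <= len(buf) else None
        if n > 63:                        # 0x40 / 0x80 label types are not valid
            return None
        total += n + 1
        if total > 254:                   # a name is at most 255 octets including the root
            return None
        off += n + 1
    return None                           # ran off the end of the datagram

def classify_udp53(payload):
    """Return 'dns' or 'non-dns: <reason>' for one UDP payload seen on port 53."""
    if len(payload) < 12:
        return "non-dns: shorter than the 12-byte header"
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode not in ASSIGNED_OPCODES:
        return "non-dns: unassigned opcode %d" % opcode
    if flags & 0x0040:                    # reserved Z bit must be zero
        return "non-dns: reserved Z bit set"
    if not flags & 0x8000 and opcode == 0 and qdcount != 1:
        return "non-dns: standard query without exactly one question"
    off = 12
    for _ in range(qdcount):              # each question: name + QTYPE + QCLASS
        off = _skip_name(payload, off)
        if off is None or off + 4 > len(payload):
            return "non-dns: malformed question section"
        off += 4
    return "dns"

# Constructed samples: a well-formed A query for example.com, and opaque bytes
SAMPLE_DNS_QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
                    + b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1))
SAMPLE_OPAQUE = bytes(range(0x80, 0xA0))

if __name__ == "__main__":
    for name, data in (("query", SAMPLE_DNS_QUERY), ("opaque", SAMPLE_OPAQUE)):
        print(name, "->", classify_udp53(data))
```

A "non-dns" verdict only says the payload does not parse as a DNS message; identifying the actual protocol still requires checking the destination and the sending device's configuration, as discussed in the replies above.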