Description | The article describes how to block outbound connections to IP 169.254.169.254 over port 80 on the FortiSIEM collector. |
Scope | v7.2.X and later on-premise FortiSIEM collector. |
Solution |
Since collector HA was introduced in v7.2.0, the collector tries to connect to the IP 169.254.169.254 over port 80. The IP address 169.254.169.254 is a link-local IP address, often used for services like AWS metadata or Azure Metadata. Hence, this connectivity is required only for collectors in a Cloud environment for collector HA to work properly.
As this connectivity is not needed in on-premise collectors, run the following commands on the collector to block the connection requests using the operating system firewall:
# iptables -A OUTPUT -d 169.254.169.254 -p tcp --dport 80 -j REJECT
# iptables-save > /etc/sysconfig/iptables.custom
# echo -e '#!/bin/bash\n/usr/sbin/iptables-restore < /etc/sysconfig/iptables.custom' > /etc/profile.d/iptables-restore.sh
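To confirm the block is in place, the following added example (not part of the original article and not Fortinet code) parses `iptables-save` output and reports whether the REJECT rule for 169.254.169.254:80 exists in the OUTPUT chain and whether an earlier rule shadows it, which matters because `-A` appends to the end of the chain. The function name `check_metadata_block` and both sample rulesets are constructed for illustration; only a bare `-A OUTPUT -j ACCEPT` is treated as shadowing.

```shell
#!/bin/sh
# Added example, not Fortinet code. Reads iptables-save output on stdin.
# Prints a verdict and returns 0 = effective, 1 = missing, 2 = shadowed.
check_metadata_block() {
    awk '
        /^\*/ { in_filter = ($1 == "*filter") }
        in_filter && $1 == "-A" && $2 == "OUTPUT" {
            # An earlier bare "-A OUTPUT -j ACCEPT" wins over an appended rule.
            if (!found && NF == 4 && $3 == "-j" && $4 == "ACCEPT") shadowed = 1
            dst = proto = dport = target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-d")      dst    = $(i + 1)
                if ($i == "-p")      proto  = $(i + 1)
                if ($i == "--dport") dport  = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            sub(/\/32$/, "", dst)   # iptables-save prints host addresses as /32
            if (dst == "169.254.169.254" && proto == "tcp" &&
                dport == "80" && target == "REJECT") found = 1
        }
        END {
            if (!found)   { print "missing";  exit 1 }
            if (shadowed) { print "shadowed"; exit 2 }
            print "effective"
        }
    '
}

# Constructed sample: ruleset after the article's command on an empty OUTPUT chain.
SAMPLE_OK='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
COMMIT'
# Constructed sample: the same rule appended behind an unconditional ACCEPT.
SAMPLE_SHADOWED='*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -j ACCEPT
-A OUTPUT -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

printf '%s\n' "$SAMPLE_OK" | check_metadata_block || true        # effective
printf '%s\n' "$SAMPLE_SHADOWED" | check_metadata_block || true  # shadowed
# On the collector: iptables-save | check_metadata_block
#                   check_metadata_block < /etc/sysconfig/iptables.custom
```

Running the check against both the live ruleset and `/etc/sysconfig/iptables.custom` shows whether the saved file that is restored later still contains the rule.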
Copyright 2025 Fortinet, Inc. All Rights Reserved.