Fortinet Forum
yaronbeny7
New Contributor

Help to read Logs (FortiGate 80C)

Hello,

Please see my screenshot.

In the file "help" I went to FortiView > Destinations

and I saw this. Is this OK?

I do not know the source. If it is dangerous, how do I block it?

I feel that my network is very slow.

Second, I went to FortiView > Source

I saw my web server. Is this OK?

3 REPLIES
JohnAgora
Contributor

You can see the details on the traffic (there's a button, I think on the bottom).

If you don't want the traffic you can block it with a Firewall Policy (or use the IPS, maybe it'll catch it)

yaronbeny7

I did not find the button, and you did not say if it is dangerous.

ede_pfau
Esteemed Contributor III

(Your screenshot is hard to view.)

OK, there are about 20.000 sessions via tcp/53.

Port 53 is usually used for DNS but that is most probably not the case with you. DNS requests are done in UDP/53, TCP/53 is only used for DNS zone transfers. I doubt that this high number of zone transfers is legitimate traffic. It looks more likely to be traffic tunneled over DNS.

Judge by the destination address as well - is this an ISP or a single dial-up host?

I would recommend blocking this from the thin information you gave us.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
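
To put numbers behind the tcp/53 observation in the reply above, here is an added example (not part of the thread and not Fortinet code) that counts TCP sessions to port 53 per source/destination pair in exported traffic logs. The key=value field names (`srcip`, `dstip`, `proto`, `dstport`, `sentbyte`), the sample lines and the threshold of 20 sessions are assumptions constructed for illustration.

```python
import shlex
from collections import Counter


def parse_line(line):
    """Split one key=value log line into a dict (quoted values are handled)."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def tcp53_summary(lines, min_sessions=20):
    """Return (srcip, dstip, sessions, sent_bytes) for pairs with many TCP/53 sessions."""
    sessions, sent = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        # proto=6 is TCP; UDP (17) DNS lookups are deliberately not counted here.
        if rec.get("proto") != "6" or rec.get("dstport") != "53":
            continue
        key = (rec.get("srcip"), rec.get("dstip"))
        sessions[key] += 1
        sent[key] += int(rec.get("sentbyte", 0))
    return [(src, dst, n, sent[(src, dst)])
            for (src, dst), n in sessions.most_common() if n >= min_sessions]


def build_sample():
    """Constructed sample log lines using documentation IP ranges (not real data)."""
    tmpl = ("date=2015-03-01 time=10:{m:02d}:{s:02d} type=traffic srcip={src} "
            "dstip={dst} proto={proto} dstport={port} sentbyte={sent} rcvdbyte=300")
    # One internal host opening many TCP/53 sessions to a single destination.
    lines = [tmpl.format(m=0, s=i, src="192.168.1.20", dst="203.0.113.77",
                         proto=6, port=53, sent=4000) for i in range(30)]
    # Ordinary UDP/53 lookups from another host to a resolver.
    lines += [tmpl.format(m=5, s=i, src="192.168.1.31", dst="198.51.100.53",
                          proto=17, port=53, sent=70) for i in range(40)]
    # A single TCP/53 session and one HTTP session as background traffic.
    lines.append(tmpl.format(m=6, s=0, src="192.168.1.31", dst="198.51.100.53",
                             proto=6, port=53, sent=90))
    lines.append(tmpl.format(m=7, s=0, src="192.168.1.31", dst="198.51.100.80",
                             proto=6, port=80, sent=900))
    return lines


if __name__ == "__main__":
    for src, dst, count, sent_bytes in tcp53_summary(build_sample()):
        print(f"{src} -> {dst}: {count} TCP/53 sessions, {sent_bytes} bytes sent")
```

The pairs it reports are the ones to look up by destination address before deciding on a blocking firewall policy.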