Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
diardnic
New Contributor

Please help me identify these flows

I spent some time in the FortiAnalyzer NOC view. Then I noticed some internal users have a lot of blocked outgoing UDP connections. So far nothing looks suspicious on the workstations. Whatever the case, I'd really like to understand what is going on.

So if you have any ideas.

ty

 

Sample

2 Solutions
andrewbailey

Hi diardnic, what are the clients, may I ask? I traced a similar issue a year or two back to Windows 10 machines. There is a setting that allows Windows 10 to pull updates from other Windows 10 machines (even outside your network). Originally the behaviour was to allow peering with any other Windows 10 machine, and the results look a bit like what you are seeing: lots of connections to random consumer IP addresses. I think the behaviour has now been changed and by default it now only uses machines on the local subnet. But it is still a setting that can be changed, even by end users if not locked down. Let me know if that sounds plausible and I'll try and find a screenshot or link for you. Kind regards, Andy.


ShawnZA

Disable the Windows setting under Delivery Optimization as per the attached screenshot.

 

As soon as the PC is locked, Windows will start doing updates (also a setting that can be changed).

 


13 Replies
Yurisk

I'd suggest tracking the connection(s) at the source, the end PC. Take for example TCPView from Sysinternals by Mark Russinovich (download from the Microsoft site); it will show in real time the process for each connection.

E.g.:

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
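Andy's and Shawn's answers above point at Delivery Optimization (WUDO) internet peering, and Yuri's reply suggests attributing the sockets to a process on the endpoint. The following is an added example for this thread, not code posted by any participant: it reads the effective Delivery Optimization download mode, lists live sockets on the ports Delivery Optimization uses with the owning process, and pins the mode to LAN-only by policy. It assumes Windows 10/11 with the NetTCPIP module and an elevated session. The registry keys, the DODownloadMode value and its mode numbers are the documented Delivery Optimization policy settings; the port numbers (TCP 7680 for peer transfers, UDP 3544 Teredo for peering across NAT to internet peers) are taken from Microsoft's Delivery Optimization documentation.

```powershell
# Added example, not from the thread. Assumes Windows 10/11, NetTCPIP module,
# elevated PowerShell. Keys/value names/mode numbers: documented DO policy
# settings. Ports: TCP 7680 (peer transfer), UDP 3544 (Teredo, internet
# peering across NAT), per Microsoft's Delivery Optimization docs.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
$ConfigKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config'
$ModeName  = @{ 0 = 'HTTP only (no peering)'; 1 = 'LAN'; 2 = 'Group';
                3 = 'Internet'; 99 = 'Simple'; 100 = 'Bypass' }

function Get-DODownloadMode {
    # Policy (GPO/MDM) wins over the Settings-app value when both are present.
    $policy = (Get-ItemProperty -Path $PolicyKey -Name DODownloadMode -ErrorAction SilentlyContinue).DODownloadMode
    $local  = (Get-ItemProperty -Path $ConfigKey -Name DODownloadMode -ErrorAction SilentlyContinue).DODownloadMode
    $effective = if ($null -ne $policy) { $policy } else { $local }
    $meaning = if ($null -eq $effective) { 'not set (OS default)' } else { $ModeName[[int]$effective] }
    [pscustomobject]@{
        PolicyMode    = $policy
        LocalMode     = $local
        EffectiveMode = $effective
        Meaning       = $meaning
        # Mode 3 is the one that produces flows to random consumer IPs.
        InternetPeers = ($effective -eq 3)
    }
}

function Get-DOPeerSocket {
    # PowerShell equivalent of the TCPView check: sockets on the DO ports,
    # the owning PID, and whether that PID is the svchost hosting DoSvc.
    $doPid = (Get-CimInstance Win32_Service -Filter "Name='DoSvc'" -ErrorAction SilentlyContinue).ProcessId
    $rows = @()
    foreach ($c in (Get-NetTCPConnection -ErrorAction SilentlyContinue |
                    Where-Object { $_.LocalPort -eq 7680 -or $_.RemotePort -eq 7680 })) {
        $rows += [pscustomobject]@{
            Proto   = 'TCP'
            Local   = "$($c.LocalAddress):$($c.LocalPort)"
            Remote  = "$($c.RemoteAddress):$($c.RemotePort)"
            State   = $c.State
            Pid     = $c.OwningProcess
            IsDoSvc = ($c.OwningProcess -eq $doPid)
            Process = (Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        }
    }
    foreach ($u in (Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
                    Where-Object { $_.LocalPort -eq 3544 })) {
        $rows += [pscustomobject]@{
            Proto   = 'UDP'
            Local   = "$($u.LocalAddress):$($u.LocalPort)"
            Remote  = '*'
            State   = 'Bound'
            Pid     = $u.OwningProcess
            IsDoSvc = ($u.OwningProcess -eq $doPid)
            Process = (Get-Process -Id $u.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        }
    }
    $rows
}

function Set-DODownloadMode {
    # Pin the mode by policy so the Settings-app toggle cannot re-enable it.
    # 1 = LAN-only peering (what the thread ends up with); 0 = no peering at all.
    param([ValidateSet(0, 1, 2, 3, 99, 100)][int]$Mode = 1)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name DODownloadMode -Value $Mode -Type DWord
    Restart-Service -Name DoSvc -ErrorAction SilentlyContinue
    Get-DODownloadMode
}

# Usage: inspect first, then lock down if internet peering is on.
Get-DODownloadMode
Get-DOPeerSocket | Format-Table -AutoSize
# Set-DODownloadMode -Mode 1
```

On a domain-joined machine the local policy key is overwritten at the next Group Policy refresh, so in a managed environment set Download Mode in the domain GPO (Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization) rather than with Set-DODownloadMode, which is useful for a quick test on one PC, as Shawn did after having the GPO removed. Seeing the UDP side blocked at the firewall without any TCP/7680 traffic is consistent with the peer transfer never getting past NAT traversal, though the thread does not confirm that reading.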
diardnic

Yes Yuri, ty. But now that we have our hands on that laptop, no UDP connection occurs (at least not for now).

Shawn gave a good explanation. I believe he is right. I'm just trying to reproduce what I saw.

ShawnZA

Asked our server guys to remove the GPO policies from my PC, then switched the MS updates on to also download from PCs on the internet... plenty of UDP connections in the logs...

 

 

diardnic

Hi Shawn,

TY, this is very close to what I can see here in our logs.

While we don't have any TCP/7680 packets, and the WUDO setting is enabled, but on local network only.

 
