Morning everyone!
I have a strange issue happening every 5 minutes overnight. Hopefully the logs will help explain, because I have no clue why a user's computer is trying to do an SMB share overnight every 5 minutes, and to another internal IP address, when that address isn't even available in our subnet(s)... This alert string started Sunday 12:04AM and every 5 minutes sent me an email alert until 4:46AM Sunday. As of this writing at 9:18AM I have not seen any new emails since 4:46AM. I am running firmware 6.4.5.
Message meets Alert condition
date=2021-05-02 time=04:42:44 devname=FG101E4Q1700XXXX devid=FG101E4Q1700XXXX eventtime=161994856468459XXXX tz="-0500" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.1.2 srcport=27551 srcintf="lan" srcintfrole="lan" dstip=10.0.0.49 dstport=139 dstintf="wan1" dstintfrole="wan" srccountry="Reserved" dstcountry="Reserved" sessionid=27115274 proto=6 action="deny" policyid=8 policytype="policy" poluuid="01ca75aa-d9d3-51e7-7b0d-95c6322a96b2" policyname="Restricted Services" user="PCIADMIN" authserver="PCI-Server2016" dstuser="LPA" service="SAMBA" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high" mastersrcmac="98:f2:b3:b7:6X:XX" srcmac="98:f2:b3:b7:6X:XX" srcserver=0
Message meets Alert condition
date=2021-05-02 time=04:42:42 devname=FG101E4Q1700XXXX devid=FG101E4Q1700XXXX eventtime=1619948562496900502 tz="-0500" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.1.2 srcport=27550 srcintf="lan" srcintfrole="lan" dstip=10.0.0.49 dstport=445 dstintf="wan1" dstintfrole="wan" srccountry="Reserved" dstcountry="Reserved" sessionid=27115260 proto=6 action="deny" policyid=8 policytype="policy" poluuid="01ca75aa-d9d3-51e7-7b0d-95c6322a96b2" policyname="Restricted Services" user="PCIADMIN" authserver="PCI-Server2016" dstuser="LPA" service="SMB" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high" mastersrcmac="98:f2:b3:b7:6X:XX" srcmac="98:f2:b3:b7:6X:XX" srcserver=0
Thanks for any help possible!
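As an added example (not code from the original post or from Fortinet), here is a small Python parser for the key=value FortiGate traffic-log format shown above that flags source/destination pairs whose denied SMB attempts recur on a regular interval, which is the pattern described in the question. The sample lines are constructed (trimmed to the fields used) and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
# FortiGate traffic logs are space-separated key=value pairs; values may be quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SMB_PORTS = {"139", "445"}  # SMB over TCP, and the NetBIOS session-service fallback

def parse_fortigate_line(line):
    """Return the key=value fields of one FortiGate log line as a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def denied_smb_events(lines):
    """Yield (srcip, dstip, timestamp) for every denied session to an SMB port."""
    for line in lines:
        f = parse_fortigate_line(line)
        if f.get("type") == "traffic" and f.get("action") == "deny" and f.get("dstport") in SMB_PORTS:
            ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
            yield f["srcip"], f["dstip"], ts

def periodic_smb_pairs(lines, min_bursts=3, burst_gap_s=10, tolerance_s=30):
    """Map (srcip, dstip) -> median gap in seconds for pairs whose denied SMB attempts recur
    at a regular cadence. Attempts within burst_gap_s of each other (port 445 immediately
    followed by the port 139 retry, as in the post) are folded into one burst."""
    by_pair = defaultdict(list)
    for src, dst, ts in denied_smb_events(lines):
        by_pair[(src, dst)].append(ts)
    found = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        bursts = [stamps[0]]
        for ts in stamps[1:]:
            if (ts - bursts[-1]).total_seconds() > burst_gap_s:
                bursts.append(ts)
        if len(bursts) < min_bursts:
            continue  # not enough repetitions to call it periodic
        gaps = [(b - a).total_seconds() for a, b in zip(bursts, bursts[1:])]
        med = median(gaps)
        if all(abs(g - med) <= tolerance_s for g in gaps):
            found[pair] = med
    return found

# Constructed sample, trimmed to the fields used; the 04:42 pair mirrors the post, the
# earlier entries are made up to show the 5-minute cadence the poster describes.
SAMPLE = [
    'date=2021-05-02 time=04:32:42 type="traffic" srcip=10.1.1.2 dstip=10.0.0.49 dstport=445 action="deny" service="SMB"',
    'date=2021-05-02 time=04:32:44 type="traffic" srcip=10.1.1.2 dstip=10.0.0.49 dstport=139 action="deny" service="SAMBA"',
    'date=2021-05-02 time=04:37:42 type="traffic" srcip=10.1.1.2 dstip=10.0.0.49 dstport=445 action="deny" service="SMB"',
    'date=2021-05-02 time=04:42:42 type="traffic" srcip=10.1.1.2 dstip=10.0.0.49 dstport=445 action="deny" service="SMB"',
    'date=2021-05-02 time=04:42:44 type="traffic" srcip=10.1.1.2 dstip=10.0.0.49 dstport=139 action="deny" service="SAMBA"',
]
```

Running `periodic_smb_pairs` over a night's worth of forwarded traffic logs narrows the hunt to the (source, destination) pairs worth pulling a process list or scheduled-task listing for on the source host.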
Copyright 2024 Fortinet, Inc. All Rights Reserved.