Hello everyone,
I am using FortiGate 60F with FortiOS 7.2.8. When I opened the Device Inventory Monitor in the management console, it detected as many as 5000 devices. Normally, there are fewer than 100 devices.
No IP addresses are displayed, and the MAC addresses shown are also unnatural. The detected interface v170 segment is a /24 LAN. I believe this detection is a bug. When I restart the FortiGate, it returns to the normal number of devices.
Has anyone else experienced a similar issue?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello @earthlab ,
If it's not a bug, I think one device on your network did a Mac spoofing attack. Because these mac addresses are created randomly.
If you have a network access control device (NAC) you can detect that device. Or you can review your FortiGate system logs maybe FortiGate shows something about that.
Thank you for your response. I also considered the possibility of spoofing, but the number of detected devices is too large for that. Additionally, the detected devices have MAC addresses like 00:00:00:00:00:00, 00:00:00:00:00:01, etc., which seems strange for an attack.
Unfortunately, there is no NAC on this network. This device sends logs to the FortiGate Cloud, but I haven't found any clues there.
I tried to capture mac address on the next of fortigate v170 side L2 intelligent switch.
* The switch's MAC address-table aging time is over 10 days.
uplink----FG ---*----L2SW**-----other devices.
*It has only one connection , and it runs vlan170.
**FDB is here I checked.
And then the swich's FDB talbes said there ware 65 mac addresses.
But Fortigate said 196 devices.
the 196 devices includes bit Multicast address but still too many.
I think thant, if some deveic did a Mac spoofing attack, the Switch will capture mac addresses. isn't it?
Normally there are over 50 devices.
Hey earthlab,
I have not seen that before, and as the devices have disappeared post reboot it is hard to say what happened.
If this reoccurs, you can use this command:
#dia user device list
It dumps the devices, including some information on how the devices were detected; that might give you a better idea of where the device entries come from.
You can also clear the device list that way (without needing to reboot):
#dia user device clear
Cheers,
Debbie
@Debbie_FTNT
Thank you for your response.
>#dia user device list
I have the output of the command.
Like
vd root/0 b0:00:00:00:00:00 gen 248084 req OHUSA/3e
created 1969194s gen 228011 seen 1916738s v170 gen 183728
.... there are so many output.
I found out what time it was detected, but there were no particular abnormalities during that time.
I'm going to think about detecting MAC address snooping outside of the FortiGate.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1547 | |
1031 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.