joseph3325
New Contributor

Firewall DNS Operation Question

Hello All, 

We have noticed in our SIEM that we are receiving an insane amount of DNS logs from our Fortigates for some specific domains. 

These are:

update.microsoft.com
swscan.apple.com
softwareupdate.vmware.com
play.google.com
autoupdate.opera.com
auth.gfx.ms

 

I know that these are some default domains in the firewall - I believe that they may be defaulted as SSL decryption ignore (but not 100% positive).

 

My real question is how to have the Fortigates stop sending the SIEM millions of these events every day, and why are these domains specifically doing it? Is something misconfigured?

Thanks!

2 REPLIES
petertavenier
New Contributor

Got this same issue and found this old question.

 

softwareupdate.vmware.com and auth.gfx.ms were the ones my DNS server noticed. I'm not using the default SSL deep-inspection profile, but I'm also not able to remove it (FortiGate-30D). I noticed the TTL is very short (20 seconds) on these two domains.

 

# diagnose test application dnsproxy 6
worker idx: 0
vfid=0 name=auth.gfx.ms ver=IPv4 timer running,  min_ttl=20:4, cache_ttl=0 , slot=-1, num=1
         95.101.59.100 (ttl=20:10:10)
vfid=0 name=softwareupdate.vmware.com ver=IPv4 timer running,  min_ttl=9:4, cache_ttl=0 , slot=-1, num=1
         2.17.220.33 (ttl=9:9:9)
## filtered

This link might help:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD32406
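
An added example (not from this thread or from Fortinet) that parses text in the shape of the `diagnose test application dnsproxy 6` listing quoted above and estimates how many re-queries per day each entry's short min_ttl implies, so the entries most likely to flood a SIEM can be ranked. The sample text, the third entry with 192.0.2.x addresses, and the one-refresh-per-TTL-expiry model are constructed assumptions, not documented FortiOS behaviour.

```python
import re

# Constructed sample modelled on the dnsproxy output quoted in the thread.
# The third entry (example.invalid, 192.0.2.x) is invented as a long-TTL contrast.
SAMPLE = """worker idx: 0
vfid=0 name=auth.gfx.ms ver=IPv4 timer running,  min_ttl=20:4, cache_ttl=0 , slot=-1, num=1
         95.101.59.100 (ttl=20:10:10)
vfid=0 name=softwareupdate.vmware.com ver=IPv4 timer running,  min_ttl=9:4, cache_ttl=0 , slot=-1, num=1
         2.17.220.33 (ttl=9:9:9)
vfid=0 name=example.invalid ver=IPv4 timer running,  min_ttl=3600:4, cache_ttl=0 , slot=-1, num=2
         192.0.2.10 (ttl=3600:3600:3600)
         192.0.2.11 (ttl=3600:3600:3600)
"""

# Assumption: the first number of min_ttl=N:M and ttl=A:B:C is a TTL in seconds,
# consistent with the reply calling min_ttl=20 "20 seconds".
ENTRY_RE = re.compile(r"^vfid=(\d+) name=(\S+) .*?min_ttl=(\d+):\d+")
ADDR_RE = re.compile(r"^\s+(\S+) \(ttl=(\d+):")


def parse_dnsproxy(text):
    """Return one dict per FQDN entry with its vfid, name, min_ttl and address list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"vfid": int(m.group(1)), "name": m.group(2),
                            "min_ttl": int(m.group(3)), "addrs": []})
            continue
        m = ADDR_RE.match(line)
        if m and entries:  # indented address line belongs to the preceding entry
            entries[-1]["addrs"].append((m.group(1), int(m.group(2))))
    return entries


def refreshes_per_day(ttl_seconds):
    """Upper-bound estimate assuming one re-query each time the TTL expires."""
    return 86400 // ttl_seconds


def noisy_entries(entries, max_per_day=1000):
    """Names whose implied refresh rate exceeds max_per_day, worst first."""
    rated = [(e["name"], refreshes_per_day(e["min_ttl"])) for e in entries]
    return sorted([r for r in rated if r[1] > max_per_day], key=lambda r: -r[1])


if __name__ == "__main__":
    for name, rate in noisy_entries(parse_dnsproxy(SAMPLE)):
        print(f"{name}: ~{rate} queries/day per firewall")
```

Feed it the real listing captured from the CLI to see which of the default FQDNs dominate before deciding on a TTL override or a SIEM filter.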

 

ede_pfau

...so that would mean by overriding the TTL with a larger value one would effectively disable the round-robin algorithm (to one change per hour).

Ede Kernel panic: Aiee, killing interrupt handler!