Hello,

I was trying to set up a new subnet and DHCP scope on my LAN.  I noticed on my DHCP server that BAD_ADDRESS placeholders were filling in many off the addresses in the range.  I looked on my core switch and there was no corresponding ARP entry.  I did a port scan on NMAP of the IP and got the following output:

Starting Nmap 7.70 ( [link]https://nmap.org[/link] ) at 2018-08-27 14:10 Central Daylight Time Nmap scan report for 192.168.73.105 Host is up (0.0019s latency). Not shown: 65524 filtered ports PORT STATE SERVICE VERSION 21/tcp open ftp? 25/tcp open smtp? 80/tcp open http? 110/tcp open pop3? 113/tcp closed ident 135/tcp open msrpc? 143/tcp open imap? 443/tcp open https? 8008/tcp open http 8010/tcp open ssl/http-proxy FortiGate Web Filtering Service 8020/tcp open http-proxy FortiGate Web Filtering Service

Browsing to ports 8008, 8010, or 8020 takes me to a page titled "Web Filter Block Override" with the message in the title.  I tried a few other IPs on the subnet and they yielded the same result.  Finally, I swept a different /24 subnet that doesn't have a gateway on my network with nmap -sn and all the hosts showed up.  Any host I ran a port scan on came back with the same result as above, and the 8000 ports lead to the same webpage.  I do have a FortiGate 200E with web filtering enabled, but is this normal behavior? We also use FortiClient on our endpoints that are managed by a separate EMS server if that could play any role.

If anyone has an idea of what is happening here, I'd definitely appreciate an explanation.