Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Wilnel
New Contributor

Created on ‎02-12-2019 02:17 PM

Is this normal behavior?

our antivirus guy will send me alerts from symantec. sometimes it gets these hits

[Somebody is scanning your computer. Your computer's TCP ports: 10000, 8910, 70, 32774 and 59906 have been scanned from xxx.xx.1.2.]   xxx.xx.1.2 is the firewall. If i put the host ip that is affected in the forwarded traffic in fortiview I do not see the event listed at the time. is this just some wild traffic from the firewall or could it be something to worry about?

4640
0 Kudos
1 Solution
lobstercreed
Valued Contributor
In response to Wilnel

Created on ‎02-12-2019 03:11 PM

It might depend on the security profile of that PC.  Also, the firewall has to have Layer 2 adjacency to the device in question.  If there is another router in-between, it would not be able to scan those.  If Symantec is configured exactly the same on more than one PC in that network, I would think it would affect more than one, yes. 

The source address being the firewall though seems to indicate that it must be this though and not a random attacker from the Internet.  It would have the attacker's IP address if it was, right?

View solution in original post

2853
0 Kudos
6 REPLIES 6
lobstercreed
Valued Contributor

Created on ‎02-12-2019 02:21 PM

Do you have active scanning turned on for the LAN interface?  This sounds like that feature.

2810
0 Kudos
Wilnel
New Contributor
In response to lobstercreed

Created on ‎02-12-2019 02:23 PM

how do I tell? If it is on shouldn't it be hitting more than one pc?

2818
0 Kudos
Wilnel
New Contributor
In response to Wilnel

Created on ‎02-12-2019 02:32 PM

i do see active scanning is on

2818
0 Kudos
lobstercreed
Valued Contributor
In response to Wilnel

Created on ‎02-12-2019 03:11 PM

It might depend on the security profile of that PC.  Also, the firewall has to have Layer 2 adjacency to the device in question.  If there is another router in-between, it would not be able to scan those.  If Symantec is configured exactly the same on more than one PC in that network, I would think it would affect more than one, yes. 

The source address being the firewall though seems to indicate that it must be this though and not a random attacker from the Internet.  It would have the attacker's IP address if it was, right?

2854
0 Kudos
Wilnel
New Contributor
In response to lobstercreed

Created on ‎02-13-2019 05:23 AM

I wonder why I cant see the traffic of the firewall scanning the pc.

2818
0 Kudos
lobstercreed
Valued Contributor
In response to Wilnel

Created on ‎02-13-2019 10:12 AM

Can't see it where?  In the logs?  I'm not sure what log you would expect to see it under if it's initiated by the FortiGate itself.  You could try turning that feature off and see if you continue to get any alerts from Symantec.

2818
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.