Support Forum
wotik

Local in policy UDP traffic: 0,137,138

Hi


1. I am having trouble identifying the traffic that is taking place on UDP ports 137 and 138 on some hosts in my network. In the Fortigate logs they look like this:


date="2023-03-31" time="09:43:53" id=7216628389765971970 bid=5122846 dvid=1043 itime=1680252233 euid=102 epid=102 dsteuid=102 dstepid=102 logflag=103 logver=702041396 type="traffic" subtype="local" level="notice" action="deny" policyid=0 sessionid=10001414 srcip="IP_HOST" dstip="BROADCAST_ADDRESS" srcport=137 dstport=137 trandisp="noop" duration=0 proto=17 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 logid="0001000014" srcname="HOST_NAME" service="udp/137" app="netbios forward" appcat="unscanned" srcintfrole="lan" dstintfrole="undefined" srcserver=0 policytype="local-in-policy" eventtime=1680252233039724380 srcmac="HOST_MAC" mastersrcmac="HOST_MAC" srchwvendor="Dell" srcswversion="10" osname="Windows" srccountry="Reserved" dstcountry="Reserved" srcintf="internal" dstintf="root" tz="+0200" devid="FGT60FXXXXXXXXX" vd="root" devname="FG_NAME"


date="2023-03-31" time="09:14:35" id=7216620843508432896 bid=5122479 dvid=1043 itime=1680250476 euid=102 epid=102 dsteuid=102 dstepid=102 logflag=103 logver=702041396 type="traffic" subtype="local" level="notice" action="deny" policyid=0 sessionid=9992926 srcip="IP_HOST" dstip="BROADCAST_ADDRESS" srcport=138 dstport=138 trandisp="noop" duration=0 proto=17 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 logid="0001000014" srcname="HOST_NAME" service="udp/138" app="netbios forward" appcat="unscanned" srcintfrole="lan" dstintfrole="undefined" srcserver=0 policytype="local-in-policy" eventtime=1680250474612850760 srcmac="HOST_MAC" mastersrcmac="HOST_MAC" srchwvendor="HP" srcswversion="10" osname="Windows" srccountry="Reserved" dstcountry="Reserved" srcintf="internal" dstintf="root" tz="+0200" devid="FGT60FXXXXXXXXXX" vd="root" devname="FG_NAME"


I know, of course, that this is NetBIOS communication used in file and printer sharing in Windows. However, I don't really know how to identify its source on a given host. On some hosts it is present and on others it is not.


2. Sometimes there is also blocked network traffic on FG, visible in the logs as UDP/0, e.g.:


date="2023-03-30" time="13:47:02" id=7216319963869478927 bid=5107844 dvid=1043 itime=1680180422 euid=102 epid=102 dsteuid=102 dstepid=102 logflag=103 logver=702041396 type="traffic" subtype="local" level="notice" action="deny" policyid=0 sessionid=9747672 srcip="IP_HOST" dstip="IP_GATEWAY (FG)" srcport=49427 dstport=0 trandisp="noop" duration=0 proto=17 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 logid="0001000014" srcname="HOST_NAME" service="udp/0" app="Local Switch Controller" appcat="unscanned" srcintfrole="lan" dstintfrole="undefined" srcserver=0 policytype="local-in-policy" eventtime=1680180422197293000 crscore=5 craction=262144 crlevel="low" srcmac="HOST_MAC" mastersrcmac="HOST_MAC" srchwvendor="Dell" srcswversion="10" osname="Windows" srccountry="Reserved" dstcountry="Reserved" srcintf="internal" dstintf="root" threatwgts="{5}" threatcnts="{1}" threatlvls="{1}" threats="{failed-connection}" threattyps="{failed-connection}" tz="+0200" devid="FGT60FXXXXXXXXX" vd="root" devname="FG_NAME"


I'm looking but I don't know what it could be...

Any ideas?


Best Regards,
Wojtek
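The two questions in the post come down to sorting FortiGate local-in denies into expected NetBIOS broadcast chatter and the odd udp/0 entries, per source host. The following is an added example, not code from the poster or from Fortinet: a small parser for the key=value log format (quoted values such as app="netbios forward" contain spaces, so a naive split on whitespace breaks) and a triage pass over it. The sample lines are constructed to match the shape of the logs quoted above; host names, MACs and addresses are placeholders, and the fourth line is a non-matching forward-policy record included as a control.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the FortiGate local-in-policy logs quoted in the
# post. Host names, MACs and addresses are placeholders, not data from the original page.
SAMPLE_LOGS = """\
date="2023-03-31" time="09:43:53" type="traffic" subtype="local" level="notice" action="deny" policyid=0 srcip="192.0.2.10" dstip="192.0.2.255" srcport=137 dstport=137 proto=17 service="udp/137" app="netbios forward" policytype="local-in-policy" srcmac="00:11:22:33:44:01" srcname="PC-A" osname="Windows"
date="2023-03-31" time="09:14:35" type="traffic" subtype="local" level="notice" action="deny" policyid=0 srcip="192.0.2.11" dstip="192.0.2.255" srcport=138 dstport=138 proto=17 service="udp/138" app="netbios forward" policytype="local-in-policy" srcmac="00:11:22:33:44:02" srcname="PC-B" osname="Windows"
date="2023-03-30" time="13:47:02" type="traffic" subtype="local" level="notice" action="deny" policyid=0 srcip="192.0.2.10" dstip="192.0.2.1" srcport=49427 dstport=0 proto=17 service="udp/0" app="Local Switch Controller" policytype="local-in-policy" crlevel="low" srcmac="00:11:22:33:44:01" srcname="PC-A" osname="Windows" threats="{failed-connection}"
date="2023-03-30" time="13:50:00" type="traffic" subtype="forward" level="notice" action="accept" policyid=3 srcip="192.0.2.12" dstip="198.51.100.5" srcport=52000 dstport=443 proto=6 service="HTTPS" policytype="policy" srcmac="00:11:22:33:44:03" srcname="PC-C" osname="Windows"
"""

# key=value pairs; the value is either a double-quoted string (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortigate_line(line):
    """Parse one FortiGate key=value log line into a dict of string values."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def is_netbios_broadcast(rec):
    """UDP 137 -> 137 or 138 -> 138: NetBIOS name service / datagram service chatter.

    Windows sends these with source port equal to destination port, which is a handy way
    to separate them from other UDP traffic hitting those ports.
    """
    return (rec.get("proto") == "17"
            and rec.get("dstport") in ("137", "138")
            and rec.get("srcport") == rec.get("dstport"))


def is_udp_port_zero(rec):
    """UDP to destination port 0 is not a valid service port; keep it aside for a host-side capture."""
    return rec.get("proto") == "17" and rec.get("dstport") == "0"


def triage(text):
    """Group local-in denies by source host: NetBIOS noise counted per host/MAC/port, udp/0 listed."""
    records = [parse_fortigate_line(l) for l in text.splitlines() if l.strip()]
    netbios_by_host = Counter()
    anomalies = []
    for rec in records:
        # Only the FortiGate's own local-in denies are of interest here, not forwarded traffic.
        if rec.get("action") != "deny" or rec.get("policytype") != "local-in-policy":
            continue
        host = rec.get("srcname") or rec.get("srcip")
        if is_netbios_broadcast(rec):
            netbios_by_host[(host, rec.get("srcmac"), rec.get("dstport"))] += 1
        elif is_udp_port_zero(rec):
            anomalies.append({k: rec.get(k) for k in
                              ("date", "time", "srcname", "srcmac", "srcip", "srcport", "dstip", "app", "threats")})
    return {"total": len(records), "netbios_by_host": netbios_by_host, "udp0_anomalies": anomalies}


if __name__ == "__main__":
    result = triage(SAMPLE_LOGS)
    print(f"{result['total']} records parsed")
    for (host, mac, port), n in sorted(result["netbios_by_host"].items()):
        print(f"NetBIOS udp/{port}: {host} ({mac}) x{n}")
    for a in result["udp0_anomalies"]:
        print("udp/0 to firewall:", a)
```

Feed it a FortiAnalyzer or syslog export instead of SAMPLE_LOGS and the per-host counters tell you which machines still have NetBIOS over TCP/IP enabled, while the udp/0 list gives you the exact timestamps to line up against a packet capture on the named host.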
gfleming
Staff

You've answered it yourself pretty much. It is NetBIOS broadcast traffic being denied by the FortiGate's local-in policy. It is totally benign. If you don't want it, disable it on your hosts.


As for the dstport=0 that is odd. How often do you see that one? Might be worth doing a packet capture on the host to get some more details? You should be able to glean something from the payload possibly.

Cheers,
Graham
pavankr5
Staff

Hello @wotik 

1. NetBIOS communication on UDP ports 137 and 138 is used for file and printer sharing in Windows. To identify its source on a given host, take a Wireshark packet capture of the network traffic on those ports. Look for packets with a NetBIOS header, which contains information about the source and destination hosts, as well as the type of NetBIOS service being requested. You can use this information to trace the source of the NetBIOS traffic on your network.


2. UDP traffic on port 0 is often used as a placeholder when the port number is not known or not relevant. In the case of your Fortigate logs, the "udp/0" traffic is likely just background noise or chatter on your network, and is being blocked by the firewall as a precautionary measure. Unless you notice any specific issues or anomalies on your network, this traffic can be ignored. As @gfleming suggested, it is better to take a packet capture on the host to get more details.

Best Regards,

Pavan
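The "NetBIOS header" Pavan points at is what actually tells you which service a host is asking for: the 16th byte of every NetBIOS name is a suffix that distinguishes the workstation service, the file server service, browser elections and so on, and Wireshark decodes it for you. As an added example (not code from this thread or from Fortinet), the block below does that decoding by hand for the two payload types seen on the denied ports: the RFC 1002 Name Service header and first question on UDP/137, and the Datagram Service header with its source and destination names on UDP/138. The packets are constructed inside the block; the suffix table lists the commonly documented Microsoft values only, and anything else is reported as unknown rather than guessed.

```python
import socket
import struct

# 16th-byte suffix -> service, the commonly documented Microsoft set (others reported as unknown).
NETBIOS_SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server Service",
}


def decode_netbios_name(encoded):
    """Decode a 32-char RFC 1002 first-level encoded name into (name, suffix_byte).

    Each of the 16 original bytes is split into two nibbles, each sent as 'A' + nibble.
    The name proper is the first 15 bytes (space or NUL padded); byte 16 is the service suffix.
    """
    if len(encoded) != 32:
        raise ValueError("first-level encoded NetBIOS name must be 32 characters")
    raw = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        h, l = hi - 0x41, lo - 0x41
        if not (0 <= h <= 15 and 0 <= l <= 15):
            raise ValueError("invalid nibble character in encoded name")
        raw.append((h << 4) | l)
    return raw[:15].decode("ascii", "replace").rstrip(" \x00"), raw[15]


def encode_netbios_name(name, suffix):
    """Inverse of decode_netbios_name: pad to 15 bytes, append the suffix, nibble-encode."""
    raw = name.encode("ascii").ljust(15, b" ") + bytes([suffix])
    return b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0xF)]) for b in raw)


def _service(suffix):
    return NETBIOS_SUFFIXES.get(suffix, f"unknown (0x{suffix:02x})")


def parse_nbns(payload):
    """Parse a NetBIOS Name Service (UDP/137) packet: 12-byte DNS-style header plus first question."""
    if len(payload) < 12:
        raise ValueError("NBNS packet too short")
    tid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    info = {"transaction_id": tid,
            "response": bool(flags & 0x8000),
            "opcode": (flags >> 11) & 0xF,      # 0 query, 5 registration, 6 release, 8 refresh
            "broadcast": bool(flags & 0x0010),  # NM_FLAGS B bit: sent to the broadcast address
            "questions": qd, "answers": an}
    if qd:
        off = 12
        label_len = payload[off]
        name, suffix = decode_netbios_name(payload[off + 1: off + 1 + label_len])
        off += 1 + label_len
        while payload[off] != 0:          # skip scope labels, if any, up to the zero terminator
            off += 1 + payload[off]
        qtype, _qclass = struct.unpack("!HH", payload[off + 1: off + 5])
        info.update({"name": name, "suffix": suffix, "service": _service(suffix),
                     "qtype": {0x20: "NB", 0x21: "NBSTAT"}.get(qtype, hex(qtype))})
    return info


def parse_nbds(payload):
    """Parse a NetBIOS Datagram Service (UDP/138) header and the two names that follow it.

    RFC 1002 4.4.1: MSG_TYPE(1) FLAGS(1) DGM_ID(2) SOURCE_IP(4) SOURCE_PORT(2) DGM_LENGTH(2)
    PACKET_OFFSET(2), then SOURCE_NAME and DESTINATION_NAME as encoded labels.
    """
    if len(payload) < 14 + 2 * 34:
        raise ValueError("NBDS packet too short")
    msg_type, _flags, _dgm_id, src_ip, src_port, _dgm_len, _off = struct.unpack("!BBH4sHHH", payload[:14])
    off, names = 14, []
    for _ in range(2):
        n = payload[off]
        name, suffix = decode_netbios_name(payload[off + 1: off + 1 + n])
        names.append((name, suffix, _service(suffix)))
        off += 1 + n + 1                  # length byte, label, zero terminator
    return {"msg_type": {0x10: "DIRECT_UNIQUE", 0x11: "DIRECT_GROUP", 0x12: "BROADCAST"}.get(msg_type, hex(msg_type)),
            "source_ip": socket.inet_ntoa(src_ip), "source_port": src_port,
            "source": names[0], "destination": names[1]}


def build_nbns_query(name, suffix, tid=0x1234):
    """Constructed NBNS broadcast name query (flags 0x0110 = RD + B), one question of QTYPE NB."""
    header = struct.pack("!6H", tid, 0x0110, 1, 0, 0, 0)
    return header + bytes([32]) + encode_netbios_name(name, suffix) + b"\x00" + struct.pack("!HH", 0x20, 1)


def build_nbds_direct_group(src_name, src_suffix, dst_name, dst_suffix, src_ip, user_data):
    """Constructed NBDS DIRECT_GROUP datagram (MSG_TYPE 0x11) as a browser announcement would carry."""
    names = (bytes([32]) + encode_netbios_name(src_name, src_suffix) + b"\x00"
             + bytes([32]) + encode_netbios_name(dst_name, dst_suffix) + b"\x00")
    body = names + user_data
    header = struct.pack("!BBH4sHHH", 0x11, 0x02, 1, socket.inet_aton(src_ip), 138, len(body), 0)
    return header + body


if __name__ == "__main__":
    print(parse_nbns(build_nbns_query("FILESRV", 0x20)))
    print(parse_nbds(build_nbds_direct_group("PC-A", 0x00, "WORKGROUP", 0x1D, "192.0.2.10", b"\x00" * 4)))
```

To apply this to a real capture, export the UDP payload of one of the denied packets from Wireshark and pass the bytes to parse_nbns or parse_nbds: a query for a name with suffix 0x20 is a host looking for a file server, while datagrams addressed to the workgroup name with suffix 0x1D or 0x1E are browser-service announcements and elections, which is the kind of background traffic both replies describe.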
