Hi, has anyone seen anything like this?
On my lab Fortigate, I am seeing 1000's of devices under Dashboard/Users & Devices/Device Inventory that all show offline but being online at some point in the last couple of weeks. They all have IPs starting 198.x.x.x and various macs and vendors and all show on my internal LAN interface.
If I search the traffic logs, there is nothing from 198.x.x.x so not sure where they are coming from.
I have not seen any online at any stage, so wonder if its a bug of some sort?
I am running code 6.4.4 on this device.
Thanks
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Ricky, thank you for your report. >If I search the traffic logs, there is nothing from 198.x.x.x so not sure where they are coming from.
The device data from device inventory list is from the FGT's device detection engine which is scanning incoming packets on the interfaces via various protocols. However, not all traffic will have logs as it depends on if logging is enabled in forward traffic policies. Some endpoint data are also retrieved from FortiClient/EMS and FortiAP/FortiSwitch so they are not necessary generating pass-through traffic.
You can review the device inventory data via the following commands. The first command should tell you which interface the device was seen on, from how long ago, and from which protocol (via "src").
"diagnose user device list"
"diagnose user device stats"
You can also clear the list and monitor if they come back
"diagnose user device clear"
thuynh wrote:Hi Ricky, thank you for your report. >If I search the traffic logs, there is nothing from 198.x.x.x so not sure where they are coming from.
The device data from device inventory list is from the FGT's device detection engine which is scanning incoming packets on the interfaces via various protocols. However, not all traffic will have logs as it depends on if logging is enabled in forward traffic policies. Some endpoint data are also retrieved from FortiClient/EMS and FortiAP/FortiSwitch so they are not necessary generating pass-through traffic.
You can review the device inventory data via the following commands. The first command should tell you which interface the device was seen on, from how long ago, and from which protocol (via "src").
"diagnose user device list"
"diagnose user device stats"
You can also clear the list and monitor if they come back
"diagnose user device clear"
Thanks for the tips, I have logging on all my internal rules at present. I don't have any Fortiswitch or other Fortigate products on this test network either.
I ran the "diagnose user device list" and see lots of these 198.x.x.x entries (198.x.x.x isnt on my internal LAN), a few examples are below but there are hundreds. :
vd root/0 46:b9:fa:7d:f7:53 gen 66156 req OHUSA/3e created 77897s gen 66155 seen 77897s internal gen 343 ip 198.185.171.95 src arp vd root/0 52:ec:4b:df:9c:3e gen 96567 req OHUSA/3e created 34520s gen 96566 seen 34520s internal gen 463 ip 198.236.30.10 src arp vd root/0 f0:e4:7f:65:fa:11 gen 51644 req OHUSA/3e created 96440s gen 51643 seen 96440s internal gen 281 ip 198.228.46.93 src arp
I also see my valid 192.168.1.x entries, which some of which are src arp and some src http.
If I show the arp table there are only 192.168.1.x entries.
"diagnose user device stats" shows :
Home # diagnose user device stats generation.global 118248 generation.seen 556 generation.deletion 0 count 556 joined 0 create_failed 0 fd 6 hash 2048
I rebooted yesterday which initially cleared all the 198.x.x.x addresses but they soon started coming back !
I also ran a network packet capture, on the fortigate GUI, on the internal interface for a few hours and it only picked up a few valid requests from internal devices (192.168.1.x) to 198.x.x.x addresses on the internet (Windows update I think).
Thanks, Ricky
Hi Ricky, sorry super late response as just got notification on this just now. Were you able to figure out what's going on? Did it go away with the latest FOS version?
>vd root/0 46:b9:fa:7d:f7:53 gen 66156 req OHUSA/3e created 77897s gen 66155 seen 77897s internal gen 343 ip 198.185.171.95 src arp
The IP is a public IP so it's not from private LAN. Is there some script or something scanning your network? Source from ARP which means it's from ARP broadcast.
I'd get in contact with our Support team so they help troubleshooting further.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1517 | |
1013 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.