Support Forum
ISOffice
Contributor

Mis-Categorisation of DNS Requests

Setup = 2 X FortiGate 100D Hardware Appliances (Active Passive) v5.2.8, build 727. NAT Mode.

Hi all,

We are experiencing a strange situation here and I was wondering if anyone had experienced something similar.

We are seeing entries in traffic logs which indicate DNS requests being made to the online Fortinet DNS servers (208.91.112.53 & 208.91.112.52) from network clients. Nothing unusual there, but the Application Name being returned in the log entries is not DNS, as expected, but WhatsApp & WhatsApp_File.Transfer.


Has anyone any suggestion as to why these DNS requests are being mis-classified in this way?

Many thanks,

John P

2 Solutions
ede_pfau
SuperUser

Not seen this before but you should open a ticket with Support so that the FortiGuard team is notified.

Ede Kernel panic: Aiee, killing interrupt handler!

SCSIraidGURU

They are Proto=17 or UDP. 

I am wondering what the diag traffic for dstport=53 or dnsproxy would show as the return packet.  We noticed an issue with my IP Connection Error on DNS when I enabled all session logging on the interfaces. 

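A defender-side triage check for the symptom in the original post and the UDP/53 point raised in the second solution, added here as an example and not code from any poster or from Fortinet: it parses FortiGate-style key=value traffic-log lines and flags UDP flows to port 53 whose app tag is not DNS, then counts them per destination and app so a pattern like the one described stands out. The sample lines are constructed, and the field names and the expected app string "DNS" are assumptions about the log format.

```python
import shlex

# Constructed sample lines in FortiGate-style key=value traffic-log format.
# Source addresses and timestamps are made up; the two FortiGuard DNS
# addresses and the app names are the ones quoted in the thread.
SAMPLE_LOG = """\
date=2016-05-10 time=09:12:01 type="traffic" subtype="forward" srcip=10.0.1.25 srcport=51122 dstip=208.91.112.53 dstport=53 proto=17 service="DNS" app="WhatsApp" appcat="Social.Media" action="accept"
date=2016-05-10 time=09:12:02 type="traffic" subtype="forward" srcip=10.0.1.25 srcport=51123 dstip=208.91.112.52 dstport=53 proto=17 service="DNS" app="WhatsApp_File.Transfer" appcat="Social.Media" action="accept"
date=2016-05-10 time=09:12:03 type="traffic" subtype="forward" srcip=10.0.1.30 srcport=40001 dstip=208.91.112.53 dstport=53 proto=17 service="DNS" app="DNS" appcat="Network.Service" action="accept"
date=2016-05-10 time=09:12:04 type="traffic" subtype="forward" srcip=10.0.1.31 srcport=40002 dstip=203.0.113.9 dstport=443 proto=6 service="HTTPS" app="WhatsApp" appcat="Social.Media" action="accept"
"""


def parse_line(line):
    """Split one key=value log line into a dict; shlex strips the quoting."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_udp_dns(rec):
    """UDP (proto 17) to destination port 53, which is what the thread's entries show."""
    return rec.get("proto") == "17" and rec.get("dstport") == "53"


def find_mislabelled_dns(log_text, expected_apps=frozenset({"DNS"})):
    """Return records that look like UDP/53 DNS but carry an app tag outside expected_apps."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_udp_dns(rec) and rec.get("app", "") not in expected_apps:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count mislabelled flows per (dstip, app) pair."""
    counts = {}
    for rec in hits:
        key = (rec["dstip"], rec["app"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (dstip, app), n in sorted(summarize(find_mislabelled_dns(SAMPLE_LOG)).items()):
        print(f"{dstip:<16} app={app:<24} flows={n}")
```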
SCSIraidGURU

That is the command. Do a PuTTY session to the firewall. Set the logs to save to desktop. Run it and capture the traffic. See what is going on with it.

diag sniffer packet any 'host xx.xx.xx.xx and port 53' 6

xx.xx.xx.xx can be the workstation, server or WAN port address.

SCSIraidGURU

My problem was buying the base 60E unit without the $350 UTM licenses. The engineers at Fortinet did not know that part of each feature can be enabled without the $350 licenses. When I got the right information, I found a solution. Fortinet management does not think it is necessary to break the base license features from the advanced licensed features because everyone spends the extra money on a unit for your home. I bought the $830 unit with 24x7 support for the layer 3 routed ports for my Cisco VIRL virtual lab. I could not justify over $1200 for everything for my home. Fortinet is thinking in terms of selling today, not improving the product for tomorrow. About your problem, that seems like a "we have no clue" answer. I would be curious to see the diag sniffer packet run on your WAN port as host. See what is in the results.
