Hello,
I have a problem with multicast packets forwarding on Fortigate 60E v 6.0.10 in NAT mode. On WAN interface i see multicast, broadcast and ARP packets forwarded from Lan interface (internal1). I changed muticast settings on "config system setting" to "set muticast-forward disable", but it changed nothing. Settings of broadcast and netbios forwarding on LAN interface are also disabled. Even when i create multicast policies to drop any broadcast traffic, there are still unwanted packets on WAN interface. Is this kind of bug or there are other settings or policies to prevent that forwarding?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello,
It is preferable to understand the traffic flow before implementing any policy to block it; you can upload a packet flow sample and, if possible, sniffer logs.
# di sniffer packet any "host x.x.x.x" 6 0 l
Replace x.x.x.x with the IP address of the Multicast Group.
Current settings:
muticast-forward disable
all mullticast policies disabled
Traffic flow below (filter: addr 192.168.15.255 - broadcast on internal1 interface)
Sniffer result below (di sniffer packet any "host 192.168.15.255" 6 100 l)
Hi Peter,
With reference to the packet captures, I see Fortigate interfaces are receving an NBNS queries from multiple downstream devices
such as IntelCor_d2:df:16 (SMAC:80:00:0b:d2:df:16) on WAN2 interface, G-ProCom_49:ed:a1 (SMAC:00:23:24:49:ed:a1) on internal1 interface, etc..and it's getting dropped.
Basically, the NetBIOS Name Service (NBNS) is a component of the NetBIOS-over-TCP/IP (NBT/NetBT) protocol suite,
which enables legacy computer programs that utilize the NetBIOS Application Programming Interface (API) to run on TCP/IP networks.
You may even use the following custom IPS signature to block NBNS traffic of type NBSTAT:
F-SBID( --name "NetBIOS.Name.Service.NBSTAT.Scan.Custom"; --protocol udp; --flow from_client; --dst_port 137; --data_size =50; --pattern "|00 10 00 01|"; --context packet; --distance 2,context; --within 4,context; --pattern "|20434b4141414141|"; --context packet; --distance 6; --within 8; --rate 5,20; --track src_ip;)
The "--rate 5,20"
This signature would trigger if this type of NetBIOS packet is identified 5 times within a 20-second time frame.
you can adjust the threshold as necessary. (Note that this signature might cause false positives)
Thank You, I will try this
Problem solved. My switch VLAN configuration has reset to defaults, and after reconfiguration it works properly. Thanks
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.