I spent some times on fortianalyzer NOC view. Then i noticed some internal users have a lot of blocked udp outgoing connections. So far nothing looks suspicious on workstations. Whatsoever, i'd really like to understand what is going on.
So if you have any ideas.
ty
Sample
Solved! Go to Solution.
Disable the Windows setting under Delivery Optimization as per the attached screenshot
As soon as the PC is locked Windows will start doing updates (Also a setting that can be changed)
I'm more and more concerned it could be something malicious :
- thousands UDP connections to ISP subscribers IP ranges
- it has started as soon as user locked is windows session, and ended when he came back
- some botnets seems to show that kind of behaviour for c&c communication
Hello,
I would perhaps suggest to use some sort of tool that can track which program/process makes these connections.
Never tried this one but it might be helpful > google fo LiveTcpUdpWatch
Best Regards, Alivo
livo
@OP,
how come you can detect these policy violations in the first place? Do you restrict outbound traffic to 'known' services?
Usually, outbound traffic is allowed by a 'services: all' policy but I think your design is way smarter.
Hello all,
Regarding users internet usage, we set rules to only allow known regular traffic, so it's mostly http and https. That's why some random udp connection like that are put in evidence.
We also checked windows update settings. P2P updates are disabled, and it's managed thru SCCM.
Since yesterday, fortianalyzer logs gave me several other workstations with the same behaviour. So far, windows ATP found nothing.
will keep you informed.
This does look like Win Update traffic over P2P to be honest
Perhaps all settings needs to be re-checked for SCCM then, and just make sure it is off in the registry as well. An update could have enabled it in the registry but it could still show disabled in Windows itself.....
Hi Shawn
Do you have any informations about ports involved ?
MS site says about windows update delivery optimisation:
If you set up Delivery Optimization to create peer groups that include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets), it will use Teredo. For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up.
Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80.
When our logs started filling up with these UDP requests a few months ago (Also blocked, will obviously not allow all traffic out) it took a day to figure out it was Win 10 causing it. I just asked the Server team to disable it via GPO and it stopped. Ports used... well, dynamic ports, thousands of them, it's P2P traffic so you can't really specify the ports...
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.