- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Rare UDP Traffic
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Rare UDP Traffic
Hello to all.
We have a Fortigate with a managed FortiAP
But now, we see a lot of traffic from the Interface asigned to the fortiAp to the last IP of the blok and port udp/6096, we check all te know common ports in the version 6.4 but no found any information.
This is an example,
FROM TO PROTO LENGTH SRC PORT DST PORT
10.10.10.1 10.10.10.255 UDP 87 20530 → 6096 Len=45
We run a packet capture and open in wireshark, but can't see some relevant.
Can somebody tell me some about this issue?
Thnks to all!
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The last IP of the subnet means that this is a broadcast traffic. Do you know if the CAPWAP port is changed in this setup?
You can run this command to check the configuration of the AP:
# cfg -s
- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
If you have found a solution, please like and accept it to make it easily accessible for others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @ebilcari Emirjon, the config for the AP i'ts deploy from the Fortigate as usual, not local config, and yes i'ts like broadcast but in another port like never seen before. This comand "cfg -s" i'ts on the FortiAP directly? on the Fortigate i'ts unknown.
This is the config on the VAP
edit "Wlan_01"
set vdom "01"
set fast-roaming enable
set external-fast-roaming disable
set mesh-backhaul disable
set max-clients 10
set ssid "WLan"
set broadcast-ssid enable
set security wpa2-only-personal
set pmf disable
set voice-enterprise disable
set fast-bss-transition disable
set eapol-key-retries enable
set radius-mac-auth disable
set encrypt AES
set local-standalone disable
set local-bridging disable
set intra-vap-privacy enable
set schedule "Office"
set ldpc rxtx
set mpsk disable
set split-tunneling disable
set vlanid 0
set multicast-rate 0
set multicast-enhance disable
set broadcast-suppression dhcp-up dhcp-down dhcp-starvation arp-known arp-unknown arp-reply arp-poison arp-proxy netbios-ns netbios-ds ipv6 all-other-mc all-other-bc
set me-disable-thresh 32
set probe-resp-suppression disable
set radio-sensitivity disable
set quarantine enable
set vlan-pooling disable
set dhcp-option82-insertion disable
set gtk-rekey disable
set qos-profile ''
unset rates-11a
unset rates-11bg
unset rates-11n-ss12
unset rates-11n-ss34
unset rates-11ac-ss12
unset rates-11ac-ss34
set passphrase ENC .....
next
Where can i run the comand #"cfg -s"
Thnks for all Emirjon
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is the output for the command cfg -s
BAUD_RATE:=9600
LOGIN_PASSWD_ENC:=
ADMIN_TIMEOUT:=5
WANLAN_MODE:=WAN-ONLY
ADDR_MODE:=DHCP
AP_IPADDR:=192.168.1.2
AP_NETMASK:=255.255.255.0
IPGW:=192.168.1.1
AP_MODE:=0
DNS_SERVER:=208.91.112.53
STP_MODE:=0
AP_MGMT_VLAN_ID:=0
ALLOW_TELNET:=2
ALLOW_HTTP:=2
ALLOW_HTTPS:=2
ALLOW_SSH:=2
DDNS_ENABLE:=0
AC_DISCOVERY_TYPE:=0
AC_IPADDR_1:=192.168.1.1
AC_IPADDR_2:=
AC_IPADDR_3:=
AC_HOSTNAME_1:=_capwap-control._udp.example.com
AC_HOSTNAME_2:=
AC_HOSTNAME_3:=
AC_DISCOVERY_MC_ADDR:=224.0.1.140
AC_DISCOVERY_DHCP_OPTION_CODE:=138
AC_DISCOVERY_FCLD_APCTRL:=
AC_DISCOVERY_FCLD_ID:=
AC_DISCOVERY_FCLD_PASSWD_ENC:=
AC_CTL_PORT:=5246
AP_DATA_CHAN_SEC:=clear,ipsec,dtls
MESH_AP_TYPE:=0
MESH_MAX_HOPS:=4
MESH_SCORE_HOP_WEIGHT:=50
MESH_SCORE_CHAN_WEIGHT:=1
MESH_SCORE_RATE_WEIGHT:=1
MESH_SCORE_BAND_WEIGHT:=100
MESH_SCORE_RSSI_WEIGHT:=100
LED_STATE:=2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's possible to list the connections like ss or netstat in the CLI of the FortiAp? If i can see the traffic, can match the PID associate and know what feature are using this, i just think
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not aware that such command exist in the AP. I guess this may be some dynamic port but I can't think about its service. What is the pattern of this broadcast traffic and is it always using the same port 6096?
- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
If you have found a solution, please like and accept it to make it easily accessible for others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Related Posts
- Log messages when forwarding traffic 126 Views
- LDAPS issue, 'Can't contact LDAP server' 331 Views
- SD-WAN and none interface 106 Views
- Force the routing of a domain... 109 Views
- Two different websites (domains) on two... 106 Views
Labels
-
FortiGate
6,531 -
FortiClient
1,303 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.