Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
RD
New Contributor

SSL.RSA.Temporary.Key.Security.Bypass

All,

 

Can anybody here assist me with outbound traffic events. (from a small number of our internal hosts to the internet)

 

Event: SSL.RSA.Temporary.Key.Security.Bypass

Additional information: http://www.fortinet.com/ids/VID40207

 

Since a few months a fairly small number of machines generate an awful lot outbound events to specific IP addresses.

We are pretty confident this is not something to be worried about as we have leveraged additional tools to investigate our internal hosts. Still very interested what this can be related to.

 

As a reference point, in the month of January 3 hosts generated 40825 events.

 

Following IP addresses are noted for these 3 hosts as the Destination address they are communicating with. (AT&T addresses belonging to CerfNet)

 

12.130.55.203: 14928 events

12.130.55.186: 5279 events

12.130.55.56: 10519 events

12.130.55.172: 3346 events

12.130.55.187: 3386 events

206.19.56.155: 3347 events

 

Anybody any idea?

 

R

1 Solution
Patrickh99
New Contributor II

I get the alert from a program called ATT Connect.  It is a Webex type program that AT&T uses for their teleconferences that auto-starts and runs in the background on PCs. It does some communication in the background every few minutes to generate the alerts.

 

I have not figured out how to get rid of the alert other than shutting off the program.

View solution in original post

3 REPLIES 3
AndrewG
New Contributor

Same thing here but with IP 12.130.142.57. Nothing w/ virus total. i'm considering scanning for vuls using metaspolit.

Only happening on one single machine, many times a hour.

1 09:46:13 FGT90D3Z140xxxxx deny 192.168.x.x 12.130.142.57 SSL_SSLv2 HTTPS block APP1IPS1 SSL.RSA.Temporary.Key.Security.Bypass

Patrickh99
New Contributor II

I get the alert from a program called ATT Connect.  It is a Webex type program that AT&T uses for their teleconferences that auto-starts and runs in the background on PCs. It does some communication in the background every few minutes to generate the alerts.

 

I have not figured out how to get rid of the alert other than shutting off the program.

RD
New Contributor

Thanks!

 

I am in process of confirming this information and it looks to be indeed the root cause for this traffic.

Interesting on our side is that we use AT&T's managed service for IDS/IPS.

 

I will open a case with them to investigate their own software.

 

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors