- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Source IP 0.0.0.0 to destination IP 255.255.255.2...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Source IP 0.0.0.0 to destination IP 255.255.255.255 - couldn' t block
Fortigate-100A 2.80,build357,050127
I had a UDP session running that I couldn' t fathom the source of. Worst still, I couldn' t quosh it using the policy statements - which I am guessing is a result of this type of communication not being catered for within the policy engine in this quite recent release.
I used the CLI " diag netlink rtcache list" command to give me a clue (looking at the number that occured after the @ symbol [0.0.0.0@3->255.255.255.255@7). [from UDP 68 to UDP 67]
However irrespective of the rules that I entered using match addresses as host 0.0.0.0 and host 255.255.255.255 - the flow always appeared on the session table (with a counter of 30 seconds).
Should an all 1s broadcast go anywhere, or was it being dumped in the bit bucket by if=root. However I wouldn' t want it to burn up one of my session table entries and felt that I couldn' t do anything about it. I cannot tell what the packet was trying to do without sniffing it further - which I didn' t do.
For info:
10.100.15.137 = via WAN2
diag netlink rtcache
family=02 tab=254 vf=0 type=03 tos=0 flag=90000200
0.0.0.0@3->255.255.255.255@7 gwy=0.0.0.0 prefsrc=10.100.15.137
ci: ref=2 lastused=649 expire=0 err=00000000 used=0 br=0 pmtu=1500
diag netlink interface list
if=lo family=00 type=772 index=1 mtu=16436 link=0 master=0
ref=5 flags=loopback
if=wan1 family=00 type=1 index=2 mtu=1500 link=0 master=0
ref=58 flags=up broadcast run multicast
if=wan2 family=00 type=1 index=3 mtu=1500 link=0 master=0
ref=44 flags=up broadcast run multicast
if=dmz1 family=00 type=1 index=4 mtu=1500 link=0 master=0
ref=6 flags=up broadcast multicast
if=dmz2 family=00 type=1 index=5 mtu=1500 link=0 master=0
ref=6 flags=up broadcast multicast
if=internal family=00 type=1 index=6 mtu=1500 link=0 master=0
ref=71 flags=up broadcast run multicast
if=root family=00 type=772 index=7 mtu=16436 link=0 master=0
ref=23 flags=up loopback run
if=vsys_ha family=00 type=772 index=8 mtu=16436 link=0 master=0
ref=10 flags=up loopback run
if=port_ha family=00 type=1 index=9 mtu=1496 link=0 master=0
ref=4 flags=up broadcast multicast
I' ve tried firewall policies, policy routeing (all 1s addresses are invalid for acceptance), and static routeing (still creates a session table entry even if the host is unreachable by pointing to a next hop that isn' t resolvable).
Not a big oversight and if it is fixed in 2.9-private-beta or 3.0-public-beta - then all is well. However I thought I' d save anyone else from spending time chasing this lost sheep by declaring it on the forum as opposed to entering the trouble as a fault.
1 REPLY 1
Not applicable
Created on 03-02-2006 09:41 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is an old post that I stumbled upon that no one seems to have responded.
Those udp ports 67 and 68 are either bootp or DHCP protocol(s). (DHCP is a subset of BOOTP)
Something is broadcasting (255.255.255.255) -- that' s how dhcp/bootp work. It' s to the local network so you wouldn' t block it at the firewall.
If you really can' t have it, then I think you' d have to block it at the switch level via layer three management most likely. But why would one do that anyway?
Now, you may determine the source first by looking at the ethernet MAC address and then associating the MAC to a host. Some switches will let you associate a port to a MAC address. Now, if you' ve got DHCP relay going, it' s a little harder to do, because the MAC could be that of a router or firewall doing the relay because the broadcast wont leave that ethernet network segment.
I am not an expert.
-Jim
Related Posts
- no traffic in IPSEC vpn tunnel... 111 Views
- Fortigate initiating local traffic for blocked... 191 Views
- Persistent One Way Audio Issues, no... 258 Views
- What does it means? 215 Views
- sd-wan issue 193 Views
Labels
-
FortiGate
6,682 -
FortiClient
1,330 -
5.2
801 -
5.4
639 -
FortiManager
578 -
FortiAnalyzer
422 -
6.0
416 -
5.6
362 -
FortiSwitch
343 -
FortiAP
340 -
FortiClient EMS
272 -
FortiMail
259 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
159 -
6.4
128 -
FortiNAC
110 -
FortiGuard
106 -
FortiSIEM
92 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
79 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
59 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
30 -
SD-WAN
30 -
Firewall policy
29 -
High Availability
24 -
FortiConnect
24 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Logging
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
Authentication
8 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSO
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.