I've recently set up the new Shodan Monitoring service from Shodan for all the world-routable IPs that the organisation I work for owns. I'm getting some strange results that are potentially false positives but are concerning me slightly.

The results I keep getting are for IP addresses that aren't currently in use, and they always reference ports 8008 and 8010, which are the web filter bypass ports for our FortiGate firewall. Here is an example of the result I'm getting.

```
// Trigger: uncommon
// Port: 8008 / tcp
// Hostname(s):
// Timestamp: 2019-04-02T05:59:49.229479
// Alert ID: ###.###.###.* (################)

Banner (http-simple-new)
HTTP/1.1 302 Found
Location: https://###.###.###.188:8010/
Connection: close
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors
```

My concerns are that I can't seem to replicate this result in a normal Shodan query (this is often run at least 15 minutes after the report) and that the detection rate of these seems to increase during "out of hours" (notably between midnight and 7am local time, as well as Sundays).

Is anyone else using Shodan Monitoring and a FortiGate seeing similar results?