Hi,
After I updated my Fortigate 60D to 5.6.2,
During the day for about 10 mins and every 30 mins and in mainly from 11.00 - 16.00 ( +2 Italy time ) the box make outbound traffic to apparently random ip's like bottom log. The outbound bandwidth is over the my maximum line capacity ( 2mbit/s max ), traffic widget indicate 8 - 10 mbit/s...
THERE ARE NO DEVICES IN THE INTERNAL SIDE OF FIREWALL GENERATING THIS TRAFFIC.
What it is?
Traffic example generated with:
diagnose sniffer packet wan2 'udp and udp port not 4500 and port not 500'
where wan2 ip is: 10.0.222.2/24
gateway is : 10.0.222.1
195.746724 10.0.222.2 -> 108.30.97.227: ip-proto-17 (frag 14928:1480@1480+) 195.746772 10.0.222.2 -> 108.30.97.227: ip-proto-17 (frag 14928:977@2960) 195.750042 96.239.34.237.45728 -> 10.0.222.2.53: udp 42 195.752212 10.0.222.2.53 -> 96.239.34.237.45728: udp 3929 (frag 36641:1480@0+) 195.752279 10.0.222.2 -> 96.239.34.237: ip-proto-17 (frag 36641:1480@1480+) 195.752323 10.0.222.2 -> 96.239.34.237: ip-proto-17 (frag 36641:977@2960) 195.763911 96.239.34.73.13720 -> 10.0.222.2.53: udp 42 195.765778 10.0.222.2.53 -> 96.239.34.73.13720: udp 3929 (frag 25333:1480@0+) 195.765841 10.0.222.2 -> 96.239.34.73: ip-proto-17 (frag 25333:1480@1480+) 195.765885 10.0.222.2 -> 96.239.34.73: ip-proto-17 (frag 25333:977@2960) 195.804808 96.239.34.142.8502 -> 10.0.222.2.53: udp 42 195.806905 10.0.222.2.53 -> 96.239.34.142.8502: udp 3929 (frag 55854:1480@0+) 195.806975 10.0.222.2 -> 96.239.34.142: ip-proto-17 (frag 55854:1480@1480+) 195.807019 10.0.222.2 -> 96.239.34.142: ip-proto-17 (frag 55854:977@2960) 195.846452 96.239.34.56.39994 -> 10.0.222.2.53: udp 42 195.848306 10.0.222.2.53 -> 96.239.34.56.39994: udp 3929 (frag 25046:1480@0+) 195.848375 10.0.222.2 -> 96.239.34.56: ip-proto-17 (frag 25046:1480@1480+) 195.848420 10.0.222.2 -> 96.239.34.56: ip-proto-17 (frag 25046:977@2960) 195.936198 96.239.34.159.37187 -> 10.0.222.2.53: udp 42 195.938360 10.0.222.2.53 -> 96.239.34.159.37187: udp 3929 (frag 13557:1480@0+) 195.938436 10.0.222.2 -> 96.239.34.159: ip-proto-17 (frag 13557:1480@1480+) 195.938482 10.0.222.2 -> 96.239.34.159: ip-proto-17 (frag 13557:977@2960) 195.961259 108.30.97.181.55902 -> 10.0.222.2.53: udp 42 195.963349 10.0.222.2.53 -> 108.30.97.181.55902: udp 3929 (frag 48810:1480@0+) 195.963417 10.0.222.2 -> 108.30.97.181: ip-proto-17 (frag 48810:1480@1480+) 195.963463 10.0.222.2 -> 108.30.97.181: ip-proto-17 (frag 48810:977@2960) 195.986141 10.0.222.2.65167 -> 192.168.131.188.161: udp 78 196.213749 96.239.34.174.17304 -> 10.0.222.2.53: udp 42 196.216424 10.0.222.2.53 -> 96.239.34.174.17304: udp 3929 (frag 34689:1480@0+) 196.216494 10.0.222.2 -> 96.239.34.174: ip-proto-17 (frag 34689:1480@1480+) 196.216539 10.0.222.2 -> 96.239.34.174: ip-proto-17 (frag 34689:977@2960)
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
That appears to be DNS traffic. Check the firewall DNS settings. It appears it is searching for a DNS server and not reaching one (quickly at least) and is generating more requests outbound.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
I would seriously doubt that this is legitimate DNS traffic - the packet size is far too large (3 KB?).
Then, 96.239.34.237 is not an external DNS as far as I can see. You will know better.
If this is not DNS traffic then some app is tunneling across the DNS port, and that most probably is malicious.
But besides all the worries about the content it appears that many packets are fragmented. Check the MTU your line can sustain without fragmenting (using the ping method). This is not common to see in sniffer output.
rwpatterson wrote:That appears to be DNS traffic. Check the firewall DNS settings. It appears it is searching for a DNS server and not reaching one (quickly at least) and is generating more requests outbound.
thanks for answer, My system dns was two internal domain controllers, of which the secondary is actually off. Now I set Fortinet DNS's servers and I wait and see.
ede_pfau wrote:hi,I would seriously doubt that this is legitimate DNS traffic - the packet size is far too large (3 KB?).
Then, 96.239.34.237 is not an external DNS as far as I can see. You will know better.
If this is not DNS traffic then some app is tunneling across the DNS port, and that most probably is malicious.
But besides all the worries about the content it appears that many packets are fragmented. Check the MTU your line can sustain without fragmenting (using the ping method). This is not common to see in sniffer output.
1 - While this issue happened, I disconnected all internal LANs, but high traffic still run.
2 - I'm not deep expert in tcp protocol and diagnose sniffer command, but the packets with ip-proto-17 ( frag:23xxx ) notation start to appear only while the issue is running.
a lot of thanks for your answers.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.