Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

dst_int=root and service=65535

device_id=FGT800xxxxxxxxx log_id=3 subtype=violation type=traffic timestamp=1268952389 pri=warning itime=1268952410 cluster_id=FGT8003607501543_CID vd=root src=10.0.0.15 srcname=10.0.0.15 src_port=2857 dst=xxxxxxxxxx dstname=xxxxxxxxx dst_port=8402 service=8402/tcp proto=6 app_type=N/A duration=0 rule=0 policyid=0 sent=0 rcvd=0 src_int=dmz dst_int=root SN=1920684 carrier_ep=N/A vpn=N/A status=deny user=N/A group=N/A 2 device_id=FGT800xxxxxxxxxx log_id=7 subtype=other type=traffic timestamp=1268952389 pri=notice itime=1268952410 cluster_id=FGT8003607501543_CID vd=root src=10.0.0.15 srcname=10.0.0.15 src_port=2857 dst=xxxxxxxxxx dstname=xxxxxxxxx dst_port=8402 service=65535/tcp proto=6 app_type=N/A duration=0 rule=0 policyid=0 sent=0 rcvd=0 src_int=dmz dst_int=root SN=1920684 carrier_ep=N/A vpn=N/A status=deny user=N/A group=N/A Couple curiousities here I am hoping someone can clear up for me. Here are a couple sample traffic log entries that are representative of ones that I see periodically on a variety of ports, both TCP and UDP. dst_int=root There is no interface on the box named root. Where does the FortiGate think it is routing this traffic? There is a default route that should catch anything. Destinations with specific static routes and even source/destinations with a matching policy route sometimes disappear with these destination interface = root entry. When this occurs, it does do the two related log entries as seen above. One has the dst_port the same as the service, the other has the proper dst_port but service=65535. Normal traffic always has service = dst_port plus TCP or UDP.
1 REPLY 1
Remi_FTNT
Staff
Staff

Hello Sean, The root interface is like the localhost. I would think the logs are due to invalid packets, but not 100% sure. They could be logged if you have " set other-traffic" enabled under " config log fortianalyzer filter" (see also http://kb.fortinet.com/kb/documentLink.do?externalID=11743). For more certitude, a sniffer trace with a filter would help to confirm this : << diag sniff packet any " host a.b.c.d or 10.0.0.15" 6 >> (stop sniffer with CTRL+C). A conversion into a .cap would help to analyze the packets (see Perl script in http://kb.fortinet.com/kb/documentLink.do?externalID=11186). Hope this helps. Remi.
Remi Metzger - PS Consultant EMEA
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors