unknown1020
New Contributor III

malicious connections from the fortigate

Friends, good day, a question:
In our review of malicious connections from the internal network, we observed that there are many malicious connections from the FortiGate IP.

Could you help me with your comments? Why is this happening?

Currently the FortiGate has a vulnerable version, and I don't know if it might be related to this.

mpandya
Staff

Hi,

Could you kindly elaborate on the issue?

  1. Where it is discovered
  2. Any FortiGate malicious detection
  3. Any security profile applied to the policy


chauhans
Staff

Hi @unknown1020 

As I understand from your query, you are observing malicious traffic from the FortiGate IP.

+ May I know where the IP is located on the FortiGate firewall?
+ Could you please share the security event logs and forward traffic logs with respect to the malicious IP?
+ Also, you may create local-in policies to block the malicious IP by following the doc article below.
https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/363127/local-in-policies

Thanks,

@chauhans 

srajeswaran
Staff

You may be hitting https://www.fortiguard.com/psirt/FG-IR-22-398; can you check if you are seeing connections to the IPs below?

Connections to suspicious IP addresses from the FortiGate:


More details on https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflo...

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
asengar

Kindly share the malicious IP details and also the forward traffic logs filtered with the malicious IP.

Do confirm where the IP is configured on the firewall from which you are seeing the malicious connections.

Share the output below:

dia sys session filter src x.x.x.x

dia sys session list


Thanks

@bhishek
unknown1020
New Contributor III

Hello, I discovered that the publication policy (VIP) had NAT enabled. So when NAT is enabled, that causes the source IP to be NATed to the firewall IP, right?

srajeswaran

Yes, source IP will be of the Firewall if NAT is enabled.

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
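To show what the accepted answer means in practice, here is an added example (not from this thread and not Fortinet's own code) that parses FortiGate forward-traffic log lines and maps the post-NAT source address an internal host reports back to the original source recorded in the log, which is how the "connections from the FortiGate IP" get attributed to their real origin. It assumes the standard FortiGate traffic-log field names srcip, dstip, tranip (VIP/DNAT target) and transip (SNAT address); the log lines and addresses are constructed.

```python
import re
from typing import Dict, List, Set

# Constructed sample FortiGate forward-traffic log lines (key=value syslog format).
# Line 1: an inbound hit on a VIP policy with NAT enabled. The destination is
# translated to the internal server (tranip) and the source is translated to the
# FortiGate's internal interface address (transip), so the server sees the firewall.
# Line 2: an ordinary internal-to-external session with no source NAT.
# All addresses are documentation ranges, not real hosts.
SAMPLE_LOGS = [
    'date=2023-03-01 time=10:15:01 logid="0000000013" type="traffic" subtype="forward" '
    'srcip=203.0.113.77 srcport=51234 srcintf="wan1" dstip=198.51.100.10 dstport=443 '
    'dstintf="internal" policyid=12 action="accept" tranip=10.0.0.50 tranport=443 '
    'transip=10.0.0.1 transport=41000',
    'date=2023-03-01 time=10:15:02 logid="0000000013" type="traffic" subtype="forward" '
    'srcip=10.0.0.26 srcport=51235 srcintf="internal" dstip=203.0.113.9 dstport=443 '
    'dstintf="wan1" policyid=7 action="accept"',
]

# key=value pairs; values are either a double-quoted string or a run of non-spaces
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a dict; quoted values are unquoted."""
    fields: Dict[str, str] = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields

def observed_source(entry: Dict[str, str]) -> str:
    """Source address a host behind the firewall actually sees: the SNAT address
    (transip) when the policy NATs the session, otherwise the original srcip."""
    return entry.get("transip", entry["srcip"])

def find_real_sources(lines: List[str], observed_ip: str) -> Set[str]:
    """Given an address reported by an internal sensor (e.g. the FortiGate IP),
    return the pre-NAT source addresses that were translated to it."""
    real: Set[str] = set()
    for line in lines:
        entry = parse_log(line)
        if "srcip" in entry and observed_source(entry) == observed_ip:
            real.add(entry["srcip"])
    return real

def nat_policies(lines: List[str]) -> Set[str]:
    """Policy IDs whose sessions carry an SNAT address; these are the policies
    that make traffic appear to originate from the firewall."""
    return {e["policyid"] for e in map(parse_log, lines) if "transip" in e and "policyid" in e}

if __name__ == "__main__":
    print(find_real_sources(SAMPLE_LOGS, "10.0.0.1"))  # {'203.0.113.77'}
    print(nat_policies(SAMPLE_LOGS))                    # {'12'}
```

Running the same lookup over real forward-traffic logs filtered on the firewall IP gives the list of external sources behind the "malicious" sessions, and the policy IDs tell you which NAT-enabled policies to review.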