friends good day a question:
In our review of malicious connections from the internal network, we observed that there are many malicious connections from the fortigate IP.
Could you help me with your comments, why is this happening?
currently the fortigate has a vulnerable version and I don't know if it might be related to this.
Solved! Go to Solution.
Yes, source IP will be of the Firewall if NAT is enabled.
Hi ,
Could you kindly elaborate on the issue?
Hi @unknown1020
As I understand from your query, you are observing malicious traffic from Fortigate IP.
+ May I know where is the IP located in Fortigate Firewall?
+ Could you please share security event logs and forward traffic logs with respect to the Malicious IP?
+ Also, you may create Local in policies to block the malicious IP by following below doc. article.
https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/363127/local-in-policies
Thanks,
You may be hitting https://www.fortiguard.com/psirt/FG-IR-22-398 , can you check if you are seeing connections to below IPs?
Connections to suspicious IP addresses from the FortiGate:
188.34.130.40:444
103.131.189.143:30080,30081,30443,20443
193.36.119.61:8443,444
172.247.168.153:8033
139.180.184.197
66.42.91.32
158.247.221.101
107.148.27.117
139.180.128.142
155.138.224.122
185.174.136.20
More details on https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflo...
Kindly share the malicious IP details and also the forward traffic logs filter with the malicious IP
Do confirm where the IP is configured on the firewall from which you are seeing the malicious connections.
Share the below output
dia sys session filter src x.x.x.x
dia sys session list
Thanks
hello, I discovered that the policy of the publication (vip) had the NAT enabled. So when nat is enabled, that causes the source ip to be nated by the firewall ip, right?
Yes, source IP will be of the Firewall if NAT is enabled.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.