Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Umirzak
New Contributor III

Created on ‎06-18-2024 05:48 AM Edited on ‎06-18-2024 05:49 AM

multiple sessions

gents,

time to time, my fortigate have thousands of sessions see below  from screenshot. how to find root cause, how to stop these multiple sessions ? 10.100.10.25 - is our mail server. Currently I am terminating manually. 

 

error3.png

 

error4.png

 

AJ
AJ
Labels:
892
0 Kudos
8 REPLIES 8
hbac
Staff
Staff

Created on ‎06-18-2024 06:25 AM

Hi @Umirzak,

 

Are you expecting outbound traffic from the mail server to those IPs? If not, you can block it using firewall policy. 

 

Regards, 

877
Umirzak
New Contributor III

Created on ‎06-18-2024 09:19 PM

everytime different IPs (

AJ
AJ
845
0 Kudos
Umirzak
New Contributor III

Created on ‎06-18-2024 10:38 PM

this is another example 

 

error5.png

 

AJ
AJ
829
0 Kudos
srajeswaran
Staff
Staff
In response to Umirzak

Created on ‎06-18-2024 10:49 PM

Is all the sessions are destined to IP in Indonesia ? If so, we can create an address entry for Indonesia and block all these connections till we find the root cause.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Blocking-Inbound-Access-from-Specific-Coun...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-by-country-or-geolocation/ta-...

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
825
Umirzak
New Contributor III
In response to srajeswaran

Created on ‎06-19-2024 12:50 AM

unfortunately didn't help, different countries, different IPs. gents, can you help me please. 

AJ
AJ
809
0 Kudos
srajeswaran
Staff
Staff
In response to Umirzak

Created on ‎06-19-2024 03:06 AM

As per this document Fortimail generates SYN packet on port80 for DynDNS.

* FortiMail generates outbound traffic and sends an HTTP SYN request via TCP/80. The Fortinet RSS Feed widget provides a convenient display of the latest security advisories and discovered threats from Fortinet. Also, if an email message contains a shortened URI that redirects to another URI, it would cause FortiMail to send an HTTP SYN request to the shortened URI to get the redirected URI.
Ref: https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/74478/fortimail-open-ports
Do you have dynamic DNS configured?


https://docs.fortinet.com/document/fortimail/7.4.2/cli-reference/810276/system-ddns

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
793
0 Kudos
Umirzak
New Contributor III

Created on ‎06-19-2024 10:28 PM

no i don't have fortimail and dynamic dns. 

yesterday i just closed all ports from DMZ to WAN except mail service ports. looks OK, but i still dont find root cause 

AJ
AJ
735
0 Kudos
Umirzak
New Contributor III

Created on ‎06-20-2024 10:04 PM

I've hardened my mail server. look like issue resolved. 

AJ
AJ
707
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.