multiple sessions
Gents,
From time to time, my FortiGate has thousands of sessions, see the screenshot below. How do I find the root cause, and how do I stop these multiple sessions? 10.100.10.25 is our mail server. Currently I am terminating them manually.
Hi @Umirzak,
Are you expecting outbound traffic from the mail server to those IPs? If not, you can block it using a firewall policy.
Regards,
Every time, different IPs.
This is another example.
Are all the sessions destined to IPs in Indonesia? If so, we can create an address entry for Indonesia and block all these connections until we find the root cause.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Blocking-Inbound-Access-from-Specific-Coun...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-by-country-or-geolocation/ta-...
Suraj
Unfortunately that didn't help: different countries, different IPs. Gents, can you help me, please?
As per this document, FortiMail generates a SYN packet on port 80 for DynDNS.
* FortiMail generates outbound traffic and sends an HTTP SYN request via TCP/80. The Fortinet RSS Feed widget provides a convenient display of the latest security advisories and discovered threats from Fortinet. Also, if an email message contains a shortened URI that redirects to another URI, it would cause FortiMail to send an HTTP SYN request to the shortened URI to get the redirected URI.
Ref: https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/74478/fortimail-open-ports
Do you have dynamic DNS configured?
https://docs.fortinet.com/document/fortimail/7.4.2/cli-reference/810276/system-ddns
Suraj
No, I don't have FortiMail and dynamic DNS.
Yesterday I just closed all ports from DMZ to WAN except the mail service ports. Looks OK, but I still haven't found the root cause.
I've hardened my mail server. Looks like the issue is resolved.