Hello all,
We have noticed non-DNS traffic on port 53 from the Fortigate to the Internet (because we have another firewall between the Fortigate and the Internet ;) )
1.2.3.4 1798 208.91.112.196 53 udp flow from InternetTransit:1.2.3.4/1798 to Internet:208.91.112.196/53 terminated by inspection engine, reason - inspector disconnected, dropped packet.
Wireshark shows this:
What is that??
Most probably this is the Fortiguard Communication for Webfilter and Antispam to the Fortiguard Server.
Check in the WebUI: System > Fortiguard, go to the bottom and open "Webfilter and Antispam".
Here you can configure if the Fortigate should use port 53 or port 8888 for the communication.
Regards,
Sylvia
Sylvia wrote: Most probably this is the Fortiguard Communication for Webfilter and Antispam to the Fortiguard Server.
Check in the WebUI: System > Fortiguard, go to the bottom and open "Webfilter and Antispam".
Here you can configure if the Fortigate should use port 53 or port 8888 for the communication.
But we have that disabled anyway.
Hi
Looks like you have disabled the push updates from Fortiguard to your device, however scheduled update requests from your device to Fortiguard are still enabled on port 53. As mentioned you can change this to port 8888.
Also the IP address 208.91.112.196 is in the range owned by Fortinet so probably one of their Fortiguard servers.
Hope that helps
Ian
Web: www.activatelearning.ac.uk
Twitter: twitter.com/activate_learn
Facebook: facebook.com/Activate-Learning
Ian Harrison wrote: Looks like you have disabled the push updates from Fortiguard to your device, however scheduled update requests from your device to Fortiguard are still enabled on port 53. As mentioned you can change this to port 8888.
It always seemed to me that the shown ports applied to the webfilter/emailfilter cache section and not to the updates. In any case, the updates are scheduled for every hour, the DNS queries (or should I say the data sent to Fortinet via the DNS port) are there permanently, not only every hour.
Ports 53/udp and 8888/udp are indeed used for webfiltering and email (SPAM) filtering. This is not only confined to signature updates; if a webfilter is active each passing URL needs to be categorized. So there is a constant stream of data flowing out and in.
Historically, FortiOS used port 8888/udp to contact the Fortiguard servers (first contact will be to service.fortiguard.net to obtain the list of Fortiguard servers available). Then, especially if the FGT is deployed in transparent mode, upstream firewalls often blocked the high port. Thus the alternative "well known" port 53/udp, as DNS requests are most likely (but not always) allowed out.
Nowadays, the upstream firewall may look into DNS traffic and block it as "non-standard", as it is, in fact, non-DNS. Sigh.
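The upstream firewall's "inspection engine" drop in the first post is the behaviour ede_pfau describes: the inspector checks that a UDP/53 payload actually follows the DNS wire format, and drops it when it does not. The following added example (written for this thread, not code from Fortinet or from any firewall vendor) shows the same check in Python: it parses the 12-octet header and the question section per RFC 1035 and reports whether a datagram is DNS, then classifies a few flow records on port 53. The three payloads are constructed for the example; the thread's screenshot is not on the page, so nothing here reproduces the real FortiGuard message format. The IP addresses and ports in the sample flow list are those from the first post's log line plus documentation addresses.

```python
import struct

# Constructed sample datagrams (not captures from the thread):
#  - DNS_QUERY: a well-formed standard query for example.com / A
#  - OPAQUE_BLOB: arbitrary bytes standing in for a non-DNS payload on UDP/53
#  - BAD_LABELS: a plausible header followed by label lengths > 63
DNS_QUERY = (
    b"\x12\x34"                   # ID
    b"\x01\x00"                   # flags: QR=0, opcode QUERY, RD=1
    b"\x00\x01"                   # QDCOUNT = 1
    b"\x00\x00\x00\x00\x00\x00"   # ANCOUNT, NSCOUNT, ARCOUNT = 0
    b"\x07example\x03com\x00"     # QNAME
    b"\x00\x01"                   # QTYPE A
    b"\x00\x01"                   # QCLASS IN
)
OPAQUE_BLOB = bytes(range(0x40, 0x70))
BAD_LABELS = b"\xab\xcd\x01\x00\x00\x01" + b"\x00" * 6 + b"\x80" * 16

VALID_OPCODES = {0, 1, 2, 4, 5, 6}     # QUERY, IQUERY, STATUS, NOTIFY, UPDATE, DSO
VALID_QCLASSES = {1, 3, 4, 254, 255}   # IN, CH, HS, NONE, ANY


class NotDNS(ValueError):
    """Raised when a payload does not follow RFC 1035 wire format."""


def _read_name(buf, off, depth=0):
    """Read a wire-format name at offset off; return (labels, next_offset)."""
    labels, total = [], 0
    while True:
        if off >= len(buf):
            raise NotDNS("name runs past end of message")
        ln = buf[off]
        if ln == 0:
            return labels, off + 1
        if ln & 0xC0 == 0xC0:              # compression pointer (RFC 1035 4.1.4)
            if depth > 4 or off + 1 >= len(buf):
                raise NotDNS("bad compression pointer")
            ptr = ((ln & 0x3F) << 8) | buf[off + 1]
            if ptr >= off:
                raise NotDNS("compression pointer does not point backwards")
            tail, _ = _read_name(buf, ptr, depth + 1)
            return labels + tail, off + 2
        if ln > 63:
            raise NotDNS("label length %d exceeds 63" % ln)
        label = buf[off + 1:off + 1 + ln]
        if len(label) != ln:
            raise NotDNS("truncated label")
        total += ln + 1
        if total > 255:
            raise NotDNS("name exceeds 255 octets")
        labels.append(label)
        off += 1 + ln


def parse_dns(buf):
    """Parse header and question section; return a summary dict or raise NotDNS."""
    if len(buf) < 12:
        raise NotDNS("shorter than the 12-octet header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    opcode = (flags >> 11) & 0xF
    if opcode not in VALID_OPCODES:
        raise NotDNS("unassigned opcode %d" % opcode)
    if flags & 0x0040:
        raise NotDNS("reserved Z bit set")
    off, questions = 12, []
    for _ in range(qd):
        labels, off = _read_name(buf, off)
        if off + 4 > len(buf):
            raise NotDNS("question truncated")
        qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        if qtype == 0 or qclass not in VALID_QCLASSES:
            raise NotDNS("implausible QTYPE/QCLASS %d/%d" % (qtype, qclass))
        questions.append((b".".join(labels).decode("ascii", "replace"), qtype, qclass))
    return {"id": ident, "qr": bool(flags & 0x8000), "opcode": opcode,
            "qdcount": qd, "questions": questions}


def looks_like_dns(payload):
    """True if payload parses as DNS, False otherwise (never raises)."""
    try:
        parse_dns(payload)
        return True
    except NotDNS:
        return False


def classify_flows(flows):
    """flows: iterable of (src, sport, dst, dport, payload); verdicts for UDP/53 flows only."""
    verdicts = []
    for src, sport, dst, dport, payload in flows:
        if dport != 53:
            continue
        verdict = "dns" if looks_like_dns(payload) else "non-dns-on-53"
        verdicts.append((src, sport, dst, dport, verdict))
    return verdicts


if __name__ == "__main__":
    # Constructed flow records; the first mirrors the thread's log line.
    sample = [("1.2.3.4", 1798, "208.91.112.196", 53, OPAQUE_BLOB),
              ("1.2.3.4", 5353, "192.0.2.53", 53, DNS_QUERY),
              ("1.2.3.4", 4444, "192.0.2.53", 53, BAD_LABELS)]
    for row in classify_flows(sample):
        print(row)
```

A verdict of "non-dns-on-53" is what an inspecting upstream firewall acts on; for a known FortiGuard destination the fix on the upstream side is an explicit allow for that destination rather than relying on the DNS inspector, or moving the FortiGate to port 8888/udp as the earlier replies suggest.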
Ok, but as I have shown in the screenshot, nothing is enabled. So what could be the reason that there still is non-DNS traffic on port 53?
So no one has an idea what kind of info is transmitted via port 53 when potentially everything that could be a trigger to look something up with Fortinet Online Services is disabled?
I have found part of an answer: As soon as one of the policy rules has Antivirus enabled, then the strange UDP traffic is there. So it has nothing to do with updates indeed but it is some kind of live traffic stream to Fortinet servers.
It doesn't even seem to matter if Antivirus is set to flow- or proxy-based and what kind of traffic should be proxied.
Working with all these UTM features and what they entail unfortunately seems like info that is hard to come by....
I agree with ede_pfau.
Do you have a webfilter enabled on a firewall policy?
FG does a FortiGuard lookup, to get the categories for the websites you are visiting.
This will create exactly this constant stream of queries you see.
I'm not sure if "Detect Connections to Botnet C&C Servers" in the virus profile also queries the FortiGuard Service or if it's just using the internal Virus DB.