- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- strange DNS traffic
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
strange DNS traffic
Hello all,
We have noticed non-DNS traffic on port 53 from the Fortigate to the Internet (because we have another firewall between the Fortigate and the Internet ;) )
1.2.3.4 1798 208.91.112.196 53 udp flow from InternetTransit:1.2.3.4/1798 to Internet:208.91.112.196/53 terminated by inspection engine, reason - inspector disconnected, dropped packet.
Wireshark shows this:
What is that??
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Most probably this is the Fortiguard Communication for Webfilter and Antispam to the Fortiguard Server.
Check in the WebUI: System > Fortiguard, go to the bottom and open "Webfilter and Antispam".
Here you can configure if the Fortigate should use port 53 or port 8888 for the communication.
Regards,
Sylvia
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sylvia wrote:Most probably this is the Fortiguard Communication for Webfilter and Antispam to the Fortiguard Server.
Check in the WebUI: System > Fortiguard, go to the bottom and open "Webfilter and Antispam".
Here you can configure if the Fortigate should use port 53 or port 8888 for the communication.
But we have that disabled anyway.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Looks like you have disabled the push updates from Fortiguard to your device, however scheduled update requests from your device to Fortiguard are still enabled on port 53. As mentioned you can change this to port 8888.
Also the IP address 208.91.112.196 is in the range owned by Fortinet so probably one of their Fortiguard servers.
Hope that helps
Ian
Web: www.activatelearning.ac.uk
Twitter: twitter.com/activate_learn
Facebook: facebook.com/Activate-Learning
Web: www.activatelearning.ac.uk
Twitter: twitter.com/activate_learn
Facebook: facebook.com/Activate-Learning
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ian Harrison wrote:Looks like you have disabled the push updates from Fortiguard to your device, however scheduled update requests from your device to Fortiguard are still enabled on port 53. As mentioned you can change this to port 8888.
It always seemed to me that the shown ports applied to the webfilter/emailfilter cache section and not to the updates. In any case, the updates are scheduled for every hour, the DNS queries (or should I say the data sent to Fortinet via the DNS port) are there permanently, not only every hour.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ports 53/udp and 8888/udp are indeed used for webfiltering and email (SPAM) filtering. This is not only confined to signature updates; if a webfilter is active each passing URL needs to be categorized. So there is a constant stream of data flowing out and in.
Historically, FortiOS used port 8888/udp to contact the Fortiguard servers (first contact will be to service.fortiguard.net to obtain the list of Fortiguard servers available). Then, especially if the FGT is deployed in transparent mode, upstream firewalls often blocked the high port. Thus the alternative "well known" port 53/udp as DNS requests are most likely (but not always) allowed out.
Nowadays, the upstream firewall may look into DNS traffic and block it as "non-standard" as it is in fact, non-DNS. Sigh.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, but as I have shown in the screenshot, nothing is enabled. So what could be the reason that there still is non-DNS traffic on port 53?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So noone have an idea what kind of info is transmitted via port 53 when potentially everything that could be a trigger to look something up with Fortinet Online Services is disabled?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have found part of an answer: As soon as one of the policy rules has Antivirus enabled, then the strange UDP traffic is there. So it has nothing to do with updates indeed but it is some kind of live traffic stream to Fortinet servers.
It doesn't even seem to matter if Antivirus is set to flow- or proxy-based and what kind of traffic should be proxied.
Working with all these UTM features and what they entail unfortunately seems like info that is hard to come by....
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I agree with ede_pfau.
Do you have a webfilter enabled on a firewall policy?
FG does a FortiGuard lookup, to get the categories for the websites you are visiting.
This will create exactly this constant stream of queries you see.
I'm not sure if "Detect Connections to Botnet C&C Servers" in the virus profile als queries the FortiGuard Service or it's just using the internal Virus DB.
Related Posts
- Resolve FortiGate Connectivity Issue Same As... 23 Views
- 2 VIP with same external IPs 88 Views
- Limited Network 150 Views
- sd-wan issue 120 Views
- Log messages when forwarding traffic 160 Views
Labels
-
FortiGate
6,553 -
FortiClient
1,307 -
5.2
801 -
5.4
639 -
FortiManager
564 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiAP
336 -
FortiSwitch
334 -
FortiClient EMS
264 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
61 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
Firewall policy
24 -
FortiConnect
24 -
SD-WAN
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
15 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
Logging
11 -
LDAP
10 -
Virtual IP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
IP address management - IPAM
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
Traffic shaping policy
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiDB
3 -
Port policy
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
Web profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
Fortinet Engage Partner Program
2 -
TACACS
1 -
4.0MR1
1 -
Schedule
1 -
Users
1 -
SDN connector
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Web rating
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Multicast routing
1 -
Email filter profile
1 -
Zone
1 -
Internet Service Database
1 -
Explicit proxy
1 -
System settings
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.