Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Holy
Contributor

FortiMail generates DNS.Invalid.OPcode IPS Alerts all the time

Hello,

I have a FortiMail VM behind a FortiGate VM in a lab environment. All the DNS requests that go through the FortiGate always generate the same IPS alert, "DNS.Invalid.OPcode"; it's UDP 53.

It's really annoying because all my logs are full of these IPS alerts.

Do you have any idea why that happens and how to avoid it?

Thank you.

NSE 8 

NSE 1 - 7

 

1 Solution
emnoc
Esteemed Contributor III

I think you should whitelist it. Here's why: the IP rating lookups that the FortiGate does over UDP 53 are NOT really DNS-formatted packets, so any standard IPS will break or, worse, block (if enabled) on these packets. Read this on how a Cisco ASA's inspection deemed the FortiMail queries not DNS-formatted, and a method I built to get around it.

http://socpuppet.blogspot.com/2013/12/a-cisco-asa-breaking-fortimail-why.html

http://socpuppet.blogspot.com/2014/01/followup-to-cisco-asa-breaking.html

It's a bummer that Fortinet chose to use a well-known port, and I bet other application-aware firewalls or IPSes will also generate alerts or cause problems. So just whitelist/exempt the source IP address that the FortiMail uses.

NOTE: If you do a pcap of the DNS traffic from the FortiMail, you will find that other tools also fail to decode these datagrams.

PCNSE 

NSE 

StrongSwan  
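To make the mechanism behind the alert concrete, here is an added example (not code from the thread, from Fortinet, or from the linked blog posts) that reproduces the header check a port-based DNS inspector performs: it treats every UDP/53 datagram as DNS, reads the 4-bit OPCODE field from the header (RFC 1035 section 4.1.1), and flags any value that is not an assigned opcode. A real standard query passes; a constructed non-DNS payload on the same port does not, and a short runt payload cannot even be parsed. The `inspect_flows` helper then shows the fix the thread recommends: exempt the sender's source IP before the signature runs. The sample payloads and addresses are constructed for the demo; the `NOT_DNS` bytes are an illustration of an arbitrary non-DNS protocol on port 53, not a capture of FortiMail's actual rating-lookup format.

```python
"""Reproduce the header check behind a 'DNS invalid opcode' style IPS
signature and the source-IP exemption that silences it for a known sender."""
import struct

# Opcodes assigned in the IANA "DNS OpCodes" registry.
ASSIGNED_OPCODES = {
    0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE", 6: "DSO",
}


def parse_dns_header(datagram: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035 4.1.1)."""
    if len(datagram) < 12:
        raise ValueError("datagram shorter than the 12-byte DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", datagram[:12])
    return {
        "id": ident,
        "qr": flags >> 15,              # bit 15: 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,  # bits 14..11: the OPCODE field
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def dns_opcode_verdict(datagram: bytes) -> tuple[bool, str]:
    """Return (alert, reason) the way an inspector that assumes every
    UDP/53 datagram is DNS would decide it."""
    try:
        hdr = parse_dns_header(datagram)
    except ValueError as exc:
        return True, str(exc)
    op = hdr["opcode"]
    if op in ASSIGNED_OPCODES:
        return False, f"opcode {op} ({ASSIGNED_OPCODES[op]})"
    return True, f"opcode {op} is not an assigned DNS opcode"


def build_query(name: str, ident: int = 0x1234) -> bytes:
    """Constructed standard query (opcode 0, RD=1) for an A record."""
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


# Constructed sample: 16 bytes of non-DNS payload on UDP/53. Byte 2 (the
# first flags byte) is 0x78, so a DNS header parser reads opcode 15,
# which is unassigned, and a port-based DNS signature fires.
NOT_DNS = bytes.fromhex("7f787800" + "00" * 8 + "deadbeef")


def inspect_flows(flows, exempt_sources):
    """flows: iterable of (src_ip, udp_payload). Sources in exempt_sources
    are skipped before the signature runs, which is the whitelist/exemption
    the thread recommends for the FortiMail's address."""
    alerts = []
    for src, payload in flows:
        if src in exempt_sources:
            continue
        alert, reason = dns_opcode_verdict(payload)
        if alert:
            alerts.append((src, reason))
    return alerts


if __name__ == "__main__":
    # 192.0.2.0/24 is the RFC 5737 documentation range; addresses are constructed.
    sample_flows = [
        ("192.0.2.10", NOT_DNS),                       # non-DNS sender
        ("192.0.2.20", build_query("example.com")),   # ordinary resolver query
        ("192.0.2.30", b"\x00\x01"),                   # runt datagram
    ]
    print("without exemption:", inspect_flows(sample_flows, set()))
    print("with exemption:   ", inspect_flows(sample_flows, {"192.0.2.10"}))
```

The exemption is deliberately keyed on the source address rather than on relaxing the opcode check, so genuine malformed DNS from any other host still alerts.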


3 REPLIES 3

Holy

Thank you, I whitelisted the FortiMail, but it's strange that Fortinet does it that way.

Anyway, thanks.

emnoc wrote:

I think you should whitelist it. Here's why: the IP rating lookups that the FortiGate does over UDP 53 are NOT really DNS-formatted packets, so any standard IPS will break or, worse, block (if enabled) on these packets. Read this on how a Cisco ASA's inspection deemed the FortiMail queries not DNS-formatted, and a method I built to get around it.

http://socpuppet.blogspot.com/2013/12/a-cisco-asa-breaking-fortimail-why.html

http://socpuppet.blogspot.com/2014/01/followup-to-cisco-asa-breaking.html

It's a bummer that Fortinet chose to use a well-known port, and I bet other application-aware firewalls or IPSes will also generate alerts or cause problems. So just whitelist/exempt the source IP address that the FortiMail uses.

NOTE: If you do a pcap of the DNS traffic from the FortiMail, you will find that other tools also fail to decode these datagrams.

NSE 8 

NSE 1 - 7

 

Fahad
New Contributor III

emnoc is right; I keep facing the same issue whenever there is a Cisco ASA behind the FortiGate. Try to exclude the DNS traffic as emnoc instructed.

FCSNP 5, JNCIS-FW,JNCIA-SSL ,MCSE, ITIL.