Hello,
I have a FortiMail VM behind a FortiGate VM in a lab environment. All the DNS requests that go through the FortiGate always generate the same IPS alert, "DNS.Invalid.OPcode", on UDP 53.
It's really annoying because all my logs are full of these IPS alerts.
Do you have any idea why that happens and how to avoid it?
Thank you.
NSE 8
NSE 1 - 7
I think you should whitelist it. Here's why: the IP rating lookups that the FortiGate does over UDP 53 are NOT really DNS-formatted packets. So any standard IPS will break or, worse, block (if enabled) on these packets. Read this on how a Cisco ASA inspect deemed the FortiMail queries not DNS-formatted, and a method I built to get around this.
http://socpuppet.blogspot.com/2013/12/a-cisco-asa-breaking-fortimail-why.html
http://socpuppet.blogspot.com/2014/01/followup-to-cisco-asa-breaking.html
It's a bummer that Fortinet chose to use a well-known port, and I bet other application-aware firewalls or IPSs will also generate alerts or cause problems. So just whitelist/exempt the source IP addresses that the FortiMail uses.
NOTE: If you do a pcap of the DNS traffic from the FortiMail, you will find that other tools fail to decode these datagrams also.
PCNSE
NSE
StrongSwan
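To see concretely what an IPS "invalid opcode" check is reacting to, the following is an added example (not code from this thread or from Fortinet) that parses the fixed 12-byte DNS header of a UDP/53 payload and reports the opcode the way a signature like the one above would judge it. Both datagrams are constructed inline: one is a well-formed query, the other is an arbitrary non-DNS payload whose bytes decode to an unassigned opcode. The exact heuristics FortiGate's signature applies are not published on this page, so the classification rules here are an assumption based only on the DNS header format (RFC 1035 / RFC 6895).

```python
import struct

# Opcodes assigned by IANA (RFC 1035, RFC 1996, RFC 2136, RFC 8490).
# 3 and 7-15 are unassigned; a datagram decoding to one of those is
# either a malformed query or, as in this thread, not DNS at all.
VALID_OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE", 6: "DSO"}

def parse_dns_header(datagram: bytes) -> dict:
    """Decode the 12-byte DNS header: ID, flags word, and four section counts."""
    if len(datagram) < 12:
        raise ValueError("short header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", datagram[:12])
    opcode = (flags >> 11) & 0x0F          # bits 1-4 of the flags word
    return {
        "id": txid,
        "qr": flags >> 15,                 # 0 = query, 1 = response
        "opcode": opcode,
        "opcode_name": VALID_OPCODES.get(opcode, "UNASSIGNED"),
        "rcode": flags & 0x0F,
        "qdcount": qdcount,
        "ancount": ancount,
        "nscount": nscount,
        "arcount": arcount,
    }

def classify_udp53_payload(datagram: bytes) -> str:
    """Return 'dns' if the header passes basic sanity checks, else the reason it fails.

    Assumed heuristics (not Fortinet's published logic): unassigned opcode,
    or a query carrying no question section.
    """
    try:
        header = parse_dns_header(datagram)
    except ValueError as exc:
        return f"not-dns: {exc}"
    if header["opcode"] not in VALID_OPCODES:
        return f"invalid-opcode: {header['opcode']}"
    if header["qr"] == 0 and header["qdcount"] == 0:
        return "not-dns: query without question section"
    return "dns"

def encode_qname(name: str) -> bytes:
    """Encode a domain name as DNS labels (length-prefixed, zero-terminated)."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"

# Constructed sample 1: a standard recursive A query for example.com (opcode 0).
VALID_QUERY = (
    struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    + encode_qname("example.com")
    + struct.pack("!HH", 1, 1)            # QTYPE A, QCLASS IN
)

# Constructed sample 2: an opaque application payload sent to UDP/53. Read as a
# DNS header, its second 16-bit word (0x7800) yields opcode 15, which is unassigned.
OPAQUE_DATAGRAM = struct.pack("!HHHHHH", 0xBEEF, 0x7800, 0, 0, 0, 0) + b"opaque-payload"

def demo() -> dict:
    """Classify both constructed datagrams; handy for a quick look at the verdicts."""
    return {
        "valid_query": classify_udp53_payload(VALID_QUERY),
        "opaque_datagram": classify_udp53_payload(OPAQUE_DATAGRAM),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point for the defender is that a protocol decoder on port 53 has no way to know the sender intended something other than DNS; it decodes the bytes it is given, and an unassigned opcode is a legitimate finding about the packet format. That is why the fix in this thread is an exemption scoped to the FortiMail's source address rather than disabling the signature globally, which would also silence the same alert for traffic that really is malformed DNS.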
Thank you, I whitelisted FortiMail, but it's strange that Fortinet does it that way.
Anyway, thanks.
emnoc wrote: I think you should whitelist it. Here's why: the IP rating lookups that the FortiGate does over UDP 53 are NOT really DNS-formatted packets. So any standard IPS will break or, worse, block (if enabled) on these packets. Read this on how a Cisco ASA inspect deemed the FortiMail queries not DNS-formatted, and a method I built to get around this.
http://socpuppet.blogspot.com/2013/12/a-cisco-asa-breaking-fortimail-why.html
http://socpuppet.blogspot.com/2014/01/followup-to-cisco-asa-breaking.html
It's a bummer that Fortinet chose to use a well-known port, and I bet other application-aware firewalls or IPSs will also generate alerts or cause problems. So just whitelist/exempt the source IP addresses that the FortiMail uses.
NOTE: If you do a pcap of the DNS traffic from the FortiMail, you will find that other tools fail to decode these datagrams also.
NSE 8
NSE 1 - 7
emnoc is right; I keep facing the same issue whenever there is a Cisco ASA behind the FortiGate. Try to exclude the DNS traffic as emnoc instructed.
FCSNP 5, JNCIS-FW,JNCIA-SSL ,MCSE, ITIL.