Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
unknown1020
New Contributor III

Created on ‎07-26-2023 01:42 PM

malicious connections from the fortigate

friends good day a question:
In our review of malicious connections from the internal network, we observed that there are many malicious connections from the fortigate IP. 

Could you help me with your comments, why is this happening?

currently the fortigate has a vulnerable version and I don't know if it might be related to this.

Labels:
935
0 Kudos
1 Solution
srajeswaran
Staff
Staff
In response to unknown1020

Created on ‎07-27-2023 03:47 AM

Yes, source IP will be of the Firewall if NAT is enabled.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

View solution in original post

858
0 Kudos
6 REPLIES 6
mpandya
Staff
Staff

Created on ‎07-26-2023 08:45 PM

Hi ,

Could you kindly elaborate on the issue?

 

  1. where is discovered
  2. Any FortiGate malicious detection
  3. Any security profile applied to policy

 

 

 

907
0 Kudos
chauhans
Staff
Staff

Created on ‎07-26-2023 11:20 PM

Hi @unknown1020 

As I understand from your query, you are observing malicious traffic from Fortigate IP.

+ May I know where is the IP located in Fortigate Firewall?
+ Could you please share security event logs and forward traffic logs with respect to the Malicious IP?
+ Also, you may create Local in policies to block the malicious IP by following below doc. article.
https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/363127/local-in-policies

Thanks,

@chauhans 

899
0 Kudos
srajeswaran
Staff
Staff

Created on ‎07-27-2023 12:31 AM

You may be hitting https://www.fortiguard.com/psirt/FG-IR-22-398 , can you check if you are seeing connections to below IPs?

Connections to suspicious IP addresses from the FortiGate:

188.34.130.40:444
103.131.189.143:30080,30081,30443,20443
193.36.119.61:8443,444
172.247.168.153:8033
139.180.184.197
66.42.91.32
158.247.221.101
107.148.27.117
139.180.128.142
155.138.224.122
185.174.136.20

More details on https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflo...

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

891
0 Kudos
asengar
Staff
Staff
In response to srajeswaran

Created on ‎07-27-2023 01:16 AM

Kindly share the malicious IP details and also the forward traffic logs filter with the malicious IP

Do confirm where the IP is configured on the firewall from which you are seeing the malicious connections.

 

Share the below output

dia sys session filter src x.x.x.x  

dia sys session list

 

Thanks

@bhishek
886
0 Kudos
unknown1020
New Contributor III
In response to asengar

Created on ‎07-27-2023 03:44 AM

hello, I discovered that the policy of the publication (vip) had the NAT enabled. So when nat is enabled, that causes the source ip to be nated by the firewall ip, right?

862
0 Kudos
srajeswaran
Staff
Staff
In response to unknown1020

Created on ‎07-27-2023 03:47 AM

Yes, source IP will be of the Firewall if NAT is enabled.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

859
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.