Fortigate alerts

Hi Experts,

I have some alerts sent from my firewall fortigate 80c.
The alert is :
Message meets Alert condition
date=2014-04-24 time=16:41:19 devname=WRWOHAB_DKG3_MASTER device_id=FG200B3912611717 log_id=0022000003 type=traffic subtype=violation  pri=warning status=deny vd="root" src=10.1.4.29 srcname=10.1.4.29 src_port=63439 dst=23.55.226.116 dstname=23.55.226.116 dst_country="United States" src_country="Reserved" dst_port=80 service=HTTP proto=6 app_type=N/A duration=0 rule=58 policyid=58 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" vpn="N/A" vpn_type=UNKNOWN(65535) vpn_tunnel="N/A" src_int="port14" dst_int="port16" SN=190684789 app="N/A" app_cat="N/A" user="N/A" group="N/A" msg="N/A" carrier_ep="N/A" profilegroup="N/A" subapp="N/A" subappcat="N/A"

Can you help me with this ?
I want to know what kind of traffic this is.
Eprs_AdminSystem ArchitectAsked:
Who is Participating?
 
MiftaulConnect With a Mentor Commented:
http traffic to 23.55.226.116  is blocked from source host at IP address 10.1.4.29.

This is due to your firewall rule 58 which you created. Did you set any Content Filtering or GeoIP on your Fortigate.
0
 
Eprs_AdminSystem ArchitectAuthor Commented:
Yes I did this filters.
But for me it is not clear which application or service want to connect to this IP.
0
 
MiftaulConnect With a Mentor Commented:
We need to check the host (10.1.4.29) to find which service used port 63439.

We could use packet filter on the Fortigate or see application flow monitor.
0
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

 
Eprs_AdminSystem ArchitectAuthor Commented:
which tool I can use as application flow monitor?
Can I check this remote too ?
0
 
Eprs_AdminConnect With a Mentor System ArchitectAuthor Commented:
ok now I have tested some more.
we opened a site like : www.diablo-3.net
Here is a lot of advertisment and in the bottom of the browser I could see something loading : js.adscale.de and some other sites loaded in the background.

With netsat -o -t I hava checked the connections and the PID.
The PID was always my AVP from Kaspersky, this the webcontrol.
If you don´t have webcontrol enabled, the PID is always your browser.

Now I know it has to do with ads and all the popups on the sites.
But which data wants to be uploaded from my machine as source ?
Is it cookie data ?
0
 
Eprs_AdminSystem ArchitectAuthor Commented:
I selected also my statement, because here is the detailed explanation why the blocks are coming up.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.