Solved

Fortigate alerts

Posted on 2014-04-24
6
837 Views
Last Modified: 2014-05-18
Hi Experts,

I have some alerts sent from my firewall fortigate 80c.
The alert is :
Message meets Alert condition
date=2014-04-24 time=16:41:19 devname=WRWOHAB_DKG3_MASTER device_id=FG200B3912611717 log_id=0022000003 type=traffic subtype=violation  pri=warning status=deny vd="root" src=10.1.4.29 srcname=10.1.4.29 src_port=63439 dst=23.55.226.116 dstname=23.55.226.116 dst_country="United States" src_country="Reserved" dst_port=80 service=HTTP proto=6 app_type=N/A duration=0 rule=58 policyid=58 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" vpn="N/A" vpn_type=UNKNOWN(65535) vpn_tunnel="N/A" src_int="port14" dst_int="port16" SN=190684789 app="N/A" app_cat="N/A" user="N/A" group="N/A" msg="N/A" carrier_ep="N/A" profilegroup="N/A" subapp="N/A" subappcat="N/A"

Can you help me with this ?
I want to know what kind of traffic this is.
0
Comment
Question by:Eprs_Admin
  • 4
  • 2
6 Comments
 
LVL 11

Accepted Solution

by:
Miftaul earned 500 total points
ID: 40020443
http traffic to 23.55.226.116  is blocked from source host at IP address 10.1.4.29.

This is due to your firewall rule 58 which you created. Did you set any Content Filtering or GeoIP on your Fortigate.
0
 

Author Comment

by:Eprs_Admin
ID: 40026651
Yes I did this filters.
But for me it is not clear which application or service want to connect to this IP.
0
 
LVL 11

Assisted Solution

by:Miftaul
Miftaul earned 500 total points
ID: 40026866
We need to check the host (10.1.4.29) to find which service used port 63439.

We could use packet filter on the Fortigate or see application flow monitor.
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 

Author Comment

by:Eprs_Admin
ID: 40026887
which tool I can use as application flow monitor?
Can I check this remote too ?
0
 

Assisted Solution

by:Eprs_Admin
Eprs_Admin earned 0 total points
ID: 40029686
ok now I have tested some more.
we opened a site like : www.diablo-3.net
Here is a lot of advertisment and in the bottom of the browser I could see something loading : js.adscale.de and some other sites loaded in the background.

With netsat -o -t I hava checked the connections and the PID.
The PID was always my AVP from Kaspersky, this the webcontrol.
If you don´t have webcontrol enabled, the PID is always your browser.

Now I know it has to do with ads and all the popups on the sites.
But which data wants to be uploaded from my machine as source ?
Is it cookie data ?
0
 

Author Closing Comment

by:Eprs_Admin
ID: 40073019
I selected also my statement, because here is the detailed explanation why the blocks are coming up.
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Tagging ports on a managed switch 6 50
Does Cisco ASA 5506-X have full dmz capabilities 3 36
Office 365 setting for security 4 62
Intrusion detection 20 56
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
A customer recently asked me about anti-malware and the different deployment options available for his business. Daily news about cyberattacks, zero-day vulnerabilities, and companies that suffered a security breach made him wonder if the endpoint a…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now