Description

When scanning some IP addresses you may receive a response even if the IP address does not exist.

Scope

This can happen if traffic flows match a firewall policy which has proxy-based UTM profiles enabled. In this case, when the FortiGate receives packets on inspected ports, FortiGate will attempt to establish the TCP connection with the client first before attempting to connect to the destination IP address. The handshake the scanner sees is therefore completed by the FortiGate's proxy, not by the destination host.
Solution

If you want to change this behavior, you can use one of the following options:
- Refine the policy so that it only has proxy-AV enabled for specific IP addresses.
- Use 'inspect-all' rather than a specific port in the profile-protocol-options so that no proxying will be done until a successful connection is established with the destination.
- If using FortiOS 5.2, use flow-based UTM profiles.
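The three options above expressed as FortiOS CLI configuration. This is an added example, not configuration from the original article; the address object name "proxy-av-servers", the policy ID 10, the interface names, the subnet 192.0.2.0/24 and the profile name "av-flow" are all assumed placeholders, and the exact options available depend on the FortiOS version in use.

```fortios
# Option 1: restrict the policy with proxy-based AV to the destinations that need it,
# instead of applying it to "all" (address object and policy ID are hypothetical).
config firewall address
    edit "proxy-av-servers"
        set subnet 192.0.2.0 255.255.255.0   # constructed example range
    next
end
config firewall policy
    edit 10
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "proxy-av-servers"       # was "all": only these hosts are proxied
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "default"
        set profile-protocol-options "default"
    next
end

# Option 2: use inspect-all rather than a fixed port list in the protocol options,
# so the proxy does not pick up the session before the destination answers.
config firewall profile-protocol-options
    edit "default"
        config http
            set inspect-all enable
        end
    next
end

# Option 3 (FortiOS 5.2): use a flow-based antivirus profile on the policy
# (profile name is hypothetical; apply it with "set av-profile av-flow" in the policy).
config antivirus profile
    edit "av-flow"
        set inspection-mode flow-based
    next
end
```

After applying any of these, re-run the same scan against an unused address behind the FortiGate: the spurious responses should stop for the ports that are no longer proxied, which confirms the policy, not the host, was answering.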