preznik_FTNT
Staff
Article Id 191540
Description
When scanning IP addresses that sit behind a FortiGate, you may receive a TCP response even if the destination IP address does not exist (no host is actually present at that address).

Scope
This can happen when the scanned traffic matches a firewall policy that has proxy-based UTM profiles (for example proxy-based antivirus) enabled.

In this case, when the FortiGate receives packets on a port that the profile-protocol-options inspects, the FortiGate completes the TCP handshake with the client itself before it attempts to connect to the destination IP address. The scanner therefore sees a SYN/ACK from the FortiGate's proxy regardless of whether a host exists at the destination address.

Solution
If you want to change this behavior, use one of the following options:
  1. Refine the policy so that proxy-based AV is only enabled for the specific destination IP addresses that need it.
  2. Use 'inspect-all' rather than a specific port in the profile-protocol-options, so that no proxying is done until a connection with the destination has been successfully established.
  3. If using FortiOS 5.2, use flow-based UTM profiles instead of proxy-based ones.
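As an added illustration (not configuration taken from the original article), the CLI shape of options 1 and 2: the first profile-protocol-options block binds HTTP proxy inspection to port 80 and produces the phantom SYN/ACK described above; the second enables inspect-all; the firewall policy restricts the proxy-AV profile to a named destination address object. The profile name "default", the address object "proxy-inspected-hosts", the interface names and the policy ID are assumptions for this example.

```fortios
# Before: HTTP inspection bound to one port. The FortiGate answers the
# client's SYN on port 80 itself, so a scan of a non-existent host
# behind this policy still receives a SYN/ACK.
config firewall profile-protocol-options
    edit "default"
        config http
            set ports 80
            set inspect-all disable
        end
    next
end

# After (option 2): inspect all ports. Proxying does not start until the
# connection to the real destination succeeds, so only hosts that truly
# answer are reported by a scan.
config firewall profile-protocol-options
    edit "default"
        config http
            set inspect-all enable
        end
    next
end

# Option 1: keep proxy-based AV, but scope the policy to the destination
# addresses that need it (address object name is assumed here).
config firewall policy
    edit 10
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "proxy-inspected-hosts"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "default"
        set profile-protocol-options "default"
    next
end
```

Traffic to destinations outside "proxy-inspected-hosts" should then match a separate policy without proxy-based UTM, so scans of those addresses are forwarded rather than answered by the proxy.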
