Fortinet Question - IP and Ports being reported to security systems

deanwebb · April 08, 2021, 09:24:55 AM

Yo, Wintermute!

We're seeing a situation in which Fortinet firewalls are reporting IP addresses and/or open ports on devices where there's no host at the IP address and no such open port on the device. The common factor is a Fortinet firewall in the path. Is there any setting on the Fortinet that we should check to modify/stop the behavior?

wintermute000 · July 06, 2021, 07:34:32 AM

can you be more specific about Fortinet firewalls reporting IP addresses / open ports? What exactly is the report or screen or output you're seeing?

deanwebb · July 07, 2021, 09:48:30 AM

This would be reporting via ARP tables and/or responses to NMAP scans.

Otanx · July 07, 2021, 11:53:22 AM

sounds like proxy arp is enabled.

-Otanx

wintermute000 · July 12, 2021, 04:15:35 AM

I still don't get what its 'reporting'. The FW isn't running NMAP scans or anything like that?
If you mean that when its responding, then yep proxy ARP because theres a VIP or NAT etc.

deanwebb · July 12, 2021, 01:03:59 PM

Responding, so I'll check on the proxy ARP.

Fortinet Question - IP and Ports being reported to security systems

deanwebb

wintermute000

deanwebb

Otanx

wintermute000

deanwebb