Is this normal behavior?

Wilnel
2019/02/12 14:17:17

Our antivirus guy will send me alerts from Symantec. Sometimes it gets these hits:
[Somebody is scanning your computer. Your computer's TCP ports: 10000, 8910, 70, 32774 and 59906 have been scanned from xxx.xx.1.2.]
xxx.xx.1.2 is the firewall. If I put the host IP that is affected in the forwarded traffic in FortiView, I do not see the event listed at the time. Is this just some wild traffic from the firewall, or could it be something to worry about?
#1
lobstercreed
Re: Is this normal behavior? 2019/02/12 14:21:15
Do you have active scanning turned on for the LAN interface?  This sounds like that feature.
#2
Wilnel
Re: Is this normal behavior? 2019/02/12 14:23:42
How do I tell? If it is on, shouldn't it be hitting more than one PC?
#3
Wilnel
Re: Is this normal behavior? 2019/02/12 14:32:07
I do see active scanning is on.
#4
lobstercreed
Re: Is this normal behavior? 2019/02/12 15:11:07 ☼ Best Answer by Wilnel 2019/02/13 05:22:19
It might depend on the security profile of that PC.  Also, the firewall has to have Layer 2 adjacency to the device in question.  If there is another router in-between, it would not be able to scan those.  If Symantec is configured exactly the same on more than one PC in that network, I would think it would affect more than one, yes. 
The source address being the firewall though seems to indicate that it must be this though and not a random attacker from the Internet.  It would have the attacker's IP address if it was, right?
#5
Wilnel
Re: Is this normal behavior? 2019/02/13 05:23:12
I wonder why I can't see the traffic of the firewall scanning the PC.
#6
lobstercreed
Re: Is this normal behavior? 2019/02/13 10:12:16
Can't see it where?  In the logs?  I'm not sure what log you would expect to see it under if it's initiated by the FortiGate itself.  You could try turning that feature off and see if you continue to get any alerts from Symantec.
#7
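
Added example, not part of the original thread: a small triage script for alerts in the format quoted in the first post. It groups alerts by scan source and separates sources on a list of expected scanners (such as the firewall's LAN address) from everything else, which also shows whether more than one PC is reporting the same source. The addresses, the sample alerts, the `UDP` variant and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Alert wording as quoted in the first post; "UDP" is an assumed variant.
ALERT_RE = re.compile(
    r"Your computer's (?P<proto>TCP|UDP) ports: (?P<ports>[\d, and]+?) "
    r"have been scanned from (?P<src>\d+(?:\.\d+){3})"
)

def _alert(ports, src):
    """Build a constructed alert line in the quoted format."""
    return ("Somebody is scanning your computer. Your computer's TCP ports: "
            f"{ports} have been scanned from {src}.")

# Constructed sample data: (alerting host, alert text). All addresses are made up.
SAMPLE_ALERTS = [
    ("10.0.1.21", _alert("10000, 8910, 70, 32774 and 59906", "10.0.1.2")),
    ("10.0.1.35", _alert("10000, 8910, 70, 32774 and 59906", "10.0.1.2")),
    ("10.0.1.21", _alert("22, 23 and 3389", "203.0.113.50")),
    ("10.0.1.40", "Definitions updated."),  # unrelated message, ignored
]

def parse_alert(text):
    """Return protocol, port list and source IP from one alert, or None."""
    m = ALERT_RE.search(text)
    if m is None:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:  # four dotted numbers that are not a valid address
        return None
    ports = [int(p) for p in re.findall(r"\d+", m["ports"])]
    return {"proto": m["proto"], "ports": ports, "src": src}

def triage(alerts, known_scanners):
    """Group alerts by scan source; mark sources that are not expected scanners."""
    hosts_by_src = defaultdict(set)
    for host, text in alerts:
        parsed = parse_alert(text)
        if parsed is not None:
            hosts_by_src[parsed["src"]].add(host)
    known = {ipaddress.ip_address(a) for a in known_scanners}
    return {str(src): {"expected": src in known, "hosts": sorted(hosts)}
            for src, hosts in hosts_by_src.items()}

if __name__ == "__main__":
    # Assumption: 10.0.1.2 is the firewall's LAN address doing the active scanning.
    for src, info in triage(SAMPLE_ALERTS, ["10.0.1.2"]).items():
        verdict = "known scanner" if info["expected"] else "INVESTIGATE"
        print(f"{src}: {verdict}, alerting hosts: {', '.join(info['hosts'])}")
```
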