Posted by Michael J. Pelletier on March 19, 2005, 11:37 pm
Andreas Schweighofer wrote:
> At my workplace there are two networks. One network is connected
> to the internet through a linux-firewall and the other net is
> connected to the internet over a fortigate-firewall (fortigate 50 or
> fortigate 60).
> I administer the linux-firewall and I have no rights on the
> fortigate-firewall, I don't even know which model it is exactly -
> the only thing I know is the mac-address and the price - therefore
> I think it's a fortigate 50 or 60.
>
> But I see some strange things in the log-file of my linux-firewall
> coming from the fortigate-box.
> Both machines - my linux-firewall and the fortigate-box are
> in the same public net.
> For example my linux-box has the IP-Address 190.30.30.5
> in the net 190.30.30.0/24 and the fortigate-box has 190.30.30.6.
> So I can see osi2 and osi3 broadcasts.
> (The Ip-Addresses are examples and not the real ones).
>
> I see a large number of arp-requests coming
> from this fortigate machine:
>
> arp who-has 217.12.10.99 tell 190.30.30.6
> arp who-has 193.80.200.160 tell 190.30.30.6
> arp who-has 193.80.200.135 tell 190.30.30.6
> arp who-has 12.158.80.10 tell 190.30.30.6
> arp who-has 195.128.164.3 tell 190.30.30.6
> arp who-has 193.201.52.83 tell 190.30.30.6
> arp who-has 195.3.96.71 tell 190.30.30.6
> arp who-has 64.12.164.248 tell 190.30.30.6
> arp who-has 212.227.40.104 tell 190.30.30.6
> arp who-has 62.178.215.241 tell 190.30.30.6
> ...
This is strange. Usually you see more firewall-to-default-router and local
subnet ARPs. These are strange... Do they have many subnets behind them?
>
> strange, isn't it?
> the fortigate-box asks for the osi2-addresses of machines that
> the people behind the firewall try to contact!
>
> What I now would like to understand:
> - Is this a feature of the fortigate-box (perhaps because the
> box is under heavy load - fortigate 50 & 60 are small business
> firewalls and this box has to serve about 40-60 clients)
> - Or is this because of misconfiguration?
> (perhaps: fortigate has an ethernet-port for inside, outside and
> dmz - perhaps they (the admins!) have plugged in the
> cable to the wrong port - dmz? and not in the outside port?)
> - Has anybody seen the same and knows the reason?
>
> What else I see in my firewall-log are packets with
> source 0.0.0.0 and 255.255.255.255, udp, SPT 68, DPT 67, TTL 128
> - okay, dhcp-request coming from a windows machine.
> But I also see the mac-address of the asking machine.
> (I asked the fortigate admins if they have a machine
> with this mac-address in their inner-net and they said "yes")
> I now wonder why the fortigate is routing this packet?
> A packet with source 0.0.0.0 and dest 255.255.255.255 - with
> the original mac??
The only way I could think of to explain this is if they are doing a
bridging firewall setup. I have a cable modem and do the same thing with a
FreeBSD firewall. I do this because my static IP is on a different subnet
than my dynamic IP addresses (Static = my server and Dynamic = my
desktops)... So in this setup you will see the DHCP packets with the
original MAC addresses...
> What is going on there??
>
> thanks very much for any reply
>
> andi
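As an added example (not part of either poster's message), here is the check a firewall admin would run over a capture like the one quoted above: parse tcpdump-style ARP lines, flag every `who-has` whose target is outside the local /24, and count them per sender. A box that ARPs for off-subnet addresses is not handing them to a gateway, which is exactly the symptom of a missing default route or of a bridging/transparent-mode device. The log lines are constructed from the addresses in the post; the line format is tcpdump's `arp who-has X tell Y` output, which the post's excerpt matches.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample capture in tcpdump's ARP output format. The
# addresses are the ones the original poster used as examples; the two
# on-subnet requests and the reply are added to show they are ignored.
SAMPLE_ARP_LOG = """\
arp who-has 217.12.10.99 tell 190.30.30.6
arp who-has 190.30.30.1 tell 190.30.30.5
arp who-has 193.80.200.160 tell 190.30.30.6
arp who-has 190.30.30.6 tell 190.30.30.5
arp who-has 64.12.164.248 tell 190.30.30.6
arp reply 190.30.30.1 is-at 00:11:22:33:44:55
"""

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ARP_WHO_HAS = re.compile(
    rf"arp who-has (?P<target>{_IPV4}) tell (?P<sender>{_IPV4})"
)


def off_subnet_arp_requests(log_text, local_net):
    """Return (target, sender) pairs for ARP requests whose target is not
    in local_net, in capture order.

    A host on 190.30.30.0/24 should only ever ARP for other hosts in that
    /24 (including its default gateway). ARPing for arbitrary Internet
    addresses means it is trying to deliver them on the local segment
    itself: no default route, or a bridge/transparent firewall in front
    of the clients that originate the traffic.
    """
    net = ipaddress.ip_network(local_net)
    hits = []
    for line in log_text.splitlines():
        m = ARP_WHO_HAS.search(line)
        if not m:
            continue  # ARP replies and non-ARP lines are not requests
        target = ipaddress.ip_address(m.group("target"))
        if target not in net:
            hits.append((str(target), m.group("sender")))
    return hits


def suspicious_senders(log_text, local_net, threshold=2):
    """Count off-subnet ARP requests per sender and return the senders
    that reach the threshold.

    On a /24 with one router there should be no such senders at all; a
    threshold above 1 just filters out a single mistyped static route.
    """
    counts = Counter(
        sender for _, sender in off_subnet_arp_requests(log_text, local_net)
    )
    return {sender: n for sender, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for target, sender in off_subnet_arp_requests(SAMPLE_ARP_LOG, "190.30.30.0/24"):
        print(f"{sender} is ARPing for off-subnet host {target}")
    print("suspicious senders:", suspicious_senders(SAMPLE_ARP_LOG, "190.30.30.0/24"))
```

To run it against a live capture instead of the constructed sample, feed it the output of `tcpdump -n -i eth0 arp` (the `-n` keeps addresses numeric so the regex matches). If the flagged sender is the neighbouring firewall and the targets are public Internet hosts, the next question to its admins is the one raised in the thread: is the box in transparent (bridge) mode, or is its outside interface missing a default route?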