Wednesday, October 24, 2018

Network Scans displaying IP addresses that do not exist

Using IP scanning software or monitoring tools (nmap, Angry IP Scanner, Darktrace, BeyondTrust, etc.) displays IP addresses that do not exist within the network. What is strange is that it displays every IP address in the range of the scan. For instance, if we scan 172.16.1.1 - 172.16.1.254, it shows all IPs from 1-254 as active.

Our network is sort of a hub-and-spoke network with SD-WAN (from VeloCloud) implemented at all of our locations. Our main headquarters houses all the servers, so the other remote sites come through to our main site. Since our ISP (TPx) doesn't allow us to control what is on the SD-WAN, we have a FortiGate firewall installed behind the SD-WAN at our HQ. The other remote sites do not have a firewall in place, just SD-WAN. If we do a network scan from one remote location to another remote location, the scan works perfectly. The issue only arises when scanning between HQ and a remote site (in both directions, HQ to remote and remote to HQ).

Our FortiGate simply has an allow-all rule permitting all other remote sites into the HQ network. There is no special configuration at the other remote SD-WAN sites, other than a static route at the HQ site for our main IP address (10.10.x.x) so that the other remote sites know how to communicate with our main site.
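A quick sanity check for the symptom described above (a ping sweep that marks every address in the range as up only when the path crosses the HQ SD-WAN/firewall). This is an added example, not code from the post: it parses nmap grepable output (`-sn -oG`), flags a sweep whose "up" coverage of the range is implausibly complete, and compares a scan taken from the HQ path against one taken remote-to-remote so that addresses that only appear "up" via HQ can be listed. The nmap output lines are constructed samples, not captured from the poster's network; the 0.9 coverage threshold is an assumption.

```python
import ipaddress
import re

# Matches the per-host line nmap writes in grepable (-oG) output, e.g.
#   Host: 172.16.1.1 ()\tStatus: Up
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Status:\s+(\w+)", re.M)


def parse_up_hosts(grepable_text):
    """Return the set of addresses nmap reported as Up in -oG output."""
    return {ip for ip, status in HOST_LINE.findall(grepable_text) if status == "Up"}


def sweep_coverage(up_hosts, network):
    """Fraction of usable addresses in `network` that were reported Up."""
    net = ipaddress.ip_network(network, strict=False)
    usable = [str(h) for h in net.hosts()]
    seen = sum(1 for h in usable if h in up_hosts)
    return seen / len(usable)


def sweep_looks_implausible(up_hosts, network, threshold=0.9):
    """True when nearly every address answered; on a normal LAN that usually
    means something in the path is answering on behalf of unused addresses
    rather than real hosts being present. Threshold is an assumed value."""
    return sweep_coverage(up_hosts, network) >= threshold


def hosts_only_seen_via(up_hosts_path_a, up_hosts_path_b):
    """Addresses reported Up from path A but not from path B. When A is the
    HQ path and B is remote-to-remote, these are the suspect 'phantom' hosts."""
    return sorted(up_hosts_path_a - up_hosts_path_b, key=ipaddress.ip_address)


def make_sample_sweep(network, up_addresses):
    """Build constructed -oG text for `network` marking `up_addresses` as Up
    and everything else as Down (nmap itself omits Down hosts unless asked)."""
    net = ipaddress.ip_network(network, strict=False)
    lines = ["# Nmap ping sweep (constructed sample, not real scan output)"]
    for h in net.hosts():
        status = "Up" if str(h) in up_addresses else "Down"
        lines.append(f"Host: {h} ()\tStatus: {status}")
    return "\n".join(lines)


# Constructed samples: a remote-to-remote sweep with a handful of real hosts,
# and a sweep across the HQ path where every address in the range answered.
REAL_HOSTS = {"172.16.1.1", "172.16.1.10", "172.16.1.25", "172.16.1.200"}
REMOTE_PATH_SWEEP = make_sample_sweep("172.16.1.0/24", REAL_HOSTS)
HQ_PATH_SWEEP = make_sample_sweep(
    "172.16.1.0/24", {str(h) for h in ipaddress.ip_network("172.16.1.0/24").hosts()}
)


def diagnose(hq_text, remote_text, network="172.16.1.0/24"):
    """Summarise both sweeps: coverage per path and the phantom-host list."""
    hq_up = parse_up_hosts(hq_text)
    remote_up = parse_up_hosts(remote_text)
    return {
        "hq_coverage": sweep_coverage(hq_up, network),
        "remote_coverage": sweep_coverage(remote_up, network),
        "hq_sweep_implausible": sweep_looks_implausible(hq_up, network),
        "phantom_count": len(hosts_only_seen_via(hq_up, remote_up)),
    }


if __name__ == "__main__":
    result = diagnose(HQ_PATH_SWEEP, REMOTE_PATH_SWEEP)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run a sweep from a remote site and one across the HQ path with `nmap -sn -oG - 172.16.1.0/24`, feed both outputs to `diagnose()`, and the phantom list is the set of addresses worth checking against the real inventory before trusting the HQ-path results.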
