Monday, February 15, 2021

Phantom port discovery from Nmap scans

I just revamped my SMB lab network sim over the weekend and replaced a Palo Alto PA-220 with a FortiGate 60F as my main router/firewall.

I also added a Cisco 3750 switch with VLANs for external/public, internal1 and internal2, and wired interfaces from the Forti to the switch VLANs; ports a/b go to 2 WiFi routers (bridged) for guest and home WiFi. 2 VLANs go to an Antsle EdgeLinux hypervisor with some monitoring servers and a SIEM. The external VLAN on the switch is SPANned to an IDS/SIEM. All traffic between nets is inspected by the FortiGate.

Problem is, now all of a sudden since I added the Cisco switch (unsure if related, but it's the only change), when I do a deep Nmap scan I get phantom replies for IP addresses that do not exist. The ports discovered are 113 (tcp-ident), 2000 (tcp-cisco-sccp) and 5060 (tcp-sip). These devices do not exist. I have about 40 IPs on my network (per the Forti asset list and my knowledge of my net); however, the SIEM and an Nmap scan return these listening ports like they exist.

Nothing spectacular about the switch config; it's pretty basic. A couple of VLANs with IP addresses, and groups of ports assigned to the different segments. BPDU guard is disabled on anything that is not a PC; spanning-tree portfast is on all ports. Nothing odd in the logs. Things otherwise seem to work fine.

I cannot figure out why all these replies; it makes the SIEM very messy, and I've spent about 30 hrs this weekend on this. Everything is mostly sorted out other than this new oddity.

Any ideas? I've been out of switching for a decade and it's the only new thing when running asset scans; it did not do this when I just had the Meraki and Palo and 2 WiFi routers.

EDIT: just ran Nmap against a phantom IP and captured it with Wireshark; looks like the Fortinet is what is replying to these non-existent hosts on 2000 and 5060. The particular one I'm looking at doesn't even hit the Cisco switch, just direct from the Forti to the WiFi router in bridged mode. I pulled the pcap into NetworkMiner for easier visibility. This is an odd thing that I've never seen before; why is my Forti replying to these Nmap scans?
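The check the EDIT describes (which MAC address is actually sourcing the SYN/ACKs for addresses that are not in the asset list) can be scripted over a field export from the capture. This is an added example, not the author's script: the CSV rows, MACs, IPs and the asset list are constructed, and the tshark command in the comment is assumed as the way to produce such an export from a real pcap.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample in the shape of a tshark field export of SYN/ACK replies, e.g.
#   tshark -r scan.pcap -Y 'tcp.flags.syn==1 && tcp.flags.ack==1' \
#          -T fields -E header=y -E separator=, -e eth.src -e ip.src -e tcp.srcport
# MACs and addresses are invented: 10.10.1.20 stands for a real host,
# 10.10.1.37/.38 for addresses that nothing is plugged into.
SAMPLE_CSV = """eth.src,ip.src,tcp.srcport
ac:de:48:00:11:22,10.10.1.20,22
ac:de:48:00:11:22,10.10.1.20,445
00:09:0f:aa:bb:01,10.10.1.37,113
00:09:0f:aa:bb:01,10.10.1.37,2000
00:09:0f:aa:bb:01,10.10.1.37,5060
00:09:0f:aa:bb:01,10.10.1.38,2000
00:09:0f:aa:bb:01,10.10.1.38,5060
"""

# Constructed inventory: what the firewall asset list / ARP table says exists.
KNOWN_ASSETS = {"10.10.1.1", "10.10.1.20"}


def phantom_replies(csv_text, known_assets):
    """Return {mac: {ip: sorted ports}} for SYN/ACKs from IPs absent from the inventory."""
    by_mac = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(StringIO(csv_text)):
        if row["ip.src"] in known_assets:
            continue  # a real host answering for itself is not interesting here
        by_mac[row["eth.src"]][row["ip.src"]].add(int(row["tcp.srcport"]))
    return {mac: {ip: sorted(p) for ip, p in ips.items()} for mac, ips in by_mac.items()}


def responder_summary(csv_text, known_assets):
    """Per replying MAC: how many phantom IPs it spoke for and the union of ports.

    One MAC answering for many addresses on the same small port set is the
    signature of an in-path device answering on their behalf, not of real hosts.
    """
    out = {}
    for mac, ips in phantom_replies(csv_text, known_assets).items():
        ports = sorted({p for plist in ips.values() for p in plist})
        out[mac] = {"phantom_ips": len(ips), "ports": ports}
    return out


if __name__ == "__main__":
    for mac, info in responder_summary(SAMPLE_CSV, KNOWN_ASSETS).items():
        print(f"{mac} answered for {info['phantom_ips']} unknown IP(s) on {info['ports']}")
```

Comparing the reported MAC against the firewall's interface MACs confirms (or rules out) the firewall as the responder before digging into its session-helper or SIP/SCCP ALG settings.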
