topic Re: TCP and UDP portscans in Network Security

TCP and UDP portscans

ethutchinson — Thu, 02 Oct 2025 12:24:48 GMT

I have two FTD 1140ns managed by an FMCv. Both are running 7.6.2. I enabled portscannig in detection mode some time ago. I noticed quite a few of my local IP addresses scanning out to Outside (public) addresses. I know this is a nubie type of question but is this normal behavior? I can understand the inside IP addresses scanning because of the OS, programs installed, etc.and I can know I can ignore outgoing scans from these internal subnets. Could this amount of portscans be pointing to an issue?

Any ideas or am I overthinking this.

Re: TCP and UDP portscans

balaji.bandi — Thu, 02 Oct 2025 15:09:33 GMT

Why would an internal IP scan the internet world? This looks suspicious until you have a security team investigating any issues or scanning for requirements.

If not, you need to examine the endpoint; why is it scanning over the internet?

Even if local scanning takes place, they should only use RFC 1918 addresses for scanning, not the Internet range.

Re: TCP and UDP portscans

ethutchinson — Thu, 02 Oct 2025 17:07:39 GMT

Balaji

Thanks for the response. An example of this is one of my hosts did a portscan when accessing google.com. I can see the Intrusion event for this. Maybe my port scan detection is misconfigured?

Your thoughts?

Re: TCP and UDP portscans

balaji.bandi — Thu, 02 Oct 2025 18:06:06 GMT

not sure we need to know more information and how this was configured.