
TCP and UDP portscans

ethutchinson
Level 3

I have two FTD 1140ns managed by an FMCv. Both are running 7.6.2. I enabled portscanning in detection mode some time ago. I noticed quite a few of my local IP addresses scanning out to Outside (public) addresses. I know this is a newbie type of question, but is this normal behavior? I can understand the inside IP addresses scanning because of the OS, programs installed, etc., and I know I can ignore outgoing scans from these internal subnets. Could this amount of portscans be pointing to an issue?

Any ideas, or am I overthinking this?

3 Replies

balaji.bandi
Hall of Fame

Why would an internal IP scan the internet world? This looks suspicious until you have a security team investigating any issues or scanning for requirements.

If not, you need to examine the endpoint; why is it scanning over the internet?

Even if local scanning takes place, they should only use RFC 1918 addresses for scanning, not the Internet range.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

ethutchinson
Level 3

Balaji

Thanks for the response. An example of this is one of my hosts did a portscan when accessing google.com. I can see the Intrusion event for this. Maybe my port scan detection is misconfigured?

Your thoughts?

Not sure; we need to know more information and how this was configured.

BB
