Security teams may report suspicious activity during a Network Flow Analysis (NFA) Harvester or Console upgrade. Specifically, alerts may trigger when the installer invokes a temporary batch script (executeScriptTmp0.bat) that connects to external IP that belongs to Akamai Technologies over port 80

All Supported NFA versions

The connection is part of the installer’s certificate validation process. The target IP hosts a CAcert repository, which the installer uses to verify if certificates remain trustworthy. This action is intended to prevent the use of compromised or fraudulent certificates during the upgrade.

This is expected behavior and does not represent a security gap.

NOTE: If the specific IP that is contacted is required, contact Broadcom Support by providing this KB number reference.