Invalid Traffic Denied

Hi Can carmack 

Could you please confirm the status of PING for the WAN interface?

Please go to System >> Administration >> Appliance Access

What is the IP address of your WAN Interface?

As per the logs ICMP traffic is receiving on Port B from WAN side.

For more details on Invalid Traffic, please refer to the below article. 

https://community.sophos.com/kb/en-us/131754

Note: It is only critical to worry about Invalid traffic entries if there is a problem of disconnection or inaccessibility.

Hi,

Ping is disabled for Wan,Dmz for security.

Admin>appliance access>
Lan
Wan
Dmz
Vpn
Wifi

Is this a right idea?
Got log in Every seconds.

Hi Can carmack 

For security reasons, you may disable ping for WAN and DMZ zone.

As per the logs, traffic from 212.156.63.157 coming from the WAN zone and Cyberoam denied the packets as per the configuration.

You may take access of SSH console of the Cyberoam and login to console access and execute the command to see the request from the IP.

tcpdump 'host 212.156.63.157, if there are many request, you can notify your ISP to block the traffic from this specific IP in your WAN link

Hi Can carmack 

For security reasons, you may disable ping for WAN and DMZ zone.

As per the logs, traffic from 212.156.63.157 coming from the WAN zone and Cyberoam denied the packets as per the configuration.

You may take access of SSH console of the Cyberoam and login to console access and execute the command to see the request from the IP.

tcpdump 'host 212.156.63.157, if there are many request, you can notify your ISP to block the traffic from this specific IP in your WAN link

Hi,

As instructed these are the results;

Hi Can carmack 

Are you familiar with the IP 212.156.63.157?

Is it your WAN IP?

Is the IP .157 or .158 configured as your gateway and added in Failover condition under WAN Link manager?

You can create WAN to LAN firewall rules and create a WAN IP host-based firewall rule to deny the traffic.

Sophos XG is blocking the request. So you have to identify the traffic is legitimate or not and apply the filter as needed.

Hi Keyur 

This is Cyberoam box. Here is the WAN settings page.

for .157 ip here is the setting;

GATEWAY menu;

Two of them is set as ACTIVE
None of them as backup or failover setting applied.

The wan with problematic ip in system;

Hi Can carmack 

The ICMP traffic generated for .157 from .158 is correct and you do not have to worry about anything.

As per the failover rules configured for WAN interface, The IP will keep pinging the gateway IP configured to verify the gateway status (Up and Down), If the configured IP will not be reachable for a configured time, It will declare the gateway as down, you can modify failover rules to some other IP as per your requirement such as 8.8.8.8.

The given article has Failover details, please check - https://community.sophos.com/kb/en-us/130649#GF

Hi,

 2 Wan connected to device. 2 of them is in ACTIVE mode,
There is no failover configuration applied.

Just this one define some settings for failover. maybe its related to the problem

Making 60 to 0 fix it?

Hi Can carmack 

As both the gateway configured as active, Gateway failover timeout value change does not require.

As I have explained the mechanism in the previous post, The status of the gateway Green (Up) Red (Down) to determine it, it will use ping or whatever condition is configured.

I assure you that it is a legitimate behavior and you do not require to take any action upon it.

So two of them pinging each other
or pings are coming from WAN's ISP ?

Its disturbing and creates logs for nothing.

Thanks

Hi Can carmack 

As I have shared the details in the previous post, it will work as expected but you may contact technical support to verify it further.

Thank you Keyur 

Where can we connect Cyberoam support?

Hi Can carmack 

Please visit - https://www.cyberoam.com/contactsupport.html

Please provide them with this community thread so they have certain information about the query.