Advanced Threat Protection C2/Generic-A


I'm getting this alert from the UTM 9 firewall:

Advanced Threat Protection


A threat has been detected in your network. The source IP/host listed below was found to communicate with a potentially malicious site outside your company.


Details about the alert:


Threat name....: C2/Generic-A


Time...........: 2019-04-10 07:49:07

Traffic blocked: yes


Source IP address or host:


Here is the ATP Entry:

2019/04/aptp-2019-04-09.log.gz:2019:04:09-23:39:29 utmho ulogd[1022]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth4" threatname="C2/Generic-A" srcmac="00:10:36:00:59:09" dstmac="00:1a:8c:58:b0:74" srcip="" dstip="" proto="6" length="40" tos="0x00" prec="0x00" ttl="60" srcport="5060" dstport="59643" tcpflags="ACK RST"


I'm not sure what to make of it, as neither IP address is a private address on the network and it was detected on eth4, which is the ISP.

The other information that is making me look at this more seriously is the dstip has been banging against the firewall for about 30 days with no success.


I'm hoping someone can help me unravel what/why is going on.

  • I am seeing the same thing with a source of our ISP block of addresses to destination. Anyone have any information?

  • In reply to Donna Hoffman:

    I'm seeing the same as well. Our external WAN address as the source and as the destination.

  • In reply to PeterWeston:

    Hi Peter and Donna and welcome to the UTM Community!

    According to, reverse resolves to an FQDN on the domain.  You can email to ask to stop scanning your public subnets.

    Cheers - Bob

  • In reply to BAlfson:

    Hey Bob,

    We have the same ATP messages from the same IP. Seems like is doing a massive SCTP scan.

    What I do not get, and hopefully you can help me to understand... why do I get an ATP message from the firewall with my ISP router and my network and broadcast address as source?

    How I understand ATP is that it blocks if a local machine tries to connect to a malicious IP.

    Here it seems like the questionable IP is doing an SCTP scan... from the outside... Why does the firewall react like it does?

    Maybe it is obvious, but right now I am a bit lost.


  • In reply to stu:

    Hello Stu - your first post here - welcome to the UTM Community! is not a threat. They scan the internet to provide statistics about how many ports are open - that's all I know about them.

    The firewall responds to the scan, but ATP blocks its response because, for a reason I ignore, this IP is on the list of malicious actors. See Rule #2.1 in Rulz.

    Cheers - Bob

  • In reply to BAlfson:


    I've got the same alerts on a customer's UTM.

    I've sent an email to and will let you know if they exclude the IP range.
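Added here as a small triage helper (not code from the thread or from Sophos): it parses the key="value" format of the ATP log line quoted in the original post and applies Bob's explanation to it, i.e. a TCP packet with ACK+RST set, a well-known source port and a high destination port is the firewall's reset reply to an outside probe, not a local host calling home. The IP addresses in the sample are RFC 5737 documentation addresses, the function names are my own, and treating eth4 as the external interface comes from the original post.

```python
import re
from typing import Dict

# Constructed sample modelled on the ATP entry in the original post; the two
# IP addresses are documentation placeholders, not the ones from the thread.
SAMPLE_LINE = (
    '2019:04:09-23:39:29 utmho ulogd[1022]: id="2022" severity="info" '
    'sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" '
    'action="drop" fwrule="63001" initf="eth4" threatname="C2/Generic-A" '
    'srcmac="00:10:36:00:59:09" dstmac="00:1a:8c:58:b0:74" '
    'srcip="203.0.113.10" dstip="198.51.100.25" proto="6" length="40" '
    'tos="0x00" prec="0x00" ttl="60" srcport="5060" dstport="59643" '
    'tcpflags="ACK RST"'
)

# One key="value" pair; values may contain spaces or be empty (srcip="" in the post).
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ulogd(line: str) -> Dict[str, str]:
    """Return the key="value" fields of a UTM ulogd line as a dict."""
    return dict(KV_RE.findall(line))


def classify_atp_drop(fields: Dict[str, str], wan_ifaces=("eth4",)) -> str:
    """Say what an ATP drop most likely is, using only the logged fields.

    ACK+RST from a low (service) port to an ephemeral port on the WAN side is a
    reset answering an unsolicited SYN from outside; a bare SYN leaving towards
    the flagged address is the case ATP is really meant to catch.
    """
    if fields.get("proto") != "6":
        return "non-TCP drop, inspect manually"
    flags = set(fields.get("tcpflags", "").split())
    sport = int(fields.get("srcport") or 0)
    dport = int(fields.get("dstport") or 0)
    on_wan = fields.get("initf") in wan_ifaces
    if on_wan and {"ACK", "RST"} <= flags and sport < 32768 <= dport:
        return f"reset reply to external probe of tcp/{sport}"
    if "SYN" in flags and "ACK" not in flags:
        return f"outbound connection attempt to tcp/{dport}, treat as possible C2"
    return "other, inspect manually"


if __name__ == "__main__":
    parsed = parse_ulogd(SAMPLE_LINE)
    print(parsed["threatname"], "->", classify_atp_drop(parsed))
```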