
Outbound traffic from UTM WAN 443 to Shodan IP?

Hello,

The situation: at a customer site I am seeing messages about dropped packets to destination IP 71.6.199.23 (einstein.census.shodan.io).

The source 192.168.2.100 is the WAN IP in the "transit network" to the T-Com router.

Question: why is the Sophos itself initiating sessions towards Shodan? They are dropped (default drop, since there is no rule), but still: how are they initiated?

Thanks in advance... :-)

Manuel

  • FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    Thank you for providing the screenshot of the packet capture. It appears that the firewall is dropping RST packets.

    "When a FIN or RST is seen, the connection tracking system will close down the session. As a result, any packet that comes across the connection tracking system from the connection that was recently terminated will be Default Dropped. This explains why the responses sent to these packets are dropped. The packets can be dropped as the intended recipient won't need them and they are not transmitting any data."

    Check out the following KBA for more info: Sophos UTM: Firewall log shows dropped packets with tcpflags='ACK RST' or 'ACK FIN'
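A small triage script, added here as an example (it is not from the thread, the KBA, or Sophos), that applies the reasoning in the reply above to firewall drop lines: a drop whose source is the firewall's own WAN address and whose flags carry RST or FIN but no SYN is residue of a session conntrack already closed, whereas a bare SYN from that address would be a genuine outbound initiation worth investigating. The ulogd `key="value"` line layout and field names are assumed, the sample lines are constructed, and 192.168.2.100 is the WAN address from the question.

```python
import re
from collections import Counter

# Constructed sample lines in the assumed Sophos UTM ulogd key="value" layout (not taken
# from the thread). Two are post-close residue towards the Shodan address from the
# question; the third is a synthetic SYN towards a documentation-range IP for contrast.
SAMPLE_LOG = """\
2024:01:01-10:00:01 utm ulogd[1234]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.168.2.100" dstip="71.6.199.23" proto="6" srcport="443" dstport="51234" tcpflags="ACK RST"
2024:01:01-10:00:02 utm ulogd[1234]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.168.2.100" dstip="71.6.199.23" proto="6" srcport="443" dstport="51235" tcpflags="ACK FIN"
2024:01:01-10:00:03 utm ulogd[1234]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.168.2.100" dstip="203.0.113.7" proto="6" srcport="40000" dstport="443" tcpflags="SYN"
"""

KV = re.compile(r'(\w+)="([^"]*)"')   # matches every key="value" pair on a line
LOCAL_WAN_IP = "192.168.2.100"        # WAN address of the UTM, from the question


def parse_line(line):
    """Turn one ulogd line into a dict of its key="value" fields."""
    return dict(KV.findall(line))


def classify(rec, local_ips=(LOCAL_WAN_IP,)):
    """'post-close': firewall-sourced RST/FIN without SYN, i.e. a reply to a session
    conntrack has already torn down (harmless, as the KBA explains).
    'outbound-initiation': a bare SYN from the firewall itself, a real new session.
    'other': anything else (non-TCP, not a drop, foreign source)."""
    if rec.get("action") != "drop" or rec.get("proto") != "6":
        return "other"
    if rec.get("srcip") not in local_ips:
        return "other"
    flags = set(rec.get("tcpflags", "").split())
    if ("RST" in flags or "FIN" in flags) and "SYN" not in flags:
        return "post-close"
    if flags == {"SYN"}:
        return "outbound-initiation"
    return "other"


def triage(log_text, local_ips=(LOCAL_WAN_IP,)):
    """Count drop lines per (classification, destination IP)."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            counts[(classify(rec, local_ips), rec.get("dstip"))] += 1
    return counts


if __name__ == "__main__":
    for (kind, dst), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{kind:20} {dst:15} {n}")
```

Only the `outbound-initiation` bucket needs a closer look; the `post-close` bucket is the behaviour the KBA describes and can be suppressed in log review rather than in the rule set.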

  • Thanks for replying, it helped me too. I searched for my problem here and found the solution. Sometimes it's better to look for the problem in the group rather than posting questions over and over again in the group.
