
Comprehension question about "Rule #2"

Hello everyone,

I am currently observing a (small) SYN flood attack and trying to understand how the SG firewall handles it, i.e. how the data packets pass through the firewall and why the various security mechanisms kick in (or have to).
This is described in general here in the forum under "Recommended Reads > Rule #2", but I have the following questions about it:

- "In general, a packet arriving at an interface is handled only by one of the below"
That would mean that a packet which is accepted by country blocking (because the country is not blocked) no longer passes through the subsequent stages such as IPS and FW? That surely can't be right.

- In the IPS log I see IP addresses from blocked countries for the ongoing SYN flood attack.
Why does IPS have to kick in at all if the data packets should already be discarded by country blocking?

Thanks in advance for a brief clarification!



  • Hello,

    With regards to your findings on the Country which is supposed to be blocked on UTM Country blocking, could you verify the IP and country on this lookup resource?: https://www.maxmind.com/en/geoip-demo

    UTM's GeoIP uses Maxmind, kindly see if it matches the same on the results. 

    Many thanks for your time and patience and thank you for choosing Sophos

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Hi Raphael,

    perhaps I have written it wrongly so that the question is misunderstood.

    I have enabled country blocking (+logging in the firewall).
    I recognized a lot of blocked connections - OK so far, the country of the IP was set to "block".

    But I was wondering why the same IP - already blocked by country blocking - was listed in the IPS log because of "SYNC-Flood".

    For my understanding, country blocking should be enough to block any unwanted connections in this case. Why is IPS also getting the packets?
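To check the observation above against your own logs in a systematic way, here is an added example (not code from the thread and not Sophos code). It correlates country-block drops from the firewall log with SYN-flood alerts from the IPS log per source IP, and separately lists IPS-flagged sources that your own GeoIP view says belong to a blocked country but for which no country-block drop was logged, which is exactly the case Raphael's MaxMind lookup is meant to resolve. The log line format, the `LOCAL_GEOIP` table and the `BLOCKED_COUNTRIES` set are constructed for the example; real UTM log lines look different and must be mapped to the same key=value fields first.

```python
"""Correlate country-blocking drops with IPS SYN-flood alerts per source IP.

Added example, not Sophos code. The log lines, the GeoIP table and the
blocked-country set below are constructed for illustration; real UTM log
formats differ and need to be parsed into the same key=value fields.
"""
import re
from collections import defaultdict

# Constructed firewall log lines (simplified key=value format, not the real UTM format).
FIREWALL_LOG = """\
2023-05-01T10:00:01 fw: action=drop reason=country-block src=203.0.113.7 country=XX proto=tcp flags=S dst_port=443
2023-05-01T10:00:01 fw: action=drop reason=country-block src=203.0.113.7 country=XX proto=tcp flags=S dst_port=443
2023-05-01T10:00:02 fw: action=accept src=198.51.100.4 country=DE proto=tcp flags=S dst_port=443
"""

# Constructed IPS log lines (same simplified format).
IPS_LOG = """\
2023-05-01T10:00:01 ips: alert=SYN-Flood src=203.0.113.7 count=250 window=10s
2023-05-01T10:00:03 ips: alert=SYN-Flood src=192.0.2.9 count=300 window=10s
"""

# Hypothetical view of which countries are configured as blocked and which
# country the administrator believes each source IP belongs to.
BLOCKED_COUNTRIES = {"XX"}
LOCAL_GEOIP = {"203.0.113.7": "XX", "198.51.100.4": "DE", "192.0.2.9": "XX"}

KV = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Return the key=value fields of one constructed log line as a dict."""
    return dict(KV.findall(line))


def correlate(fw_log, ips_log):
    """Count country-block drops and IPS SYN-flood alerts per source IP.

    Accepted connections are deliberately not counted: the question is only
    about sources that one mechanism dropped and another one still reported.
    """
    stats = defaultdict(lambda: {"country_drops": 0, "ips_alerts": 0, "logged_country": None})
    for line in fw_log.splitlines():
        f = parse_kv(line)
        if f.get("action") == "drop" and f.get("reason") == "country-block":
            entry = stats[f["src"]]
            entry["country_drops"] += 1
            entry["logged_country"] = f.get("country")
    for line in ips_log.splitlines():
        f = parse_kv(line)
        if f.get("alert") == "SYN-Flood":
            stats[f["src"]]["ips_alerts"] += 1
    return dict(stats)


def classify(stats, geoip, blocked):
    """Split sources into the two cases worth inspecting.

    'both'        : dropped by country blocking AND reported by IPS (the
                    observation in the thread; shows that both mechanisms
                    logged the same source).
    'geoip_check' : reported by IPS, believed to be in a blocked country, but
                    never dropped by country blocking; compare the address
                    against the GeoIP database the firewall actually uses.
    """
    both, geoip_check = [], []
    for src, entry in sorted(stats.items()):
        if entry["country_drops"] and entry["ips_alerts"]:
            both.append(src)
        elif entry["ips_alerts"] and geoip.get(src) in blocked:
            geoip_check.append(src)
    return {"both": both, "geoip_check": geoip_check}


if __name__ == "__main__":
    stats = correlate(FIREWALL_LOG, IPS_LOG)
    for src, entry in sorted(stats.items()):
        print(src, entry)
    print(classify(stats, LOCAL_GEOIP, BLOCKED_COUNTRIES))
```

Sources listed under `both` reproduce the thread's observation and are the ones to read the processing-order description against; sources listed under `geoip_check` are candidates for a GeoIP mismatch between your own assumption and the database the firewall consults, which is what the MaxMind lookup suggested in the reply above would confirm or rule out.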
