Sophos XG reports that I've got attacks coming from my NAS

Hi,

what was it attacking? The attacks could be being seen because there is a missing rule or port the NAS thinks it should be able to access and sent a large number of packets in a short time which triggered the IPS detection.

Ian

Yeah, my NAS may be accessing something to download from the internet.  It's a download station.  

I only have a default firewall policy as of the moment.  Lan - Any - All the time .    Wan - Any -  Any

Do I need a LAN - LAN policy?

Hi Jang430,

you shouldn't need a LAN to LAN rule because the traffic is coming in from external.

Use logviewer and the IP filter to see what is causing the reports. You might need to check the web page in logviewer as well.

Ian

Filtering out the IP address says Firewall Rule 0, Destination IP is 23.239.11.213, seems to be a public IP?  Says Denied.

Hi jang430,

Rule 0 is the default drop if there is something wrong with the packet/connection. Maybe the site is dropping out causing the XG to see the incoming connection as not related to any current session.

Ian

Hi jang430,

Rule 0 is the default drop if there is something wrong with the packet/connection. Maybe the site is dropping out causing the XG to see the incoming connection as not related to any current session.

Ian

OK.  Not sure what to do, or is there anything to do.

Hi jang430,

do an IP search to see what that IP address is used by/for and that will give you an idea if the 'attack' is real or just a slow responding server.

Ian

Thanks Ian, already did some.  Most of them valid.  Will research further.

Hi jang430.

you might like to search the KBAs for information on how to handle the error packets eg reset tcp or unable to associate a session with a connection.

Ian

ok.  I will look into it.