
Blackhole NAT + DROP firewall - Accept anyway?

Hi Community!

I've set up a blackhole DNAT (https://support.sophos.com/support/s/article/KB-000038943?language=en_US) and added a firewall rule:

I can see a lot of IPs going to the dummy address and being blocked (on TCP 443 it's rejected with a 403 actually... but nvm), but I can also see IPs that are getting allowed like this:

Firewall messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="13"
fw_rule_id="14" --> Block rule
nat_rule_id="2" --> Blackhole DNAT
policy_type="1" user="" user_group="" web_policy_id="2" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id=""
ether_type="Unknown (0x0000)" --> Er, what?
bridge_name="" bridge_display_name="" in_interface="PortB" in_display_interface="PortB" out_interface="" out_display_interface="" src_mac="XX:XX:XX:XX:XX:XX" dst_mac="YY:YY:YY:YY:YY:YY"
src_ip="X.X.X.X" --> Definitely on the "Blocked IP list"
src_country="XX" dst_ip="Y.Y.Y.Y" dst_country="YY" protocol="TCP" src_port="21878"
dst_port="443" --> Service is in the Blackhole DNAT services
packets_sent="47" packets_received="57" bytes_sent="2672" bytes_received="73780" src_trans_ip="" src_trans_port="0" dst_trans_ip=""
dst_trans_port="3128" --> Web proxy port??? What is this doing here?
src_zone_type="WAN" src_zone="WAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="2504901568" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

Any ideas? (SFVH (SFOS 18.0.3 MR-3))
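To make this pattern easy to spot across a whole log export, here is an added example (not from the post or from Sophos) that parses SFOS key="value" log lines and reports every "Allowed" connection that matched the blackhole DNAT, together with the translated destination port. The rule ids 14 and 2 are the ones from the post and are assumptions for any other box; the sample lines are constructed, with the second (Denied) line included only to show it is not flagged.

```python
import re

# SFOS firewall log fields are key="value" pairs; values never contain a double quote.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_sfos_line(line: str) -> dict:
    """Parse one Sophos Firewall (SFOS) log line into a dict of its key="value" fields."""
    return dict(KV_RE.findall(line))


def find_blackhole_leaks(lines, blackhole_nat_id="2", block_rule_id="14", blocked_ips=None):
    """Return the Allowed connections that matched the blackhole DNAT rule.

    A DNAT to a dummy address should never produce an Allowed event, so each hit
    is reported with its translated port (3128 in the post) and whether the
    firewall rule that let it through is the block rule. The default ids are the
    post's (assumed for other systems); blocked_ips, if given, narrows to those sources.
    """
    findings = []
    for line in lines:
        f = parse_sfos_line(line)
        if f.get("log_subtype") != "Allowed" or f.get("nat_rule_id") != blackhole_nat_id:
            continue
        if blocked_ips is not None and f.get("src_ip") not in blocked_ips:
            continue
        findings.append({
            "src_ip": f.get("src_ip"),
            "dst_port": f.get("dst_port"),
            "dst_trans_port": f.get("dst_trans_port"),
            "fw_rule_id": f.get("fw_rule_id"),
            "hit_block_rule": f.get("fw_rule_id") == block_rule_id,
            "in_interface": f.get("in_interface"),
            "con_id": f.get("con_id"),
        })
    return findings


# Constructed sample: the post's line (condensed) plus a Denied line that must not be flagged.
SAMPLE_LINES = [
    'messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" '
    'status="Allow" fw_rule_id="14" nat_rule_id="2" ether_type="Unknown (0x0000)" in_interface="PortB" '
    'src_ip="X.X.X.X" dst_ip="Y.Y.Y.Y" protocol="TCP" src_port="21878" dst_port="443" '
    'dst_trans_ip="" dst_trans_port="3128" src_zone="WAN" dst_zone="WAN" con_id="2504901568"',
    'messageid="00002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" '
    'status="Deny" fw_rule_id="14" nat_rule_id="2" in_interface="PortB" src_ip="Z.Z.Z.Z" '
    'dst_ip="Y.Y.Y.Y" protocol="TCP" src_port="40000" dst_port="443" dst_trans_port="0" con_id="1"',
]

if __name__ == "__main__":
    for hit in find_blackhole_leaks(SAMPLE_LINES):
        print(hit)
```

Feed it the raw firewall log lines (one per entry) and any hit whose dst_trans_port is a local service port rather than the dummy address is worth a closer look.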


