I recently came across an internal port scanner that was scanning ports on our Sophos XG firewall. Somehow this scanner got on a server. I was able to find this when I got an alert that there was a failed SSH authentication. There was not an actual authentication attempt, as the username was "-" and there was no password. I looked at the logs and noticed that a bunch of common ports were being scanned on our XG. Does anyone know if there is a setting in Sophos XG to detect and alert when there is port scanning coming from a private IP?