
Appliance access

Hello,

What exactly does "Appliance Access" mean?

I see that again and again in the log of the Sophos XG.

This is about the NTP port or the ports 137, 68, 67.

How do I best deal with these ports?

I found a workaround for the NTP port, but the message "Appliance Access" is displayed again.

Does anyone have an idea for that?

greeting

  • FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    Moving this thread to Sophos(XG) firewall.

    Port 137 is for the NetBIOS traffic. Can you please share the snapshot of the events with ports 67 & 68?

  • These are usually broadcasts arriving on the XG (as on any other device in the network), and as the XG is not listening on the Windows file-sharing port 137 and others, it is detecting it as "appliance access". I find this description in the logs also a bit confusing, but I can understand it from a technical perspective.

    Something like "broadcast blocked" may have been clearer.

  • Hi,

    I have logged this issue in previous threads and still see it. Sometimes the device that is requesting the DHCP address is identified; other times there is no device in the log viewer entry. Further, the device that is being rejected has a static IP address, but does a release and renew every 10 minutes after it has posted the latest data to the server.

    Port 137 means you have MS protocols active on your network which are broadcasting and the XG rejects them.

    ian

  • Hello,

    which snapshot do you mean exactly?

    From the log view?

    A screenshot of the protocol?


    Currently I can also see that some clients repeatedly run the NetBIOS port 137.

  • What does it mean exactly? Do I have to release port 137 now? I haven't quite understood that yet.

    greeting

  • Hello,
    a broadcast is a packet sent to everyone within the network segment.
    So to the firewall too. The firewall handles this packet like a packet sent to the firewall IP. Therefore, you see "Appliance Access". This broadcast IP may be 192.168.11.255.
    Because there is no service at the firewall which "waits" for this packet, the firewall will drop it.
    Port 137 is used by Windows devices. There is nothing you have to open at the firewall.

  • Everything is probably working properly. If you are seeing appliance access denied, this is usually random machines on the net probing your network (your public IP address, the IP address of your firewall) by sending packets to a port to see if a service is running. The firewall appropriately drops them. The particular ports are usually tied to a service where there are (or were at one point) vulnerabilities on some machines/OSes.

    The other time I see this is machines on my guest network sending broadcast messages to address x.x.x.255. Again, the firewall drops the packet appropriately.

    No action needed on your part, if that’s what’s happening.
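The replies above boil down to a triage rule: a denied "Appliance Access" entry whose destination is the subnet broadcast (or 255.255.255.255) on the NetBIOS or DHCP ports is expected noise, while unsolicited unicast from outside is what deserves a look. This added example (not code from Sophos or from anyone in the thread) applies that rule to constructed, simplified key=value log lines; the field names, the /24 LAN and the sample addresses are assumptions.

```python
import ipaddress
import re

# Constructed, simplified key=value lines modelled loosely on the denied
# "Appliance Access" entries discussed in the thread (not real captured logs).
SAMPLE_LOGS = [
    'log_component="Appliance Access" status="Deny" src_ip=192.168.11.23 dst_ip=192.168.11.255 protocol="UDP" dst_port=137',
    'log_component="Appliance Access" status="Deny" src_ip=0.0.0.0 dst_ip=255.255.255.255 protocol="UDP" dst_port=67',
    'log_component="Appliance Access" status="Deny" src_ip=203.0.113.77 dst_ip=198.51.100.5 protocol="TCP" dst_port=445',
    'log_component="Appliance Access" status="Deny" src_ip=192.168.11.40 dst_ip=192.168.11.1 protocol="UDP" dst_port=123',
]

# Ports normally seen as link-local broadcasts: NetBIOS name/datagram
# service (137/138) and DHCP server/client (67/68), as named in the thread.
BROADCAST_NOISE_PORTS = {137, 138, 67, 68}

# Assumption: the LAN behind the appliance is this /24; adjust to your interface.
LAN = ipaddress.ip_network("192.168.11.0/24")

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line: str) -> dict:
    """Turn a key=value log line into a dict with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def is_broadcast(dst: str, lan: ipaddress.IPv4Network) -> bool:
    """True for the subnet's directed broadcast or the limited broadcast address."""
    ip = ipaddress.ip_address(dst)
    return ip == lan.broadcast_address or ip == ipaddress.ip_address("255.255.255.255")

def classify(line: str, lan: ipaddress.IPv4Network = LAN) -> str:
    """Label a denied entry: 'broadcast-noise', 'lan-unicast' or 'external-probe'."""
    f = parse(line)
    if is_broadcast(f["dst_ip"], lan) and int(f["dst_port"]) in BROADCAST_NOISE_PORTS:
        return "broadcast-noise"   # the case the thread is about: safe to ignore
    if ipaddress.ip_address(f["src_ip"]) in lan:
        return "lan-unicast"       # a LAN host addressing the appliance IP itself (e.g. NTP)
    return "external-probe"        # unsolicited unicast from outside: worth a look

def triage(lines) -> dict:
    """Count denied entries per class so the noisy ones can be filtered out of review."""
    counts = {}
    for line in lines:
        c = classify(line)
        counts[c] = counts.get(c, 0) + 1
    return counts

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(classify(line), "<-", line)
    print(triage(SAMPLE_LOGS))
```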