Hello,
I'd like to ask if it is possible to create a rule that logs all IP addresses that try port scanning and connections to closed ports on the WAN port of Sophos XG?
This thread was automatically locked due to age.
You can do this in Central Firewall Reporting with XDR: https://community.sophos.com/intercept-x-endpoint/i/data-lake/port-scan-detection-using-sophos-firewall-data-in-the-data-lake
__________________________________________________________________________________________________________________
Is this the only possible way? The firewall is not connected to Sophos Central and the policy of the company that uses the firewall does not allow it.
So you are concerned about Port Scanning but are not using any cloud services? Because if you would be concerned about cloud security, you should close every port on your firewall as well, as this could potentially leak data as well.
__________________________________________________________________________________________________________________
I run on an XGS87, which is too small to support reporting, so I do this in Sophos Central, but perhaps you can translate it to your situation. I have a Report:
Component = Appliance Access
Source IP != 0.0.0.0
In the table part of the report, I select Destination Port and Protocol, so I can see what ports are being scanned. The bar chart at the top of the page shows which IP addresses, but you could change the table columns to look at those instead. I exclude IP address 0.0.0.0 because it clutters things (not sure where it's coming from, I assume my ISP). I also exclude several other IP addresses (again, I think my ISP or well-known "white hat" scanners) to declutter the results.
The bottom line is that Appliance Access is going to show you disallowed traffic to the firewall itself, which means not otherwise forwarded.
If you literally mean a Firewall rule, not a Log report, you could perhaps create a set of blackhole DNATs on common WAN ports that you don't (otherwise) open but that will be scanned (22, 23, 80, 443, 8080) and then put those rules at the top and log them. This is probably a bit too clever.
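As an added example (not from the original posts or from Sophos), here is a Python script that applies the same report filter offline to exported Sophos XG firewall log lines in key=value syslog style: keep denied "Appliance Access" events arriving on the WAN interface, drop 0.0.0.0 and any other excluded sources, and report each source IP that probed several distinct protocol/port pairs. The sample lines, the interface name Port2 as WAN and the port threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Sophos XG key=value syslog style (not real captures;
# field names follow the firewall log schema, values are made up, Port2 is assumed WAN).
SAMPLE_LOGS = """\
log_type="Firewall" log_component="Appliance Access" status="Deny" src_ip=203.0.113.5 dst_ip=198.51.100.1 protocol="TCP" src_port=40001 dst_port=22 in_interface="Port2"
log_type="Firewall" log_component="Appliance Access" status="Deny" src_ip=203.0.113.5 dst_ip=198.51.100.1 protocol="TCP" src_port=40002 dst_port=23 in_interface="Port2"
log_type="Firewall" log_component="Appliance Access" status="Deny" src_ip=203.0.113.5 dst_ip=198.51.100.1 protocol="TCP" src_port=40003 dst_port=80 in_interface="Port2"
log_type="Firewall" log_component="Appliance Access" status="Deny" src_ip=203.0.113.5 dst_ip=198.51.100.1 protocol="TCP" src_port=40004 dst_port=443 in_interface="Port2"
log_type="Firewall" log_component="Appliance Access" status="Deny" src_ip=198.51.100.77 dst_ip=198.51.100.1 protocol="TCP" src_port=51000 dst_port=443 in_interface="Port2"
log_type="Firewall" log_component="Appliance Access" status="Deny" src_ip=0.0.0.0 dst_ip=198.51.100.1 protocol="UDP" src_port=68 dst_port=67 in_interface="Port2"
log_type="Firewall" log_component="Appliance Access" status="Deny" src_ip=0.0.0.0 dst_ip=198.51.100.1 protocol="TCP" src_port=1 dst_port=22 in_interface="Port2"
log_type="Firewall" log_component="Appliance Access" status="Deny" src_ip=192.168.1.10 dst_ip=192.168.1.1 protocol="TCP" src_port=33000 dst_port=22 in_interface="Port1"
log_type="Firewall" log_component="Appliance Access" status="Deny" src_ip=192.168.1.10 dst_ip=192.168.1.1 protocol="TCP" src_port=33001 dst_port=23 in_interface="Port1"
log_type="Firewall" log_component="Firewall Rule" status="Allow" src_ip=203.0.113.5 dst_ip=198.51.100.1 protocol="TCP" src_port=40005 dst_port=8443 in_interface="Port2"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # quoted or bare values

def parse_line(line):
    """Turn one key=value log line into a dict of string fields."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

def denied_appliance_access(lines, wan_interface, exclude):
    """Yield denied traffic aimed at the firewall itself on the WAN interface,
    mirroring the report filter: Component = Appliance Access, Source IP not excluded."""
    for line in lines:
        ev = parse_line(line)
        if ev.get("log_component") != "Appliance Access" or ev.get("status") != "Deny":
            continue
        if ev.get("in_interface") != wan_interface or ev.get("src_ip") in exclude:
            continue
        yield ev

def port_scan_report(lines, wan_interface="Port2", min_ports=3, exclude=("0.0.0.0",)):
    """Group denied WAN hits per source IP; a source touching at least min_ports
    distinct protocol/port pairs is reported together with the pairs it probed."""
    probes = defaultdict(set)
    for ev in denied_appliance_access(lines, wan_interface, exclude):
        probes[ev["src_ip"]].add((ev.get("protocol"), int(ev["dst_port"])))
    return {src: sorted(pairs) for src, pairs in probes.items() if len(pairs) >= min_ports}

if __name__ == "__main__":
    for src, pairs in port_scan_report(SAMPLE_LOGS.splitlines()).items():
        print(src, pairs)
```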