Rule for logging all tries of port scanning on WAN port of Sophos XG

Question

Hello, 
 I'd like to ask is it possible to create Rule that logs all IP addresses that tries port scanning and connections on closed ports on WAN port of Sophos XG?

LuCar Toni · Answer

You can do this in Central Firewall Reporting with XDR: https://community.sophos.com/intercept-x-endpoint/i/data-lake/port-scan-detection-using-sophos-firewall-data-in-the-data-lake

Wayne Folta · Answer

I run on an XGS87, which it too small to support reporting, so I do this in Sophos Central but if you can translate to your situation. I have a Report: 
 
 Component = Appliance Access Source IP != 0.0.0.0 
 
 In the table part of the report, I select Destination Port and Protocol, so I can see what ports are being scanned. The bar chart at the top of the page shows which IP addresses, but you could change the table columns to look at. I exclude IP address 0.0.0.0 because it clutters things (not sure where it's coming from, I assume my ISP). Also exclude several other IP addresses (again, I think my ISP or well-known, "white hat" scanners) as well to declutter the results. 
 The bottom line is that Appliance Access is going to show you disallowed traffic to the firewall itself, which means not otherwise forwarded. 
 If you literally mean a Firewall rule, not a Log report, you could perhaps create a set of blackhole DNATs on common WAN ports that you don't (otherwise) open but that will be scanned (22, 23, 80, 443, 8080) and then put those rules at the top and log them. This is probably a bit too clever.

Rule for logging all tries of port scanning on WAN port of Sophos XG

Top Replies