Rule for logging all tries of port scanning on WAN port of Sophos XG

Hello,

I'd like to ask: is it possible to create a rule that logs all IP addresses that try port scanning and connections on closed ports on the WAN port of a Sophos XG?



  • I run on an XGS87, which is too small to support reporting, so I do this in Sophos Central, but perhaps you can translate it to your situation. I have a Report:

    Component = Appliance Access
    Source IP != 0.0.0.0

    In the table part of the report, I select Destination Port and Protocol, so I can see what ports are being scanned. The bar chart at the top of the page shows which IP addresses, but you could change the table columns to look at. I exclude IP address 0.0.0.0 because it clutters things (not sure where it's coming from, I assume my ISP). Also exclude several other IP addresses (again, I think my ISP or well-known, "white hat" scanners) as well to declutter the results.

    The bottom line is that Appliance Access is going to show you disallowed traffic to the firewall itself, which means not otherwise forwarded.

    If you literally mean a Firewall rule, not a Log report, you could perhaps create a set of blackhole DNATs on common WAN ports that you don't (otherwise) open but that will be scanned (22, 23, 80, 443, 8080) and then put those rules at the top and log them. This is probably a bit too clever.

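The report described in the reply above (Component = Appliance Access, Source IP != 0.0.0.0, grouped by destination port and protocol, with a few noisy source addresses excluded) can be reproduced offline against an exported firewall log. The following Python script is an added example, not the poster's report or any Sophos tooling; it assumes the key="value" syslog layout that Sophos XG emits, with a `log_component` field of "Appliance Access" for traffic aimed at the firewall itself, and it works on constructed sample lines (all addresses are documentation ranges; the "ISP" address in the exclusion list is a placeholder). It also goes one step beyond the report by flagging a source that probes several distinct ports, which is the pattern the original question is really after.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log in the key="value" style of Sophos XG syslog output.
# Field names (log_component, src_ip, dst_port, protocol, ...) are an assumption;
# compare with your own log export before relying on them.
SAMPLE_LOG = """\
device="SFW" date=2024-03-01 time=10:00:01 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" src_ip="203.0.113.10" dst_ip="198.51.100.1" protocol="TCP" src_port=44123 dst_port=22
device="SFW" date=2024-03-01 time=10:00:02 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" src_ip="203.0.113.10" dst_ip="198.51.100.1" protocol="TCP" src_port=44124 dst_port=23
device="SFW" date=2024-03-01 time=10:00:03 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" src_ip="203.0.113.10" dst_ip="198.51.100.1" protocol="TCP" src_port=44125 dst_port=80
device="SFW" date=2024-03-01 time=10:00:04 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" src_ip="203.0.113.10" dst_ip="198.51.100.1" protocol="TCP" src_port=44126 dst_port=443
device="SFW" date=2024-03-01 time=10:00:05 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" src_ip="0.0.0.0" dst_ip="198.51.100.1" protocol="UDP" src_port=68 dst_port=67
device="SFW" date=2024-03-01 time=10:00:06 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" src_ip="192.0.2.7" dst_ip="198.51.100.1" protocol="TCP" src_port=51000 dst_port=8080
device="SFW" date=2024-03-01 time=10:00:07 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" src_ip="192.0.2.7" dst_ip="198.51.100.1" protocol="TCP" src_port=51001 dst_port=443
device="SFW" date=2024-03-01 time=10:00:08 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" src_ip="198.51.100.200" dst_ip="198.51.100.1" protocol="TCP" src_port=40000 dst_port=22
"""

# Placeholder for the poster's "ISP / well-known scanner" exclusions (constructed values).
EXCLUDED_SOURCES = ("0.0.0.0", "198.51.100.200")

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split one key=value syslog line into a dict, dropping surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def appliance_access_events(log_text: str, exclude_sources=("0.0.0.0",)) -> list:
    """The report filter: Component = Appliance Access and Source IP not in the exclusion list.

    Exclusions may be single addresses or CIDR blocks; unparsable source fields are skipped.
    """
    excluded = [ip_network(entry, strict=False) for entry in exclude_sources]
    events = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        if event.get("log_component") != "Appliance Access":
            continue  # forwarded / rule-matched traffic is not "to the firewall itself"
        try:
            source = ip_address(event.get("src_ip", ""))
        except ValueError:
            continue
        if any(source in net for net in excluded):
            continue
        events.append(event)
    return events


def summarize(events: list):
    """Counts per source IP (the bar chart) and per (dst_port, protocol) (the table)."""
    by_source = Counter(event["src_ip"] for event in events)
    by_port = Counter((int(event["dst_port"]), event["protocol"]) for event in events)
    return by_source, by_port


def flag_scanners(events: list, min_ports: int = 3) -> dict:
    """Sources that probed at least min_ports distinct closed ports, with the sorted port list."""
    ports_by_source = defaultdict(set)
    for event in events:
        ports_by_source[event["src_ip"]].add(int(event["dst_port"]))
    return {src: sorted(ports) for src, ports in ports_by_source.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    hits = appliance_access_events(SAMPLE_LOG, EXCLUDED_SOURCES)
    by_source, by_port = summarize(hits)
    print("Denied appliance-access attempts per source:")
    for src, count in by_source.most_common():
        print(f"  {src:<16} {count}")
    print("Ports probed (dst_port/protocol):")
    for (port, proto), count in sorted(by_port.items()):
        print(f"  {port}/{proto:<4} {count}")
    print("Likely scanners:", flag_scanners(hits))
```

Feed the script a real syslog export instead of `SAMPLE_LOG` and raise `min_ports` to taste; the exclusion list is the place for the ISP and known-scanner addresses the reply mentions, and accepting CIDR entries there keeps that list short when a provider uses a whole block.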
