Appliance Access denied? What does it really mean?

Hi all, I want to ask about the log Comp = Appliance Access denied in the log viewer. We are currently seeing a lot of Appliance Access in the log viewer. I read some article that said it is just a dropped broadcast packet from internal (LAN) and external (WAN), but if that were the case, why would it be called "Appliance Access"?

I just want to know if it is actually something I need to worry about, or is it normal?

NB:
We have Sophos XGS 3300 & XGS 4300 and both are showing the same log.

  • Do you have external access enabled for your devices? If so, please disable it.

    ian

    fixed spellchecker error.

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • A thermal access? I don't think we have it on our devices.

    Is it a Sophos feature?

  • Spellchecker reigns supreme. Is external access enabled?
    ian


  • Nope, all external access is disabled.

  • Hi Brian,

    Please check logviewer -> system to see what is reported. Sometimes it is someone trying to break into the XG without knowing about using the correct port.

    ian


  • Appliance Access in general is traffic going to the interface for which the appliance has no rule.

    So it could be broadcast (traffic to the entire network) which hits the appliance as well and gets dropped. It could be WAN traffic going to your appliance. 


  • What lucar describes may be what you see. You could post a screenshot of those Appliance Access logs in question.

    Imagine Windows clients in a subnet, looking for SMB shares automatically. They discover that by port 137 and 445 broadcasts. Those hit your firewall, and the firewall has no port or service open for that traffic, so it is denied and logged with that message.

    Also, attackers port scanning your XG WAN from external cause those logs.

  • Yes, this is a generic message from the firewall (appliance) meaning "A packet arrived and was apparently meant for me -- there were no rules or routes that would send it elsewhere -- and I do not have any valid service expecting such a packet."

    So it includes things like "port scans" from the WAN (trying to connect to ports on the WAN port and public IP of the appliance that are not forwarded via some mechanism), broadcast traffic (at least on a guest network with client isolation), and so on. There's a slightly different category called "Invalid Traffic" which is usually the result of a connection between WAN and internal machine that was closed but the WAN end still tried to use it. In this case, I do not think it's considered Appliance Access.

    I have a report I do that lists all of these by port and protocol, just to get a feel for what are popular targets in the wild. Basically I see a port scan about every 10 seconds or so. (Not a big-time target.)
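
Added example, not part of the thread and not any poster's own code: one way to build the kind of by-port-and-protocol summary mentioned in the last reply, splitting denied Appliance Access records into LAN broadcast noise, internal unicast, and external probes. The key=value field names, the `LOCAL_NETS` range and the sample lines are assumptions constructed for illustration; match them to the export your firewall actually produces.

```python
import ipaddress
import re
from collections import Counter

# Assumption: networks behind the firewall; replace with your own.
LOCAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]

# Constructed sample lines, not real logs. Key names are assumed; adjust them
# to match the key=value export your appliance actually produces.
SAMPLE = """\
log_component="Appliance Access" log_subtype="Denied" src_ip=192.168.10.23 dst_ip=192.168.10.255 protocol="UDP" dst_port=137
log_component="Appliance Access" log_subtype="Denied" src_ip=192.168.10.40 dst_ip=192.168.10.255 protocol="UDP" dst_port=137
log_component="Appliance Access" log_subtype="Denied" src_ip=192.168.10.23 dst_ip=192.168.10.1 protocol="TCP" dst_port=445
log_component="Appliance Access" log_subtype="Denied" src_ip=203.0.113.50 dst_ip=198.51.100.7 protocol="TCP" dst_port=23
log_component="Appliance Access" log_subtype="Denied" src_ip=203.0.113.51 dst_ip=198.51.100.7 protocol="TCP" dst_port=23
log_component="Appliance Access" log_subtype="Denied" src_ip=203.0.113.50 dst_ip=198.51.100.7 protocol="ICMP"
log_component="Invalid Traffic" log_subtype="Denied" src_ip=203.0.113.9 dst_ip=198.51.100.7 protocol="TCP" dst_port=443
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Turn one key=value log line into a dict, stripping quotes."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def origin(rec):
    """Label a record by where the dropped packet came from or was aimed at."""
    src = ipaddress.ip_address(rec["src_ip"])
    dst = ipaddress.ip_address(rec["dst_ip"])
    if dst.is_multicast or str(dst) == "255.255.255.255" or any(
            dst == net.broadcast_address for net in LOCAL_NETS):
        return "broadcast"
    return "internal" if any(src in net for net in LOCAL_NETS) else "external"

def summarize(lines):
    """Count denied Appliance Access records by (origin, protocol, dst_port)."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if (rec.get("log_component"), rec.get("log_subtype")) != ("Appliance Access", "Denied"):
            continue  # e.g. "Invalid Traffic" is a separate category
        counts[(origin(rec), rec["protocol"], rec.get("dst_port", "-"))] += 1
    return counts

if __name__ == "__main__":
    for (where, proto, port), n in summarize(SAMPLE.splitlines()).most_common():
        print(f"{n:5d}  {where:9s} {proto}/{port}")
```

A large "broadcast" share points at ordinary LAN chatter such as the SMB discovery described above, while "internal" unicast hits on the appliance are the rows worth a closer look because a specific host is addressing the firewall directly.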