Hi Community,
we're using an XGS Firewall (V19) and STAS for authentication of our users.
On our domain controllers in stas.log we're seeing a huge amount of these entries every few seconds:
SSO_server_handle_wrkstpoll_req: poll req for '43.129.35.XX' from 'INTERNAL XGS IP' filtered out
SSO_server_handle_wrkstpoll_req: poll req for '2.56.58.XX' from 'INTERNAL XGS IP' filtered out
SSO_server_handle_wrkstpoll_req: poll req for '212.192.246.XX' from 'INTERNAL XGS IP' filtered out
They are filling up the Windows security event log and the STAS log. These IP addresses are external, malicious hosts, which are obviously trying to authenticate.
So I was wondering why these authentication requests from external, foreign WAN IP addresses are forwarded to STAS running on my domain controller.
I do not need SSO user authentication on the WAN zone, and I'd like unnecessary authentication requests to be blocked as early as possible.
I'm aware that STAS is filtering these requests out as they're not matching configured subnets, but do they really need to be passed to internal authentication servers?
I contacted support and they told me "you were getting the WMI polling request from the public ip to the STAS which is the expected behavior from the XG because firewall will not drop the WMI polling request coming from any zone. [...] XG does not know from which network it should expect the request, the monitored network is configured on the STAS Suite, not on XG so firewall will once check the access server(STAS) before dropping the traffic".
I'd like to verify if that's really by design and there's no way to block XG from accepting WMI polling requests from the WAN zone.
You can define device access quite granularly, and e.g. "Client authentication" cannot be enabled on the WAN zone at all. So why should WMI polling requests be processed on the WAN zone?!
In addition, those requests are not logged at all in the XG firewall (as far as I know). I'd expect source IP addresses to get blocked from further requests and not keep getting passed to STAS, e.g. blocking the source IP right after 5-10 failed authentication requests.
I'm sorry, but I don't get it and think that's an unnecessary impact on security. Am I wrong?
Just a single misconfiguration, like entering no or a wrong subnet filter in STAS, would result in a simple attack surface on the WAN zone, as WMI requests would be answered?
There's a KB: https://support.sophos.com/support/s/article/KB-000040846?language=en_US but should this really include the WAN zone?
Please share your thoughts... I'd like to know if anyone else noticed this...
Thanks in advance!
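As an added illustration (not part of the original post, and not Sophos code): a small Python script that parses stas.log lines of the format quoted above, classifies each polled workstation address as inside the monitored STAS subnets, RFC1918 but unmonitored, or external, and counts external addresses that recur so they can be alerted on or fed into a block list. The monitored subnet, the sample log lines (TEST-NET addresses) and the threshold are assumed or constructed values.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the stas.log format quoted in the post.
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
SSO_server_handle_wrkstpoll_req: poll req for '203.0.113.17' from '10.0.0.1' filtered out
SSO_server_handle_wrkstpoll_req: poll req for '198.51.100.9' from '10.0.0.1' filtered out
SSO_server_handle_wrkstpoll_req: poll req for '192.0.2.3' from '10.0.0.1' filtered out
SSO_server_handle_wrkstpoll_req: poll req for '203.0.113.17' from '10.0.0.1' filtered out
SSO_server_handle_wrkstpoll_req: poll req for '192.168.50.4' from '10.0.0.1' filtered out
"""

POLL_RE = re.compile(r"poll req for '([^']+)' from '([^']+)' filtered out")

# Assumed: the subnet(s) configured as monitored networks in STAS (placeholder).
MONITORED = [ipaddress.ip_network("10.10.0.0/16")]
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_poll_requests(text):
    """Yield (workstation_ip, requester_ip) for each filtered poll-request line."""
    for line in text.splitlines():
        m = POLL_RE.search(line)
        if m:
            yield m.group(1), m.group(2)

def classify(ip_str, monitored=MONITORED):
    """'monitored' if inside a STAS subnet, 'internal' if RFC1918 but
    unmonitored (likely a STAS subnet misconfiguration), else 'external'."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in monitored):
        return "monitored"
    if any(ip in net for net in RFC1918):
        return "internal"
    return "external"

def summarize(text, monitored=MONITORED):
    """Return (count per class, count of filtered polls per external IP)."""
    by_class, by_ip = Counter(), Counter()
    for wks, _requester in parse_poll_requests(text):
        cls = classify(wks, monitored)
        by_class[cls] += 1
        if cls == "external":
            by_ip[wks] += 1
    return by_class, by_ip

def repeat_offenders(by_ip, threshold=2):
    """External addresses polled at least `threshold` times (assumed threshold)."""
    return sorted(ip for ip, n in by_ip.items() if n >= threshold)

if __name__ == "__main__":
    by_class, by_ip = summarize(SAMPLE_LOG)
    print(dict(by_class), repeat_offenders(by_ip))
```

Run it against a real stas.log with the monitored subnets set to the ones configured in STAS; any "internal" hits point at a subnet filter gap, and the repeat-offender list is the candidate input for a block rule.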