SOPHOS XGS 2100 Zenmap intense portscan - Linksys WRT45G dropbear?

Hi Dennis Wauer Thank you for reaching out to the Sophos community team. Can you please help us with the below details to narrow down the situation?

How this Port scan was performed? From Outside or from the LAN segment?
On which IP this Port scan was performed? The IP on which this port scan was performed is directly assigned and configured on XGS? if it is directly assigned and configured on XGS then is it WAN IP?
Is there any DNAT/Port forwarding configured for any in-house device to map the above services or any of the services listed in the above port scan result? 
If this has been scanned from the WAN side, Does XG WAN has private IP over WAN on which requests are landing from the next hop router via port forwarding on it?

Hi Vishal,

thanks for your fast reply on my topic.

The scan was performaned using Zenmap on Microsoft Windows 11 from inside the LAN, with the following command:
nmap -sS -sU -T4 -A -v 10.0.1.1

Yes, the IP-Address where with port scan was performed is directly assigned to the Sophos XGS. We are using for WAN the Sophos DSL Module.  (=> Screenshot 1)

No there is no DNAT / Port forwarding configured for any of these services.

We have a dynamic public IP-Address assigned for the WAN, which get assigned by the DSL Module.

Regards,
Dennis

Hi Dennis Wauer  Can you please capture tcpdump and PCAP on XG on ssh service port 22 when you perform scanning to confirm who is replying or how the 22 service port packets traversing and getting replied by which device?

Packet capture in Diagnostics on the Sophos XGS does not working correctly, I will now try via ssh.

Command: tcpdump -ni any host 10.0.0.1 and port 22

82064 packets captured
95202 packets received by filter
13138 packets dropped by kernel
XGS2100_RL01_SFOS 19.5.1 MR-1-Build278#

I got this as result, after... 2 seconds runtime of the command. Crazy??

/cfs-file/__key/communityserver-discussions-components-files/126/dump1.txt

1st picture - SSH Package

2nd picture - Overview - with much "TCP Retransmission"

To solve the problem, should I maybe try to disable ipsec-acceleration and firewall-acceleration?

Disable IPsec Acceleration: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/CommandLineHelp/DeviceConsole/SystemCommands/index.html#command-ipsecacceleration

Disable Hardware Acceleration: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/CommandLineHelp/DeviceConsole/SystemCommands/index.html#firewall-acceleration

To solve the problem, should I maybe try to disable ipsec-acceleration and firewall-acceleration?

Disable IPsec Acceleration: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/CommandLineHelp/DeviceConsole/SystemCommands/index.html#command-ipsecacceleration

Disable Hardware Acceleration: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/CommandLineHelp/DeviceConsole/SystemCommands/index.html#firewall-acceleration