
AD logins seen from random IP addresses

Hi Folks, hoping for a little insight into something.

We host an HA XG solution for one of our customers via 2x SG330 appliances running SFOS 16.05.0 GA. I was demonstrating the reporting functionality to the client when we noticed what looked like login attempts from AD users from outside of their network (random WAN IPs). Moreover, they appear to be from the client's IT dept system management accounts (these are used for the management of their servers and not for day-to-day web browsing etc., and they are blocked from browsing by the firewall anyway). Below is an example of what we are seeing in the reports (names scrubbed for obvious reasons):

Not sure if anyone has come across this before? The IP displayed is not within the customer network and a whois says it is in Vietnam!

Any insight is greatly appreciated.

Many thanks,

Matt



This thread was automatically locked due to age.
  • Hi Matt, 

    If you are not sure of the source address, I would advise you to create an ACL rule to block all connections to XG.

    Path: XG dashboard > Administration > Device Access > Local ACL Exception rule > Add (enter the host address and select the action as drop).
