
Firewall Broadcasts

Are these types of log entries normal on the newly deployed device? These are local subnet PCs.

 

Denied Log Entry:

Firewall
2017-12-04 10:32:25
messageid="02002" log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="0" policy_type="0" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" in_interface="Port1" out_interface="" src_mac="removedmac" src_ip="192.168.0.84" src_country="" dst_ip="192.168.0.255" dst_country="" protocol="UDP" src_port="33763" dst_port="8192" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature"

 

Firewall
2017-12-04 10:34:24
messageid="02002" log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="0" policy_type="0" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" in_interface="Port1" out_interface="" src_mac="removedmac" src_ip="192.168.0.150" src_country="" dst_ip="192.168.0.255" dst_country="" protocol="UDP" src_port="137" dst_port="137" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature"

 

Firewall
2017-12-04 10:57:24
messageid="02002" log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="0" policy_type="0" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" in_interface="Port1" out_interface="" src_mac="removedmac" src_ip="192.168.0.183" src_country="" dst_ip="255.255.255.255" dst_country="" protocol="UDP" src_port="68" dst_port="67" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature"


  • Hi,

    as far as I can tell, it has nothing to do with a new deployment; it has to do with your configuration. If you study each of those entries you see that you have heartbeat enabled, but the devices do not have a heartbeat, so please check your XG heartbeat settings.

    Also, two of those messages should not be going to the internet, but stay within your LAN, e.g. DHCP requests ports 67/68 and port 137.

     

    Ian

  • That's interesting because heartbeat is not even set up on this device. This device simply plugs into our local subnet via Port 1 and the servers are VMs, not sure if that makes a difference. The LAN to WAN rule is the one the device created initially; I haven't done anything to restrict services yet other than add IPS and some policies.

  • Also, in v17 there is increased logging which shows lots of dropped (denied) connections because the firewall does not have a valid connection in its conntrack table; these could be part of that. The packet size shows a 0 in most cases.

    Ian
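
One way to triage denied entries like the three posted above, added here as an example and not code from any poster or from Sophos: it parses the key="value" fields and separates LAN broadcast traffic (DHCP on 67/68, NetBIOS name service on 137) from denials that need a closer look. The 192.168.0.0/24 subnet and the fourth sample line are assumptions.

```python
import ipaddress
import re

# Assumption: the LAN on Port1 is 192.168.0.0/24; the thread only says "local subnet".
LAN = ipaddress.ip_network("192.168.0.0/24")
LIMITED = ipaddress.ip_address("255.255.255.255")
# UDP services that normally broadcast on a LAN segment.
SERVICES = {67: "DHCP", 68: "DHCP", 137: "NetBIOS name service"}
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample: the thread's three entries cut down to the fields used here,
# plus one invented unicast entry for contrast.
SAMPLE = [
    'log_subtype="Denied" src_ip="192.168.0.84" dst_ip="192.168.0.255" protocol="UDP" dst_port="8192"',
    'log_subtype="Denied" src_ip="192.168.0.150" dst_ip="192.168.0.255" protocol="UDP" dst_port="137"',
    'log_subtype="Denied" src_ip="192.168.0.183" dst_ip="255.255.255.255" protocol="UDP" dst_port="67"',
    'log_subtype="Denied" src_ip="192.168.0.20" dst_ip="192.168.0.1" protocol="TCP" dst_port="4444"',
]


def parse_line(line):
    """Turn one key="value" log line into a dict of fields."""
    return dict(FIELD_RE.findall(line))


def classify(entry, lan=LAN):
    """Label a denied entry as LAN broadcast traffic or as something to review."""
    if entry.get("log_subtype") != "Denied":
        return "not denied"
    try:
        src = ipaddress.ip_address(entry["src_ip"])
        dst = ipaddress.ip_address(entry["dst_ip"])
        port = int(entry["dst_port"])
    except (KeyError, ValueError):
        return "review: missing or malformed fields"
    if dst not in (LIMITED, lan.broadcast_address):
        return "review: not a broadcast destination"
    # A DHCP client without a lease sends from 0.0.0.0, so accept that as local.
    if src not in lan and not src.is_unspecified:
        return "review: broadcast from outside the LAN"
    kind = "limited" if dst == LIMITED else "directed"
    return f"{kind} broadcast: {SERVICES.get(port, 'unidentified port ' + str(port))}"


if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(parse_line(line)))
```

Entries labelled with an unidentified port (UDP 8192 in the first sample) are still local broadcasts; identifying the sending application on the source host settles what they are.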
