
Weekly executive report shows external IP addresses as dropped source hosts

In the weekly executive report, 5 of the 10 TOP10 dropped source hosts are external IP addresses. This seems strange, as I would only expect internal or VPN IP addresses in this list. What is the explanation for these external IP addresses, and is it something that should be investigated further? I asked this question to the paid support options, but they haven't come back with an answer in 2 days. And at the moment their entire support system seems to be broken, so I thought I would ask the question here.



  • FormerMember

    Hi ,

    Apologies for any inconvenience caused! 

    Would it be possible for you to provide the support case number via PM? Also, a screenshot of the report where you see the entry for the external IP address being detected and dropped?

    Thanks,

  • Hoi Niels and welcome to the UTM Community!

    I would expect virtually all Dropped Source Hosts to be external IPs belonging to what may be attackers trying to access your internal network.  Or are you seeing IPs on your External interface being dropped?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you Balfson

    I think I'm a bit confused about what Source and Destination top 10 means. I thought Source would only be traffic packets blocked originating from our internal network. And destination being all external communication towards our internet network? 

    But these top lists combine the package drop count for both LAN -> WAN and WAN -> LAN?

  • Yes, Niels, both lists will contain internal and external IPs.  The issue is what source IP was in a dropped packet 'source IP -> port -> Destination IP'.

    Cheers - Bob

     
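
Added example, not part of the thread and not Sophos code: a short Python tally showing why a "top dropped source hosts" list mixes internal and external addresses once every dropped packet is counted by its source IP, whatever its direction. The key="value" log lines are constructed, and the field names `action`, `srcip`, `dstip` and the internal ranges are assumptions to adapt to your own logs and network.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: ranges treated as "internal" (LAN and VPN pools); adjust per site.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines (documentation address ranges), not real firewall output.
SAMPLE_LOG = """\
action="drop" srcip="203.0.113.7" dstip="192.168.1.10" dstport="3389"
action="drop" srcip="203.0.113.7" dstip="192.168.1.10" dstport="22"
action="drop" srcip="203.0.113.7" dstip="192.168.1.11" dstport="445"
action="drop" srcip="192.168.1.50" dstip="198.51.100.9" dstport="6667"
action="drop" srcip="192.168.1.50" dstip="198.51.100.9" dstport="6667"
action="accept" srcip="192.168.1.50" dstip="198.51.100.20" dstport="443"
action="drop" srcip="198.51.100.44" dstip="192.168.1.10" dstport="23"
malformed line without fields
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def is_internal(addr):
    """True if addr falls inside one of the site's internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def top_dropped_sources(log_text, limit=10):
    """Count dropped packets per source IP and label each host by origin."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("action") != "drop" or "srcip" not in fields:
            continue  # accepted traffic and unparsable lines are ignored
        try:
            ip_address(fields["srcip"])
        except ValueError:
            continue  # skip lines whose source field is not an IP address
        counts[fields["srcip"]] += 1
    return [(ip, n, "internal" if is_internal(ip) else "external")
            for ip, n in counts.most_common(limit)]


if __name__ == "__main__":
    for ip, n, origin in top_dropped_sources(SAMPLE_LOG):
        print(f"{n:4d}  {ip:<16} {origin}")
```

Splitting the report this way separates inbound noise from the internet (external sources) from internal hosts whose outbound traffic is being dropped; the latter are usually the entries worth a closer look.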