more than 6000 entries / day of RST, RST FIN and ACK PSH entries in the firewall log

Dear community

I use an ESXi 6.1 server with the Sophos UTM 9.403-4.

Every day, I have more than 6000 entries of RST, RST FIN and ACK PSH packets/entries in the firewall log.

Is it possible to disable these entries?

masquerading: internal->extern
firewall: HTTP/HTTPS/DNS/NTP/POP3/IMAP etc. intern->extern enabled
ICMP to/over gateway is enabled
web filter: is in transparency mode
Application Control is enabled, blocks some advertising

Best Regards
Matthias

  • Hi Bob,

    Thank you for your reply.

    eth0 Internal

    eth1 WAN

    2016:06:17-10:10:56 firewall ulogd[4654]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:xx:xx:xx" dstmac="80:ee:73:xx:xx:xx" srcip="31.xx.xx.xx" dstip="95.xx.xx.xx" proto="6" length="40" tos="0x00" prec="0x00" ttl="88" srcport="443" dstport="49525" tcpflags="ACK FIN"

    2016:06:17-00:21:05 firewall ulogd[4654]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:xx:xx:xx" dstmac="80:ee:73:xx:xx:xx" srcip="54.239.xx.xx" dstip="WAN-IP" proto="6" length="40" tos="0x00" prec="0x00" ttl="243" srcport="443" dstport="53578" tcpflags="RST"


    2016:06:17-00:21:05 firewall ulogd[4654]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="00:0c:29:xx:xx:xx" srcip="54.239.xx.xx" dstip="192.168.2.35" proto="6" length="40" tos="0x00" prec="0x60" ttl="64" srcport="80" dstport="39579" tcpflags="RST"

    2016:06:17-00:23:49 firewall ulogd[4654]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:xx:xx:xx" dstmac="80:ee:73:xx:xx:xx" srcip="54.239.xx.xx" dstip="95.xx.xx.xx" proto="6" length="40" tos="0x00" prec="0x00" ttl="227" srcport="443" dstport="45528" tcpflags="ACK RST"


    2016:06:17-00:23:50 firewall ulogd[4654]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:xx:xx:xx" dstmac="80:ee:73:xx:xx:xx" srcip="54.239.xx.xx" dstip="95.xx.xx.xx" proto="6" length="40" tos="0x00" prec="0x00" ttl="231" srcport="443" dstport="37110" tcpflags="ACK RST"

    Cheers - Matthias

  • These are all HTTP/S responses from servers.  It's not unusual to see RST packets, and you can ignore them unless you're having a problem maintaining a connection with some servers.  I see several involving srcip="54.239.xx.xx" - are there any complaints related to that?

    Cheers - Bob
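
Added example, not part of the original thread and not Sophos code: a Python script that parses packetfilter drop lines in the format posted above and separates RST/FIN packets arriving from ports 80/443 from all other drops, so a day's volume can be broken down by flag combination and source. The sample lines are constructed with documentation-range addresses; the function names and the port 80/443 heuristic are assumptions.

```python
import re
from collections import Counter

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')   # key="value" pairs written by ulogd
TEARDOWN_FLAGS = {"RST", "FIN"}             # flags that end a TCP connection
WEB_PORTS = {"80", "443"}                   # assumption: HTTP/S servers only

# Constructed sample in the thread's log format (placeholder addresses).
SAMPLE_LOG = '''\
2016:06:17-00:21:05 firewall ulogd[4654]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.10" dstip="198.51.100.7" proto="6" length="40" srcport="443" dstport="53578" tcpflags="RST"
2016:06:17-00:21:05 firewall ulogd[4654]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcip="203.0.113.10" dstip="192.168.2.35" proto="6" length="40" srcport="80" dstport="39579" tcpflags="RST"
2016:06:17-00:23:49 firewall ulogd[4654]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.10" dstip="198.51.100.7" proto="6" length="40" srcport="443" dstport="45528" tcpflags="ACK RST"
2016:06:17-10:10:56 firewall ulogd[4654]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.25" dstip="198.51.100.7" proto="6" length="40" srcport="443" dstport="49525" tcpflags="ACK FIN"
2016:06:17-11:02:13 firewall ulogd[4654]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.0.2.99" dstip="198.51.100.7" proto="6" length="60" srcport="51515" dstport="23" tcpflags="SYN"
'''

def parse_line(line):
    """Return the key="value" fields of a packetfilter drop line, or None."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("sub") != "packetfilter" or fields.get("action") != "drop":
        return None
    return fields

def is_teardown_reply(f):
    """TCP packet from a web port carrying RST or FIN: probably a late server reply."""
    flags = set(f.get("tcpflags", "").split())
    return (f.get("proto") == "6" and f.get("srcport") in WEB_PORTS
            and bool(flags & TEARDOWN_FLAGS))

def summarize(text):
    """Count teardown replies by flags and source; collect every other drop."""
    by_flags, by_source, other = Counter(), Counter(), []
    for line in text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        if is_teardown_reply(f):
            by_flags[f["tcpflags"]] += 1
            by_source[f["srcip"]] += 1
        else:
            other.append(f)   # not web teardown traffic: review separately
    return by_flags, by_source, other

if __name__ == "__main__":
    flags, sources, other = summarize(SAMPLE_LOG)
    print("teardown replies by flags:", dict(flags))
    print("top sources:", sources.most_common(3))
    print("other drops:", [(f["srcip"], f.get("dstport"), f.get("tcpflags")) for f in other])
```

Matching on source port alone is a heuristic, since the log line carries no connection state; a single source that dominates the count is the case Bob's question about complaints is aimed at.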