Numerous portscan warnings - from within network

I turned on portscan notifications, and have been receiving hundreds of alerts. The strange thing is, lots of them are from internal IPs. E.g.:

A portscan was detected. Details about the event:

Time.............: 2016-08-05 06:12:01

Source IP address: 192.168.1.45

--
HA Status          : HA MASTER (node id: 2)
System Uptime      : 1 day 18 hours 32 minutes
System Load        : 0.82
System Version     : Sophos UTM 9.405-5

Please refer to the manual for detailed instructions.

These are Macintosh computers.

Any ideas where I should go with this? Is it a legitimate warning or a false positive with 9.405-5?


Thanks,

James.



  • Hi James,

    Do you see the port scan alarm for systems other than Mac computers?

    If the firewall detects an unusually large number of attempts to connect to services, especially if these attempts come from the same source address, the firewall is most likely being port scanned and thus imposes a block. A portscan is detected when a detection score of 21 points in a time range of 300 ms for one individual source IP address is exceeded.

    In the Anti Port Scan section enable Limit Logging. Selecting this option will restrict logging to five lines per second.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Thanks Sachin.

    I think only Macs, not sure at the moment. Get no alerts, then after, say, 5 hours get 50 from one source.

    'Limit Logging' is turned on.

    James.
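
The scoring rule described in the reply above (more than 21 points from one source IP within 300 ms), sketched as an added example that is not part of the original thread and is not Sophos code. The per-port weights and the rule that only distinct destination ports add to the score are assumptions; the thread gives only the threshold and the time window. The sample events are constructed.

```python
from collections import defaultdict, deque

THRESHOLD = 21        # points; value quoted in the thread
WINDOW_MS = 300       # milliseconds; value quoted in the thread
LOW_PORT_WEIGHT = 3   # assumption: ports below 1024 score higher
HIGH_PORT_WEIGHT = 1  # assumption: ports 1024 and above score lower


def detect_portscans(events):
    """events: iterable of (time_ms, src_ip, dst_port).

    Returns (time_ms, src_ip, score) each time one source exceeds
    THRESHOLD inside a sliding window of WINDOW_MS.
    """
    recent = defaultdict(deque)  # src_ip -> (time_ms, dst_port) in window
    alerts = []
    for t, src, port in sorted(events):
        window = recent[src]
        window.append((t, port))
        # Drop connection attempts that have aged out of the window.
        while t - window[0][0] > WINDOW_MS:
            window.popleft()
        # Assumption: repeated hits on the same port count once.
        ports = {p for _, p in window}
        score = sum(LOW_PORT_WEIGHT if p < 1024 else HIGH_PORT_WEIGHT
                    for p in ports)
        if score > THRESHOLD:
            alerts.append((t, src, score))
            window.clear()  # start counting again after an alert
    return alerts


# Constructed sample traffic, one pattern per internal host.
SAMPLE_EVENTS = (
    # 8 different low ports in 70 ms: 8 * 3 = 24 points
    [(1000 + 10 * i, "10.0.0.5", 20 + i) for i in range(8)]
    # 50 connections to one port in 245 ms: 3 points
    + [(5000 + 5 * i, "10.0.0.6", 443) for i in range(50)]
    # 8 different low ports, 100 ms apart: at most 4 in a window, 12 points
    + [(9000 + 100 * i, "10.0.0.7", 100 + i) for i in range(8)]
    # 22 different high ports in 210 ms: 22 * 1 = 22 points
    + [(12000 + 10 * i, "10.0.0.8", 50000 + i) for i in range(22)]
)

if __name__ == "__main__":
    for t, src, score in detect_portscans(SAMPLE_EVENTS):
        print(f"portscan alert: t={t} ms src={src} score={score}")
```

Under these assumptions a short burst to many different ports from one host raises an alert, while heavy traffic to a single port or the same ports spread over a longer period does not.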
