ATP reporting source as external address

Can someone suggest why the ATP would report an infection coming from an external address?

Thanks

This thread was automatically locked due to age.
  • Hi Stephen,

    Do you have public IPs, "Any", or "Internet" listed under Network Services > DNS > Global > Allowed Networks? Next, if you are not using the firewall for DHCP then set the primary DNS in DHCP to the firewall. If you are using AD then you also need to set up DNS routing under DNS so that the firewall will route internal DNS requests to your AD server. Then you will get proper alerts for internal machines.

    There was a known issue with the previous firmware where UDP DNS packets affected the UTM's ATP detection. This was fixed and mentioned in NUTM-3340.

    If the issue is not resolved from the steps mentioned above, please report it to Support for deep inspection.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi,

    I get the same message (in v9.407!!) since yesterday, 25.10. But in my opinion it is not related to this bug ID (Fix [NUTM-3340]: [Network] ATP alerts can be caused by external UDP DNS traffic (can lead to massive amounts of ATP alerts)), but it is more likely a different bug.

    I see that this IP address tries to connect to various servers in my DMZ. Maybe a harvest scan or something similar. But it is only trying port 80. The source IP address is listed in some abuse lists. So my analysis would be: a malicious IP address communicates with a machine behind the firewall. The afc should normally alert in this case, because the traffic originates from an external network. Why do we get an alert? Only Sophos knows...

    Regards

    Sebastian

  • Same here, seems like a bug - again.


    Same address and target.

  • I'm getting the same symptoms from that same source on a UTM running firmware 9.406-3. The aptp log shows it is protocol 6 (TCP), so this is probably unrelated to the previous UDP bug. The source IP is in Saint Petersburg, Russia, which is not on my LAN.

    2016:10:26-10:33:01 xxxx afcd[31823]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="195.62.53.168" dstip="xxx.xxx.xxx.xxx" fwrule="63001" proto="6" threatname="C2/Generic-A" status="1" host="lock.bz" url="" action="drop"


  • A Google search on that "lock.bz" domain brings up pages that look like a risky click to me. The search results are mostly Cyrillic and mention "vault". Cryptolocker-related sites perhaps?

  • Same here, 2 times this morning with our http reverse proxy as destination:

    2016:10:27-06:50:12 cerberus afcd[14899]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="195.62.53.168" dstip="<REVERSE_PROXY_LAN_IP_ADDR>" fwrule="63001" proto="6" threatname="C2/Generic-A" status="1" host="lock.bz" url="" action="drop"
    2016:10:27-09:06:51 cerberus afcd[31684]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="195.62.53.168" dstip="<REVERSE_PROXY_LAN_IP_ADDR>" fwrule="63001" proto="6" threatname="C2/Generic-A" status="1" host="lock.bz" url="" action="drop"
    
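    The afcd entries quoted in the two posts above (the 9.406-3 one and the reverse-proxy one) all share one shape: an external srcip, an internal dstip and proto="6". The following script is an added example, not code from the thread or from Sophos: it parses afcd lines of that format, decides from the srcip/dstip pair whether an ATP drop is inbound (external source hitting a LAN host, as reported here) or outbound (an internal host reaching a flagged destination, which is what an ATP C2 alert normally means), and notes whether the protocol is the UDP case described for NUTM-3340. The sample log is constructed: the system name "utm", the 10.0.0.x and 198.51.100.9 addresses, PIDs and timestamps are made up, and treating the RFC 1918 ranges as "internal" is an assumption that would be replaced by the UTM's own LAN/DMZ definitions.

```python
import ipaddress
import re
from typing import Dict, List

# Ranges treated as "internal" for this example (RFC 1918, an assumption);
# a real deployment would use the UTM's own LAN and DMZ network definitions.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}

# Constructed sample entries modelled on the afcd lines quoted in this thread.
# The system name "utm", the 10.0.0.x / 198.51.100.9 addresses, PIDs and
# timestamps are made up; srcip 195.62.53.168 and host="lock.bz" are the
# values the posters reported.
SAMPLE_LOG = """\
2016:10:27-06:50:12 utm afcd[14899]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="195.62.53.168" dstip="10.0.0.25" fwrule="63001" proto="6" threatname="C2/Generic-A" status="1" host="lock.bz" url="" action="drop"
2016:10:27-09:06:51 utm afcd[31684]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.0.77" dstip="195.62.53.168" fwrule="63001" proto="6" threatname="C2/Generic-A" status="1" host="lock.bz" url="" action="drop"
2016:10:27-11:12:03 utm afcd[31684]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="198.51.100.9" dstip="10.0.0.53" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="lock.bz" url="" action="drop"
"""

# Syslog-style prefix: timestamp, system name, daemon[pid]: then key="value" pairs.
_PREFIX_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sysname>\S+) (?P<daemon>\w+)\[(?P<pid>\d+)\]: (?P<body>.*)$"
)
_FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_afcd_line(line: str) -> Dict[str, str]:
    """Split one afcd entry into its prefix parts plus the key="value" fields."""
    m = _PREFIX_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an afcd-style line: {line!r}")
    rec = m.groupdict()
    rec.update(dict(_FIELD_RE.findall(rec.pop("body"))))
    return rec


def is_internal(addr: str) -> bool:
    """True when the address falls inside one of the configured internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify_direction(rec: Dict[str, str]) -> str:
    """'inbound' = external source hitting an internal host (the case in this thread);
    'outbound' = internal host reaching out (what an ATP C2 alert normally means)."""
    src_int, dst_int = is_internal(rec["srcip"]), is_internal(rec["dstip"])
    if src_int and not dst_int:
        return "outbound"
    if dst_int and not src_int:
        return "inbound"
    return "other"


def triage(log_text: str) -> List[Dict[str, str]]:
    """Summarise every ATP drop with its direction, protocol and a short triage hint."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_afcd_line(line)
        if rec.get("name") != "Packet dropped (ATP)":
            continue  # only the ATP drops matter here, not other packetfilter events
        direction = classify_direction(rec)
        proto = PROTO_NAMES.get(rec.get("proto", ""), rec.get("proto", "?"))
        if direction == "outbound":
            hint = f"internal host {rec['srcip']} reached a flagged destination; examine that host"
        elif proto == "UDP":
            hint = "external UDP source; same shape as the NUTM-3340 false positive"
        else:
            hint = "external TCP source; not the UDP issue, review the exposed service and take a packet capture"
        rows.append({
            "ts": rec["ts"], "srcip": rec["srcip"], "dstip": rec["dstip"],
            "proto": proto, "direction": direction,
            "threatname": rec.get("threatname", ""), "host": rec.get("host", ""),
            "hint": hint,
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(f"{row['ts']} {row['direction']:8} {row['proto']:3} "
              f"{row['srcip']} -> {row['dstip']} [{row['threatname']} / {row['host']}] {row['hint']}")
```

    Run against an exported afcd log (or the `aptp` log lines of the same shape), only the rows tagged `outbound` point at a LAN host worth scanning; an `inbound` TCP row says nothing about an infected internal machine, which is the distinction the posters are drawing.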
  • Same here, how can we report this to support for Deep Inspection?

  • We have had the same warning since yesterday,

    and if I reset the warning it pops up again every few hours,

    and if I take a look at the firewall log I see the last 3 entries are from an internal client to this IP 195.62.53.168 over port 137.

    So I scanned this internal computer for viruses and none of 4 AV scanners found anything.

    Should I be worried?

  • Got exactly the same entry in the ATP today.

    Firmware 9.407-3 on a SG210.

  • I'm not seeing these NETBIOS calls at any customer site. I am seeing HTTP/S responses where NAT is in use instead of Webserver Protection.

    I'd be tempted to do a packet capture of that traffic to see what's being requested. Since this just started in the last few days, I wouldn't be surprised if the scanners can't see the problem yet.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA