Can someone suggest why the ATP would report an infection coming from an external address?
Thanks
Hi Stephen,
Do you have public IPs, "Any", or "Internet" listed under Network Services > DNS > Global > Allowed Networks? Next, if you are not using the firewall for DHCP, then set the primary DNS server in DHCP to the firewall. If you are using AD, then you also need to set up DNS routing under DNS so that the firewall routes internal DNS requests to your AD server. Then you will get proper alerts for internal machines.
There was a known issue with the previous firmware where UDP DNS packets affected UTM's ATP detection. This was fixed and mentioned in NUTM-3340.
If the issue is not resolved from the steps mentioned above, please report it to Support for deep inspection.
Thanks
Sachin Gurung
Team Lead | Sophos Technical Support
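The two checks in the answer above, as an added example that is not part of the original post or of any Sophos tooling: given the entries in the resolver's Allowed Networks list and the source addresses of ATP alerts, it flags list entries that admit external clients and separates alerts whose source is internal from those whose source is not. The entry names, the tuple layout and the alert records are constructed for the example; a real UTM export or log line would need its own parser.

```python
import ipaddress

# Address space that should be the only legitimate source of ATP alerts:
# RFC 1918, loopback and link-local. Adjust to the internal ranges you use.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Assumed labels for catch-all network objects in the Allowed Networks list.
CATCH_ALL_NAMES = {"Any", "Internet", "Internet IPv4"}

# Constructed sample: (object name, CIDR or None) as it might appear under
# Network Services > DNS > Global > Allowed Networks. Not a real export format.
ALLOWED_NETWORKS = [
    ("Internal (Network)", "192.168.10.0/24"),
    ("DMZ (Network)", "10.20.0.0/24"),
    ("Any", None),
]

# Constructed ATP-style alert records: (source IP, flagged destination host).
ALERTS = [
    ("192.168.10.55", "bad-host.example"),
    ("203.0.113.7", "bad-host.example"),
    ("10.20.0.8", "other-bad-host.example"),
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of INTERNAL_RANGES."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES if addr.version == net.version)


def exposed_allowed_networks(entries):
    """Return the names of Allowed Networks entries that let external hosts
    query the firewall's resolver: catch-all objects, or any CIDR that is
    not wholly contained in an internal range."""
    exposed = []
    for name, cidr in entries:
        if name in CATCH_ALL_NAMES or cidr is None:
            exposed.append(name)
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        contained = any(net.subnet_of(r) for r in INTERNAL_RANGES if net.version == r.version)
        if not contained:
            exposed.append(name)
    return exposed


def split_alerts(alerts):
    """Partition alert records into (internal-source, external-source) lists.
    External-source alerts on a resolver open to the Internet are the
    symptom described in the thread: someone outside is using the UTM's DNS."""
    internal = [a for a in alerts if is_internal(a[0])]
    external = [a for a in alerts if not is_internal(a[0])]
    return internal, external


if __name__ == "__main__":
    print("Allowed Networks entries reachable from outside:",
          exposed_allowed_networks(ALLOWED_NETWORKS))
    inside, outside = split_alerts(ALERTS)
    print("alerts with internal source:", inside)
    print("alerts with external source (check resolver exposure):", outside)
```

If the exposed list is empty and external-source alerts still appear, the resolver ACL is not the cause and the firmware fix or a support case (as the answer says) is the next step.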
Hi,
I get the same message (in v9.407!) since yesterday, 25.10. But in my opinion it is not related to this bug ID (Fix [NUTM-3340]: [Network] ATP alerts can be caused by external UDP DNS traffic (can lead to massive amounts of ATP alerts)); it is more likely a different bug.
I see that this IP address tries to connect to various servers in my DMZ. Maybe a harvest scan or something similar. But it is only trying port 80. The source IP address is listed in some abuse lists. So my analysis would be: a malicious IP address communicates with a machine behind the firewall. The AFC should normally alert in this case, because the traffic originates from an external network. Why do we get an alert? Only Sophos knows.
Regards
Sebastian