ATP reporting source as external address

Question

Can someone suggest why the ATP would report an infection coming from an external address ? 
 
 Thanks

tbenson · Answer

I'm getting the same symptoms from that same source on a UTM running firmware 9.406-3. The aptp log shows it is protocol 6 (TCP) so this is probably unrelated to the previous UDP bug. The source IP is in Saint Petersburg, Russia, which is not on my LAN. 
 2016:10:26-10:33:01 xxxx afcd[31823]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="195.62.53.168" dstip="xxx.xxx.xxx.xxx" fwrule="63001" proto="6" threatname="C2/Generic-A" status="1" host="lock.bz" url="" action="drop"

sachingurung · Answer

Hi Stephen, 
 Do you have public IPs, "Any", or "Internet" listed under Network Services > DNS > Global > Allowed Networks? Next, if you are not using the firewall for DHCP then set primary DNS in DHCP as the firewall. If you are using AD then you also need to setup DNS routing under DNS so that the firewall will route internal DNS requests to your AD server. Then you will get proper alerts for internal machines. 
 There was a known issue with the previous firmware where UDP DNS packets affected UTM's ATP detection. This was fixed and mentioned in NUTM-3340. 
 If the issue is not resolved from the steps mentioned above, please report it to Support for deep inspection. 
 Thanks

zoidberg · Answer

Same here, seems like a bug - again.

Same address and target.

ATP reporting source as external address

Submitted a Tech Support Case lately from the Support Portal?