Can someone suggest why the ATP would report an infection coming from an external address?
Thanks
I also had the same ATP warnings last night and this morning. Same external IP 195.62.53.168 and lock.bz. I will be blocking this IP, as I can't block all of Russia, due to customer relations. This behavior started occurring after updating to the latest version (from 5 versions out).
I spent an hour yesterday via SSH on all of the UTMs I have permission to access. Roughly half showed similar activity as described above. Rather than a firewall rule as recommended by Support, I recommend a blackhole DNAT where the Destination in the Traffic Selector is a Network Group containing all of the "(Address)" objects on Interfaces with a default gateway. Consult #2 in Rulz to understand why. These are the commands I ran:
zgrep 'dstip="195\.62\.53\.168' /var/log/packetfilter/2016/10/*
zgrep '195\.62\.53\.168' /var/log/aptp/2016/10/*
The first will show whether some device behind the UTM is trying to communicate with the bad IP. The second shows whether Advanced Threat Protection stopped an attack from the bad IP.
Cheers - Bob
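The two zgrep checks above, wrapped into a small script as an added example (not Bob's or Sophos's code). It escapes the dots in the IP so the regex cannot match unrelated addresses, lists which internal hosts tried to reach the IP from the packetfilter log, and counts the ATP (aptp) entries; it assumes the UTM's /var/log/packetfilter/YYYY/MM and /var/log/aptp/YYYY/MM layout and the srcip="..."/dstip="..." fields of packetfilter lines.

```shell
#!/bin/sh
# Added example (not from the thread). Usage: sh check_ip.sh IP [LOGROOT]
# LOGROOT defaults to /var/log; the packetfilter/YYYY/MM and aptp/YYYY/MM
# directory layout below is the UTM's. Plain and .gz log files are both read.

# Escape the dots so '.' in the IP matches only a literal dot, not any character.
escape_ip() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Outbound hits to IP $1 under log root $2, one "<count> <srcip>" line per
# internal source host, busiest first (ties ordered by source address).
outbound_by_src() {
    ip=$(escape_ip "$1")
    zgrep -h "dstip=\"$ip\"" "$2"/packetfilter/*/*/* 2>/dev/null |
        sed -n 's/.*srcip="\([^"]*\)".*/\1/p' |
        sort | uniq -c | sort -k1,1nr -k2,2 |
        awk '{print $1, $2}'
}

# Number of aptp log lines that mention IP $1 under log root $2.
atp_hits() {
    ip=$(escape_ip "$1")
    zgrep -h "$ip" "$2"/aptp/*/*/* 2>/dev/null | wc -l | tr -d ' '
}

# Human-readable summary for one IP.
report() {
    ip=$1; root=${2:-/var/log}
    echo "Outbound attempts to $ip by internal host (count srcip):"
    outbound_by_src "$ip" "$root"
    echo "ATP log entries for $ip: $(atp_hits "$ip" "$root")"
}

if [ $# -ge 1 ]; then
    report "$@"
fi
```

A non-empty first list means a device behind the UTM is calling out to the address; a non-zero ATP count means ATP has already logged activity involving it.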