This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Portscan notifications

This may be a little tough to answer, but a question....

So I have as Rule #1 in my firewall to DROP all connections Incoming/Outgoing if it is in an ip address range/network/etc. as a first line of defense.

I then receive notifications about a portscan from an ip that qualifies as in that list. I then have to login to the UTM to see if I've already blocked that IP address or range.

I'm not sure how the portscan detection works, but wondering, shouldn't the portscan not even be able to be completed by the end-user if it's in the blocked range? Ie. it just drops the packets? But it still shows as I've been scanned - should it? Shouldn't the connection attempt been dropped immediately?

This thread was automatically locked due to age.

Parents

0 Alexander Busch over 7 years ago

Maybe this one is interessting

So a connection attempt is already enough I think. It seems the attempt is already be counted in front of the manual firewall rules.

Best

Alex

PS A nice feature of UTM would be automaticly block IPs which triggered IPS for example.

-
Cancel
Vote Up 0 Vote Down

Cancel
0 zburns over 7 years ago in reply to Alexander Busch

I've also thought about an auto-block - but that scared me a little bit. You could create an issue real quick by scanning yourself. :-)
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 zburns over 7 years ago in reply to Alexander Busch

I've also thought about an auto-block - but that scared me a little bit. You could create an issue real quick by scanning yourself. :-)
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Alexander Busch over 7 years ago in reply to zburns

zburns said:
I've also thought about an auto-block - but that scared me a little bit. You could create an issue real quick by scanning yourself. :-)

Make an exception for your internal lan.

-
Cancel
Vote Up 0 Vote Down

Cancel