Exempting IP from being blocked for Port Scanning

Hi

Being a school, we have a Smoothwall filtering system used for Safeguarding sat between our core and the Watchguard. When we need to run an update, or simply reboot the Smoothwall, our VoIP phones lose connection with the VoIP cloud controller. When connection is re-established, all the phones try connecting again, which is interpreted by Watchguard as a port scan attack and the cloud controller's public IP address is added to the block list.

The VoIP system has its own firewall rules.

Is there a way to prevent Watchguard from interpreting this as a port scan thus preventing it from being added to the block list?

OS version: 12.7

Comments

  • You can add the cloud controller's public IP address to the Blocked Sites Exceptions list which will prevent it from getting onto the temp Blocked Sites list.

    You can disable or modify the "Block Port Scan" packets per second - I'm not sure what value would be appropriate here for your situation.

    About Default Packet Handling Options
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/intrusionprevention/default_pkt_handling_opt_about_c.html

  • Curious what happened with this one

    I had a similar issue with a SIP trunk provider that does 'checks' to make sure they can still reach the 100+ PBXs we have in our datacenter. The datacenter firebox would often (few times a month) block the provider's IP as an IP SCAN ATTACK.

    Adding them to Blocked Site Exceptions list did NOT prevent them from getting on the blocked site list and WG support confirmed that was expected behavior. They said that sources of IP SCAN attack will always end up on blocked sites and the exceptions list will not stop this. The only option was to turn off scan protection.

    We ended up just using Graylog to filter the logs and email us when we saw the SIP trunk get blocked so we can handle it ASAP.
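
The log-alerting workaround described in the last comment, as an added Python example that is not part of the original thread and is not a Graylog configuration: it flags scan-protection events that hit a watched provider address and suppresses repeat notifications inside a cooldown window. The watched address, the matched phrases and the log lines are all constructed assumptions; they do not reproduce real Fireware log output.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Assumption: provider address(es) that must never stay blocked (RFC 5737 range).
WATCHED = [ipaddress.ip_network("203.0.113.10/32")]
# Assumption: phrases marking a scan detection or block; adjust to your firewall's wording.
BLOCK_PAT = re.compile(r"scan attack|blocked site", re.IGNORECASE)
IP_PAT = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
COOLDOWN = timedelta(minutes=30)  # one notification per address per window

# Constructed sample lines, not real Fireware output.
SAMPLE = [
    "2024-03-01T08:00:01 fw01 IP scan attack against 198.51.100.1 from 203.0.113.10 detected",
    "2024-03-01T08:00:02 fw01 Blocked site: 203.0.113.10 added to temporary list",
    "2024-03-01T08:05:00 fw01 IP scan attack from 192.0.2.77 detected",
    "2024-03-01T08:10:00 fw01 Allow 203.0.113.10 5060/udp",
    "2024-03-01T09:00:00 fw01 IP scan attack from 203.0.113.10 detected",
]

def find_alerts(lines):
    """Return [(iso_timestamp, ip)] for block events that hit a watched address."""
    last_alert = {}
    alerts = []
    for line in lines:
        stamp, _, rest = line.partition(" ")
        try:
            ts = datetime.fromisoformat(stamp)
        except ValueError:
            continue  # skip lines without a parseable timestamp
        if not BLOCK_PAT.search(rest):
            continue  # ordinary traffic line, not a scan/block event
        for text in IP_PAT.findall(rest):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # loose regex matched something like 999.1.1.1
            if not any(ip in net for net in WATCHED):
                continue
            prev = last_alert.get(ip)
            if prev is None or ts - prev >= COOLDOWN:
                last_alert[ip] = ts
                alerts.append((ts.isoformat(), str(ip)))
    return alerts

if __name__ == "__main__":
    for when, ip in find_alerts(SAMPLE):
        print(f"ALERT {when}: watched address {ip} hit scan protection")
```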
