suspicious logs
Hi,
can someone explain this log?
2022-08-24 14:32:53 Member1 Allow 192.168.1.102 172.16.105.11 microsoft-ds/tcp 57231 445 LAN Backup VM 105 Allowed 52 127 (Allow SSLVPN-Users-00) proc_id="firewall" rc="100" msg_id="3000-0148" tcp_info="offset 8 S 4060084264 win 32" src_user="land_b@***" Traffic
The netstat on the host did not show any connection like this... how does the WatchGuard get the user? Where does this information come from?
Regards
Burkhard
Comments
Hi @Burkhardnuboot
445/TCP traffic is Windows file/print sharing, and workgroup advertisement. It's very likely the connection had already closed when you ran your netstat.
The firewall will show a log for any complete TCP connection that occurs for a policy where logging is enabled.
If you'd like to verify the connection, you can use TCPDump in the firewall's diagnostic tasks to do so:
(Run Diagnostic Tasks to Learn More About Log Messages)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/log_message_learn_more_wsm.html
Windows is generally pretty chatty over port 445, so I'd suggest that this connection was likely a legitimate connection that simply closed when it was finished.
-James Carson
WatchGuard Customer Support
My guess is that a SSLVPN session was initiated from 192.168.1.102 at some point in time.
You can look at the Authentication List on your firewall in the Web UI or in WSM Firebox System Manager to see active user sessions.
On the client PC, there should be an icon showing an active SSLVPN session someplace. For Windows, perhaps the icon is not showing in the System Tray and is on the hidden icons list.
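Both replies hinge on reading the traffic log line correctly: which policy allowed the connection, which user the firewall attached to it, and that it is an SMB (port 445) connection the host may no longer show in netstat. The parser below is an added example, not WatchGuard code or anything from the replies above. It splits the quoted line into its fixed leading fields (timestamp, cluster member, action, IPs, service/protocol, ports), the parenthesised policy name, and the key="value" attributes, keeping the interface/counter fields between the ports and the policy name as a raw string because their layout (interface names can contain spaces, as "Backup VM" does) is an assumption this code does not rely on. The triage check treats the src_user attribute as the user the firewall associated with the matching SSLVPN policy, which is the reading suggested in the thread, not something the log format itself guarantees.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the log line quoted in the question, masked user kept as-is.
SAMPLE_LINE = (
    '2022-08-24 14:32:53 Member1 Allow 192.168.1.102 172.16.105.11 '
    'microsoft-ds/tcp 57231 445 LAN Backup VM 105 Allowed 52 127 '
    '(Allow SSLVPN-Users-00) proc_id="firewall" rc="100" msg_id="3000-0148" '
    'tcp_info="offset 8 S 4060084264 win 32" src_user="land_b@***" Traffic'
)

# Leading positional fields are stable; everything between the destination
# port and the "(policy name)" is captured raw as `middle` (assumption: this
# holds interface names and counters whose exact layout we do not depend on).
HEAD_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<member>\S+) (?P<action>\S+) '
    r'(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}) '
    r'(?P<service>[^/\s]+)/(?P<proto>\w+) (?P<src_port>\d+) (?P<dst_port>\d+) '
    r'(?P<middle>.*?) \((?P<policy>[^)]*)\) (?P<rest>.*)$'
)
# key="value" attributes that follow the policy name.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Destination ports for Windows file/print sharing traffic.
SMB_PORTS = {445, 139}


@dataclass
class TrafficRecord:
    timestamp: str
    member: str
    action: str
    src_ip: str
    dst_ip: str
    service: str
    proto: str
    src_port: int
    dst_port: int
    policy: str
    middle: str
    attrs: dict = field(default_factory=dict)
    trailer: str = ""   # whatever is left after the attributes ("Traffic" here)


def parse_traffic_line(line: str) -> TrafficRecord:
    """Parse one WatchGuard-style traffic log line into a TrafficRecord."""
    m = HEAD_RE.match(line.strip())
    if not m:
        raise ValueError("not a recognised traffic log line")
    rest = m.group("rest")
    attrs = dict(KV_RE.findall(rest))
    trailer = KV_RE.sub("", rest).strip()
    return TrafficRecord(
        timestamp=f"{m.group('date')} {m.group('time')}",
        member=m.group("member"),
        action=m.group("action"),
        src_ip=m.group("src_ip"),
        dst_ip=m.group("dst_ip"),
        service=m.group("service"),
        proto=m.group("proto"),
        src_port=int(m.group("src_port")),
        dst_port=int(m.group("dst_port")),
        policy=m.group("policy"),
        middle=m.group("middle"),
        attrs=attrs,
        trailer=trailer,
    )


def smb_via_vpn_user(rec: TrafficRecord) -> bool:
    """True for an allowed TCP SMB connection that a VPN policy attributed to a
    named user (src_user). Assumption: the SSLVPN policy name and the src_user
    attribute together mean the session was authenticated, as the replies suggest."""
    return (
        rec.action == "Allow"
        and rec.proto == "tcp"
        and rec.dst_port in SMB_PORTS
        and "SSLVPN" in rec.policy
        and bool(rec.attrs.get("src_user"))
    )


def triage_summary(rec: TrafficRecord) -> str:
    """One-line summary an analyst can paste into a ticket."""
    user = rec.attrs.get("src_user", "<no src_user>")
    return (f"{rec.timestamp} {rec.action} {rec.src_ip}:{rec.src_port} -> "
            f"{rec.dst_ip}:{rec.dst_port} ({rec.service}) policy='{rec.policy}' "
            f"user={user} msg_id={rec.attrs.get('msg_id', '?')}")


if __name__ == "__main__":
    record = parse_traffic_line(SAMPLE_LINE)
    print(triage_summary(record))
    print("SMB attributed to a VPN user:", smb_via_vpn_user(record))
```

Because the firewall logs a completed TCP connection after the fact, a record like this will not line up with a netstat run later on the host; the policy name and src_user in the parsed record are the fields to compare against the firewall's Authentication List when checking whether the session was expected.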