Blocking notifications showing phantom source IP and phantom destination IP
Getting this notification for the last 2 months
Alarm Any.Deny-Trusted-2-Optional-py generated by device T15: Policy Name: Any.Deny-Trusted-2-Optional-00 Source IP Address: 192.168.27.38 Source Port: 51687 Destination IP Address: 10.0.2.102 Destination Port: 7680
I have a LAN with 3 computers permitted access to a file server on an optional network only on 3 SMB ports and on ports 80 and 443. Ports 80 and 443 are permitted only because Microsoft systems verify the validity of mapped drives and shortcuts by attempting connections on 80 and 443, and I didn't want the workstations blocked because of this traffic.
There is no device with IP 192.167.27.38 on the LAN and there is no device with IP 10.0.2.102 on the optional network. Port 7680 is the Windows Update Delivery Optimization port.
These alerts come every few days, but today there were about 10 alerts in a 30-minute period.
Comments
Hi @swbca
If an alarm log is being generated, it'll be based on a log that was displayed by the firewall. The notification would have been generated by the notification/alarm options on the "Any.Deny-Trusted-2-Optional" policy.
A support file should show alarm logs in the alarm log file (in current_log.) If you're unable to find this traffic, I'd suggest opening a support case and one of our techs can assist.
-James Carson
WatchGuard Customer Support