Traffic between 172.16.0.10 and 224.0.0.1

I'm getting a lot of traffic from source IP 172.16.0.10 to destination 224.0.0.1 in my logs.
All traffic is denied (Unhandled-External-Packet). I'm not using the 172.16 subnet on my internal network. I can't figure out why this traffic is being generated or where it is coming from. I get thousands of these entries every day.
Can anyone shed some light on this?
Thanks

Best Answer

  • edited July 2023 Answer ✓

    The deny log message shows you the source and destination interfaces involved.

    "Unhandled-External-Packet" suggests that this is coming in from your external interface.
    224.0.0.1 is a multicast IP addr.

    If these deny log messages are sufficiently annoying, you can add an appropriate policy, set to denied, and set to not log.
    If you would like to do this, please post a sample deny log message for help in setting up the policy.

Answers

  • Do you have another piece of hardware between the external interface of your firebox and either the Internet or a WAN provided by an ISP?
    Sometimes these devices will send multicast traffic for monitoring purposes to see if you are still up and if anything has changed.

    It's usually something simple.

  • Thanks guys. I will go ahead and set up a deny policy.
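
Added example, not part of the thread and not WatchGuard code: a way to triage such deny entries before suppressing them, by tallying them per source, destination and inbound interface and flagging destinations in 224.0.0.0/24, the link-local multicast block that routers do not forward, which means the sender sits on the same layer-2 segment as that interface. The log lines and their `src=`/`dst=`/`in_if=` layout are constructed for illustration and are an assumption, not the Firebox's actual log syntax.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a simplified, hypothetical format
# (assumption: not the Firebox's real log syntax).
SAMPLE_LOG = """\
2023-07-10 09:00:01 Deny src=172.16.0.10 dst=224.0.0.1 in_if=External reason=Unhandled-External-Packet
2023-07-10 09:00:31 Deny src=172.16.0.10 dst=224.0.0.1 in_if=External reason=Unhandled-External-Packet
2023-07-10 09:01:12 Deny src=203.0.113.7 dst=198.51.100.20 in_if=External reason=Unhandled-External-Packet
2023-07-10 09:01:31 Deny src=172.16.0.10 dst=224.0.0.1 in_if=External reason=Unhandled-External-Packet
"""

LINE_RE = re.compile(r"Deny src=(\S+) dst=(\S+) in_if=(\S+)")

# 224.0.0.0/24 is link-local multicast: it never crosses a router.
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(src, dst):
    """Describe one flow: private source, multicast and on-link destination."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return {
        "src_rfc1918": any(s in net for net in RFC1918),
        "dst_multicast": d.is_multicast,
        "on_link_only": d in LINK_LOCAL_MCAST,
    }


def summarize(log_text):
    """Count deny entries per (src, dst, interface), busiest first."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[m.groups()] += 1
    return [
        {"src": src, "dst": dst, "in_if": iface, "count": n,
         **classify(src, dst)}
        for (src, dst, iface), n in counts.most_common()
    ]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

A row with `on_link_only` set and an external inbound interface points at a device directly attached on that side, such as the ISP equipment mentioned in the answers above.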
