Options

suspicious logs

BurkhardnubootBurkhardnuboot
in Firebox - Dimension, Logging and Reporting

Hi,

can someone explain this log?

2022-08-24 14:32:53 Member1 Allow 192.168.1.102 172.16.105.11 microsoft-ds/tcp 57231 445 LAN Backup VM 105 Allowed 52 127 (Allow SSLVPN-Users-00) proc_id="firewall" rc="100" msg_id="3000-0148" tcp_info="offset 8 S 4060084264 win 32" src_user="land_b@***" Traffic

The netstat on the host did not show any connction like this... how get the watchguard the user? Where does this information come from?

Regards

Burkhard

Comments

  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Burkhardnuboot

    445/TCP traffic is windows file/print sharing, and workgroup advertisement. It's very likely the connection had already closed when you ran your netstat.

    The firewall will show a log for any complete TCP connection that occurs for a policy where logging is enabled.

    If you'd like to verify the connection, you can use TCPDump in the firewall's diagnostic tasks to do so:

    (Run Diagnostic Tasks to Learn More About Log Messages)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/log_message_learn_more_wsm.html

    Windows is generally pretty chatty over port 445, so I'd suggest that this connection was likely a legitimate connection that simply closed when it was finished.

    -James Carson
    WatchGuard Customer Support

  • Options
    Bruce_BriggsBruce_Briggs

    My guess is that a SSLVPN session was initiated from 192.168.1.102 at some point in time.
    You can look at the Authentication List on your firewall in the Web UI or in WSM Firebox System Manager to see active user sessions.
    On the client PC, there should be an icon showing an active SSLVPN session someplace. For Windows, perhaps the icon is not showing in the System Tray and is on the hidden icons list.

Sign In to comment.