Alarm Block-Site-Notif generated by device T35-W

Hi all

Since January this year I am receiving multiple alerts about blocked sites from all my PCs on my network:

Alarm Block-Site-Notif generated by device T35-W: Blocked site: Traffic detected from 172.18.10.15 to 203.220.74.183.

and

Alarm Block-Site-Notif generated by device T35-W: Blocked site: Traffic detected from 203.220.74.183 to 192.168.15.3.

The 172.18.10.x is my network and the 192.168.15.3 is my modem.

I have no idea what is being blocked and why all of a sudden I am getting these errors. Could someone enlighten me on how I can troubleshoot this?

Thanks

Answers

  • james.carson Moderator, WatchGuard Representative

    Hi @Spiro

    You should look at the blocked sites list on your firewall.

    (Firebox System Manager)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/blocked_sites_wsm.html

    (WebUI)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/system_status/stats_blocked_sites_web.html

    The log here should have a reason why that IP or IPs have ended up on the list. If it is because of a policy, one of your policies is adding items to the blocked sites list.

    -James Carson
    WatchGuard Customer Support

  • edited February 2023

    When I check this the report is:

    203.220.74.183 device Port scan attack 0 days 00:17:15

    What I don't understand is this is coming from inside my network to 203.220.74.183 and being blocked and it seems strange that it is occurring with every PC on my network to that external IP.

    I have installed remote management software (anydesk) last month. Could it be this and if so how can I verify this before adding an exception.

  • james.carson Moderator, WatchGuard Representative

    Hi @Spiro

    I can't tell you specifically what it is based on just that log. If you're looking for more information, I'd suggest opening a case.

    The port scan attack means that the firewall saw 10 new connections to different ports in one second (unless this value was changed in Default Threat Protection).

    If you are logging to a Log/Report server, Dimension, or WatchGuard Cloud, I'd suggest looking for that IP -- you should be able to find the time it got added, then walk back and see the other connection attempts.

    -James Carson
    WatchGuard Customer Support
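
The threshold James describes (10 new connections to different destination ports from one source within one second) is easy to reproduce against your own connection log, which is what you would be doing when you "walk back" from the time the IP was added. The detector below is an added example, not WatchGuard code; the log lines are constructed in a simplified `timestamp src dst dst_port` layout, not the Firebox's own log format, and the threshold and window are assumptions taken from the reply above.

```python
from collections import defaultdict, deque
from datetime import datetime

# Assumed from the reply above: 10 distinct destination ports within one second.
# On a real Firebox this is the Default Threat Protection port scan setting.
PORT_SCAN_THRESHOLD = 10
WINDOW_SECONDS = 1.0

# Constructed, simplified connection records (NOT the Firebox log format):
# "<date> <time> <src_ip> <dst_ip> <dst_port>", one new connection per line.
SAMPLE_LOG = """\
2023-02-10 09:15:01.000 172.18.10.15 203.220.74.183 7070
2023-02-10 09:15:01.100 172.18.10.15 203.220.74.183 7071
2023-02-10 09:15:01.200 172.18.10.15 203.220.74.183 7072
2023-02-10 09:15:01.300 172.18.10.15 203.220.74.183 7073
2023-02-10 09:15:01.400 172.18.10.15 203.220.74.183 7074
2023-02-10 09:15:01.500 172.18.10.15 203.220.74.183 7075
2023-02-10 09:15:01.600 172.18.10.15 203.220.74.183 7076
2023-02-10 09:15:01.700 172.18.10.15 203.220.74.183 7077
2023-02-10 09:15:01.800 172.18.10.15 203.220.74.183 7078
2023-02-10 09:15:01.900 172.18.10.15 203.220.74.183 7079
2023-02-10 09:15:05.000 172.18.10.20 203.220.74.183 443
2023-02-10 09:15:05.500 172.18.10.20 203.220.74.183 443
2023-02-10 09:15:06.000 172.18.10.20 203.220.74.183 80
"""

def parse_line(line):
    """Split one constructed record into (epoch_seconds, src, dst, dst_port)."""
    date, clock, src, dst, port = line.split()
    ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S.%f").timestamp()
    return ts, src, dst, int(port)

def find_port_scans(log_text, threshold=PORT_SCAN_THRESHOLD, window=WINDOW_SECONDS):
    """Return one (src, dst, first_ts, sorted_ports) tuple per src->dst pair that
    touched `threshold` distinct destination ports inside a `window`-second span."""
    recent = defaultdict(deque)   # (src, dst) -> (ts, port) events, newest last
    flagged, alerts = set(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        events = recent[(src, dst)]
        events.append((ts, port))
        while events and ts - events[0][0] > window:   # expire old events
            events.popleft()
        ports = {p for _, p in events}
        if len(ports) >= threshold and (src, dst) not in flagged:
            flagged.add((src, dst))
            alerts.append((src, dst, events[0][0], sorted(ports)))
    return alerts
```

With the sample above only 172.18.10.15 trips the default threshold; the host that reuses 443 and 80 does not, because repeated ports do not count as new ones.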

  • Thanks. Could I ask a stupid question? Where can I see if logging is enabled and how do I access that log? If it is not active I will activate as the error is occurring constantly.

  • james.carson Moderator, WatchGuard Representative

    If you're using Policy Manager, it'll be under Setup -> Logging.
    If you're using the Web UI, it'll be under System -> Logging.

    You'll see the IP address of a log server populated if it has been set up.

    -James Carson
    WatchGuard Customer Support

  • Thanks - not set up. Could you point me to a resource on how to set up a log server so that I can get more information to troubleshoot this problem?

  • There are 3 log server options:
    . WSM Log & Report servers, which are essentially at end of life as of V12.9
    . Dimension, a VM log & reporting solution
    . a syslog server

    For recent logs - look at Traffic Monitor
    . WSM -> Firebox System Manager
    . Web UI -> Dashboard -> Traffic Monitor

    Define Where the Firebox Sends Log Messages
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/logging/set_up_logging_on_device_wsm.html

    The online Help is here:
    https://www.watchguard.com/wgrd-help/documentation/xtm

    Select the Fireware Help. There are selections for some of the earlier Fireware versions lower down in the list.

  • Do you know if there is a way to allow all traffic from a trusted device by supplying their MAC address? I have numerous connections being blocked from my system and have no idea why. I wish I had a better understanding of all this. It is driving me crazy.

  • edited February 2023

    The main thing I connect to on my server is a Synology NAS via Synology Drive, and this intermittently stops working with a failed connection, which I can only imagine is a firewall problem. I would like to allow connections to this device from my trusted devices under any circumstances.

  • No, not by MAC address - by IP address.
    You can make a DHCP reservation in your DHCP server for the MAC addr, and then use the IP addr from the DHCP reservation in your policy.

    For connection to the NAS, you can use the alias name of your trusted firewall interface or the subnet of trusted devices in the From: field of a policy, such as an Any or a TCP-UDP Packet Filter.
