Traffic from Any-From-Firebox to MSSQL

Hello.
In the Dimension logs I found a large number of these entries:

FWAllowEnd pri=6 disp=Allow policy=Any-From-Firebox-00 protocol=ms-sql-s/udp src_ip=192.168.x.254 src_port=48067 dst_ip=192.168.x.xxx dst_port=1433 src_intf=Firebox dst_intf=VLAN-server rc=106 duration=30; sent_bytes=28; rcvd_bytes=0 3000-0151

The dst_ip changes to many servers in this VLAN. Do I have a security problem here?
The src_ip is the gateway address of the VLAN.
On a DB-server I found entries for unauthorized connections over night.

Thanks in advance for your answers.

Stay healthy!

Dirk Emmermacher
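As an added example (not part of the post and not WatchGuard code), the script below parses log lines in the key=value layout quoted above and reports any single source that reached many destinations on one port while receiving nothing back, which is the pattern in the question. The sample lines are constructed for the example: the field names, the policy name and the 3000-0151 message id come from the post, while the 192.168.10.x addresses, the threshold and the function names are assumptions.

```python
"""Spot one-source-to-many-destinations patterns in Firebox traffic logs."""
from collections import defaultdict

# Constructed sample lines (addresses and ports are made up for this example).
# Four unanswered UDP/1433 flows from the VLAN gateway to four servers, two
# answered TCP/1433 flows from a normal client, and one answered DNS lookup.
SAMPLE_LOGS = [
    "FWAllowEnd pri=6 disp=Allow policy=Any-From-Firebox-00 protocol=ms-sql-s/udp src_ip=192.168.10.254 src_port=48067 dst_ip=192.168.10.11 dst_port=1433 src_intf=Firebox dst_intf=VLAN-server rc=106 duration=30; sent_bytes=28; rcvd_bytes=0 3000-0151",
    "FWAllowEnd pri=6 disp=Allow policy=Any-From-Firebox-00 protocol=ms-sql-s/udp src_ip=192.168.10.254 src_port=48068 dst_ip=192.168.10.12 dst_port=1433 src_intf=Firebox dst_intf=VLAN-server rc=106 duration=30; sent_bytes=28; rcvd_bytes=0 3000-0151",
    "FWAllowEnd pri=6 disp=Allow policy=Any-From-Firebox-00 protocol=ms-sql-s/udp src_ip=192.168.10.254 src_port=48069 dst_ip=192.168.10.13 dst_port=1433 src_intf=Firebox dst_intf=VLAN-server rc=106 duration=30; sent_bytes=28; rcvd_bytes=0 3000-0151",
    "FWAllowEnd pri=6 disp=Allow policy=Any-From-Firebox-00 protocol=ms-sql-s/udp src_ip=192.168.10.254 src_port=48070 dst_ip=192.168.10.14 dst_port=1433 src_intf=Firebox dst_intf=VLAN-server rc=106 duration=30; sent_bytes=28; rcvd_bytes=0 3000-0151",
    "FWAllowEnd pri=6 disp=Allow policy=Clients-to-DB-00 protocol=ms-sql-s/tcp src_ip=192.168.10.50 src_port=51000 dst_ip=192.168.10.11 dst_port=1433 src_intf=VLAN-clients dst_intf=VLAN-server rc=100 duration=120; sent_bytes=4096; rcvd_bytes=65536 3000-0151",
    "FWAllowEnd pri=6 disp=Allow policy=Clients-to-DB-00 protocol=ms-sql-s/tcp src_ip=192.168.10.50 src_port=51001 dst_ip=192.168.10.11 dst_port=1433 src_intf=VLAN-clients dst_intf=VLAN-server rc=100 duration=90; sent_bytes=2048; rcvd_bytes=8192 3000-0151",
    "FWAllowEnd pri=6 disp=Allow policy=Any-From-Firebox-00 protocol=dns/udp src_ip=192.168.10.254 src_port=40000 dst_ip=192.168.10.2 dst_port=53 src_intf=Firebox dst_intf=VLAN-server rc=106 duration=1; sent_bytes=60; rcvd_bytes=120 3000-0151",
]


def parse_line(line: str) -> dict:
    """Turn one 'key=value key=value; key=value' line into a dict.

    The leading token (e.g. FWAllowEnd) is stored under 'event'; tokens
    without '=' (such as the trailing message id) are ignored.
    """
    tokens = line.replace(";", " ").split()
    record = {"event": tokens[0]}
    for tok in tokens[1:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            record[key] = value
    return record


def find_fanout(lines, min_targets: int = 3) -> list:
    """Group allowed flows by (src_ip, protocol, dst_port) and report every
    source that reached at least `min_targets` distinct destinations.

    Flows with rcvd_bytes=0 are counted as 'unanswered'. Many unanswered
    flows from one source to many hosts on the same port is what a sweep
    looks like; normal client traffic gets replies from a few servers.
    """
    groups = defaultdict(lambda: {"targets": set(), "flows": 0, "unanswered": 0})
    for line in lines:
        rec = parse_line(line)
        if rec.get("disp") != "Allow" or "dst_ip" not in rec:
            continue
        key = (rec["src_ip"], rec.get("protocol", "?"), rec.get("dst_port", "?"))
        group = groups[key]
        group["targets"].add(rec["dst_ip"])
        group["flows"] += 1
        if rec.get("rcvd_bytes") == "0":
            group["unanswered"] += 1

    findings = []
    for (src_ip, proto, dport), group in sorted(groups.items()):
        if len(group["targets"]) >= min_targets:
            findings.append({
                "src_ip": src_ip,
                "protocol": proto,
                "dst_port": dport,
                "targets": len(group["targets"]),
                "flows": group["flows"],
                "unanswered": group["unanswered"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_fanout(SAMPLE_LOGS):
        print("{src_ip} -> {targets} hosts on {protocol}:{dst_port}, "
              "{unanswered}/{flows} flows unanswered".format(**finding))
```

Only the gateway's UDP/1433 flows are reported; the client's TCP sessions and the single DNS lookup fall under the threshold. A result like this says where to point the tcpdump, not what is sending the packets, so the capture the moderator suggests below is still the next step.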

Comments

  • james.carson, Moderator, WatchGuard Representative

    Hi @Catweazle30169

    Without seeing the actual traffic, it's hard to tell what we're looking at. It could be the firewall sending data to that server, or it could be a response to something that was sent. We'd really need a tcpdump (wireshark capture) of that data to begin determining what it is.

    If you open a support case, one of our technicians can help do that with the firewall, and provide analysis of what they're seeing.

    Otherwise, go to Firebox System Manager, then to tools -> diagnostic tasks.
    -Choose TCPDUMP from the drop down menu, and check advanced options.
    -Use the argument "-i vlanXX src host 192.168.X.254 and dst host 192.168.x.xxx"
    (replace the Xs with the correct vlan and IP info.)

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • Hello James.
    I suppose that's a portscan by the firebox.

    Stay healthy

    Dirk
