Traffic from Any-From-Firebox to MSSQL
Hello.
In the Dimension logs I found a large number of these entries:
FWAllowEnd pri=6 disp=Allow policy=Any-From-Firebox-00 protocol=ms-sql-s/udp src_ip=192.168.x.254 src_port=48067 dst_ip=192.168.x.xxx dst_port=1433 src_intf=Firebox dst_intf=VLAN-server rc=106 duration=30; sent_bytes=28; rcvd_bytes=0 3000-0151
The dst_ip changes to many servers in this VLAN. Do I have a security problem here?
The src_ip is the gateway address of the VLAN.
On a DB server I found entries for unauthorized connections overnight.
Thanks in advance for your answers.
Stay healthy!
Dirk Emmermacher
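To triage entries like the ones quoted above before a packet capture is available, the script below groups Dimension FWAllowEnd records per source and reports any source that reached several distinct hosts on port 1433 with rcvd_bytes=0, the one-to-many, unanswered pattern the post describes. This is an added example, not code from the thread or from WatchGuard; the sample lines are constructed (only the field names come from the post), and the threshold of three targets is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Dimension key=value format quoted in the post.
# Field names follow the thread; addresses, ports and byte counts are made up.
SAMPLE_LOG = """\
FWAllowEnd pri=6 disp=Allow policy=Any-From-Firebox-00 protocol=ms-sql-s/udp src_ip=192.168.10.254 src_port=48067 dst_ip=192.168.10.21 dst_port=1433 src_intf=Firebox dst_intf=VLAN-server rc=106 duration=30; sent_bytes=28; rcvd_bytes=0
FWAllowEnd pri=6 disp=Allow policy=Any-From-Firebox-00 protocol=ms-sql-s/udp src_ip=192.168.10.254 src_port=48068 dst_ip=192.168.10.22 dst_port=1433 src_intf=Firebox dst_intf=VLAN-server rc=106 duration=30; sent_bytes=28; rcvd_bytes=0
FWAllowEnd pri=6 disp=Allow policy=Any-From-Firebox-00 protocol=ms-sql-s/udp src_ip=192.168.10.254 src_port=48069 dst_ip=192.168.10.23 dst_port=1433 src_intf=Firebox dst_intf=VLAN-server rc=106 duration=30; sent_bytes=28; rcvd_bytes=0
FWAllowEnd pri=6 disp=Allow policy=Any-From-Firebox-00 protocol=ms-sql-s/udp src_ip=192.168.10.254 src_port=48070 dst_ip=192.168.10.24 dst_port=1433 src_intf=Firebox dst_intf=VLAN-server rc=106 duration=30; sent_bytes=28; rcvd_bytes=0
FWAllowEnd pri=6 disp=Allow policy=Clients-To-SQL-00 protocol=tcp src_ip=192.168.20.15 src_port=51000 dst_ip=192.168.10.21 dst_port=1433 src_intf=VLAN-clients dst_intf=VLAN-server rc=100 duration=600; sent_bytes=5400; rcvd_bytes=81000
"""

KV = re.compile(r"(\w+)=([^\s;]+)")  # key=value tokens, tolerating a trailing ';'

def parse_record(line):
    """Turn one Dimension line into a dict; the leading token is the message name."""
    rec = dict(KV.findall(line))
    rec["msg"] = line.split(None, 1)[0]
    return rec

def find_sweeps(lines, dst_port="1433", min_targets=3):
    """Report sources that reached >= min_targets distinct hosts on dst_port
    with at least that many flows receiving nothing back (one-to-many, unanswered)."""
    per_src = defaultdict(lambda: {"targets": set(), "unanswered": 0, "policies": set()})
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("msg") != "FWAllowEnd" or rec.get("dst_port") != dst_port:
            continue
        s = per_src[rec["src_ip"]]
        s["targets"].add(rec["dst_ip"])
        s["policies"].add(rec.get("policy", "?"))
        if rec.get("rcvd_bytes") == "0":
            s["unanswered"] += 1
    findings = {}
    for src, s in per_src.items():
        if len(s["targets"]) >= min_targets and s["unanswered"] >= min_targets:
            findings[src] = {"targets": sorted(s["targets"]),
                             "unanswered": s["unanswered"],
                             "policies": sorted(s["policies"])}
    return findings

if __name__ == "__main__":
    for src, f in find_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> {len(f['targets'])} hosts on port 1433, "
              f"{f['unanswered']} unanswered, via {', '.join(f['policies'])}")
```

A hit whose source is the VLAN gateway and whose policy is Any-From-Firebox points at traffic the Firebox itself generated, which is what the tcpdump filter suggested in the reply below would confirm or rule out.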
Comments
Hi @Catweazle30169
Without seeing the actual traffic, it's hard to tell what we're looking at. It could be the firewall sending data to that server, or it could be a response to something that was sent. We'd really need a tcpdump (wireshark capture) of that data to begin determining what it is.
If you open a support case, one of our technicians can help do that with the firewall, and provide analysis of what they're seeing.
Otherwise, go to Firebox System Manager, then Tools -> Diagnostic Tasks.
-Choose TCPDUMP from the drop down menu, and check advanced options.
-Use the argument "-i vlanXX src host 192.168.X.254 and dst host 192.168.x.xxx"
(replace the Xs with the correct vlan and IP info.)
Thank you,
-James Carson
WatchGuard Customer Support
Hello James.
I suppose that's a port scan by the Firebox.
Stay healthy
Dirk