Are default packet handling rules enforced between VLANs?

I've been running some IP and port scans between VLANs as a test and noticed the firebox hasn't tried to step in and block these scans. Is that to be expected? Is the firebox only blocking these attempts at traffic coming from the external interface? The default packet handling rules are still at their default values.

Sometimes I do see a few of these messages in Traffic Monitor but it only appears to stop a few connections from happening.
2020-11-15 21:01:30 ddos_attack_src_dos email DDOS from client 10.51.20.140 detected. proc_id="firewall" time="Sun Nov 15 21:01:30 2020 (PST)" msg_id="3000-0161" Alarm
2020-11-15 21:01:30 ddos_attack_src_dos email DDOS from client 10.51.20.140 detected. proc_id="firewall" time="Sun Nov 15 21:01:30 2020 (PST)" msg_id="3000-0161" Alarm
2020-11-15 21:01:30 ddos_attack_src_dos email DDOS from client 10.51.20.140 detected. proc_id="firewall" time="Sun Nov 15 21:01:30 2020 (PST)" msg_id="3000-0161" Alarm
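An added example (my code, not from the post or from WatchGuard) that parses Traffic Monitor alarm lines like the ones above, counts them per msg_id and client, and tags whether the client sits in an internal range, which is the quick way to confirm that the only inter-VLAN hits are per-client DDoS alarms rather than scan blocks. The RFC 1918 ranges, the fourth log line with a second client, and the non-matching line are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Sample input: the three alarm lines quoted in the post, one constructed alarm
# from a non-RFC1918 client, and one constructed line that is not an alarm.
SAMPLE_LOG = """\
2020-11-15 21:01:30 ddos_attack_src_dos email DDOS from client 10.51.20.140 detected. proc_id="firewall" time="Sun Nov 15 21:01:30 2020 (PST)" msg_id="3000-0161" Alarm
2020-11-15 21:01:30 ddos_attack_src_dos email DDOS from client 10.51.20.140 detected. proc_id="firewall" time="Sun Nov 15 21:01:30 2020 (PST)" msg_id="3000-0161" Alarm
2020-11-15 21:01:30 ddos_attack_src_dos email DDOS from client 10.51.20.140 detected. proc_id="firewall" time="Sun Nov 15 21:01:30 2020 (PST)" msg_id="3000-0161" Alarm
2020-11-15 21:02:07 ddos_attack_src_dos email DDOS from client 198.51.100.23 detected. proc_id="firewall" time="Sun Nov 15 21:02:07 2020 (PST)" msg_id="3000-0161" Alarm
2020-11-15 21:02:09 some other traffic monitor text without the key=value tail
"""

# Assumed internal (RFC 1918) address space; adjust to the VLANs in use.
INTERNAL_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Timestamp, event name, free text, then the key="value" tail and the level word.
ALARM_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>\S+) (?P<text>.*?) '
    r'proc_id="(?P<proc>[^"]*)" time="[^"]*" msg_id="(?P<msg_id>[^"]*)" (?P<level>\S+)$'
)
CLIENT_RE = re.compile(r"\bclient (\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_alarm(line):
    """Return a dict for one Alarm line, or None for anything else."""
    m = ALARM_RE.match(line.strip())
    if not m or m.group("level") != "Alarm":
        return None
    rec = m.groupdict()
    c = CLIENT_RE.search(rec["text"])
    rec["client"] = c.group(1) if c else None
    return rec


def alarms_per_client(log_text, internal_nets=INTERNAL_NETS):
    """Count Alarm lines per (msg_id, client, scope), scope being internal/external."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_alarm(line)
        if rec is None or rec["client"] is None:
            continue
        ip = ipaddress.ip_address(rec["client"])
        scope = "internal" if any(ip in n for n in nets) else "external"
        counts[(rec["msg_id"], rec["client"], scope)] += 1
    return counts


if __name__ == "__main__":
    for (msg_id, client, scope), n in alarms_per_client(SAMPLE_LOG).most_common():
        print(f"{msg_id} {client:15} {scope:8} x{n}")
```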

Comments

  • From the docs:
    "When the Block Port Scan, Block IP Scan or Auto-block source IP of unhandled external packets check boxes are selected, all inbound traffic is examined by the Firebox."
    This implies that internal traffic is not checked for these. I'm not sure if this is really true or not.

    Note that there are 2 DDOS settings. The Per Client Quota is applied to internal IP addresses.

  • I did see that in the manual as well, but wasn't sure what their definition of inbound traffic is. Also, the second part of that paragraph says:

    "You cannot disable these features for specified IP addresses, specified Firebox interfaces, or different time periods." That made me think trusted and optional interfaces should be examined as well.

    It seems like it would be a good idea to check for IP and port scanning on any interface. I'd certainly want to know if scans were being performed inside my network.

    My testing does make me believe that IP and Port scans are only detected coming from the External interface. I'll be performing some other tests and post my results if I discover anything interesting.