Comments
-
Hi TKWITS, I appreciate your responses. The focus of my question was pinned to regulatory compliance associated with NIST, so your referencing NIST was perfect. Your point on the organization's policy is certainly not lost on me (and other readers, I'm sure). I was trying to determine what alerts (if any) would require an urgent…
-
TKWITS, thanks for your reply. Re: NIST, the only area I see that would require real-time alerting is regarding login/authentication failures (ref: AU-5 (2) Response to audit processing failures). Do you see any additional requirements I'm overlooking?
-
Hi, since you're stating the failure is UDP port 500, it sounds like VPN may be enabled (though you're not using it). Check "Manage" (top of page) > "VPN" (left side header) > "VPN Global Settings" (top page header) and ensure "Enable VPN" is NOT checked.
-
Hi Saravanan, thanks for requesting clarification. I apologize that it was lacking. The issue was fixed by leaving the settings as seen above with the access rules and the NAT rules. As mentioned, in Zenmap (graphical Nmap) I saw "open|filtered" on the "Nmap Output" tab and "open" on the "Ports/Hosts" tab (both referencing ISAKMP…
-
All this said, I went ahead and ran the PCI compliance scan and they are no longer detecting UDP port 500. Thus, issue solved. Thanks.
-
Hi Saravanan, thanks for your assistance. The WAN GroupVPN was and continues to remain disabled. When I disable the VPN completely I still get "500/udp open|filtered isakmp". This open|filtered confuses me. With the VPN off, it completely removes any associated access rules or NAT policies. (Speaking of which, thanks for the…
-
Additionally, I've noted that though I've changed the access rules, the NAT policies remained the same. I don't see how I can edit the IKE NAT policies. Suggestions?
-
Thanks for the tip. The firewall was being attacked via an automated brute-force attempt on the SSL VPN portal page, with about 2000 attempts in roughly minutes.
-
Thanks I will try this tomorrow and report back.
-
More info... After restarting, the system seems to be reporting more and more frequently that the cache is full: "2317144284 open connections; some will be dropped."
-
I should have proofread better :-/ The last line should have read: I'm mentioning the IP spoofing in case that may be related to the lack of internet connectivity on the devices. (Restarting the firewall does resolve the issue for a random period of time.)
-
Thank you both for the feedback! Bummer they don't.
-
It does. Thanks again.
-
Is there a way to reduce the data being leaked on this page (exposing that it's a SonicWall firewall) to help mitigate the ease of an attacker enumerating the attack surface? I removed the "welcome" and modified it to state that it's restricted to authorized users only, etc. But I didn't see an easy way to remove all the SonicWall branding…
-
Thank you! You were correct. It was using the old cert. I set it to use the new certificate. Back on the certificates page, I've deleted the old one that was showing x days remaining. The new cert simply shows "yes" under the "validated" column vs. x days remaining. Why the difference between the two? Just a matter of time,…