Meanings of "Blocked" & "Intrusion" displayed in IP of AppFlow Reports under Dashboard
My SonicWall is TZ 350.
The users' emails have been hacked. I try to get ideas of those PCs that may be hacked from AppFlow Reports under Dashboard. I have set up some Deny Access Rules and enabled Intrusion Prevention.
I have found figures shown in "Blocked" & "Intrusion" displayed in IP of AppFlow Reports under Dashboard.
I have the following ideas. Please tell me if my understanding is correct.
1. The Blocked figure is counted due to hitting my Deny Access Rules in Firewall.
2. The Intrusion figure is counted when the hacker tries to contact his hacking tool phoning home before my SonicWall setup in the network.
3. These figures are reset only by rebooting the SonicWall.
Welcome to SonicWall community.
You are right. The Intrusions are signature driven and usually triggered when some type of intrusion action is attempted. So, all three points look right.
We have security services like GAV, IPS and Anti-Spyware. All 3 of them are signature driven. We need to be very specific as to what we are looking at. Usually most of the Intrusions are incoming, which means they are inbound connections to the firewall. But that is not always the case.
But, one thing is for sure that either one of them should be able to catch all 3 listed above.
Thank you very much.
I have questions.
Can I say if the following may also be the cause of the signature-driven intrusion? All of them create the outgoing connection.