Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Meanings of "Blocked" & "Intrusion" displayed in IP of AppFlow Reports under Dashboard

My SonicWall is TZ 350.

The users' email have been hacked. I try to get ideas of those PCs that may be hacked from AppFlow Reports under Dashboard. I have set up some Deny Access Rules and enabled Intrusion Prevention.

I have found figures shown in "Blocked" & "Intrusion" displayed in IP of AppFlow Reports under Dashboard.

I have the following ideas. Please tell if my understandings are correct.

1 The Blocked figure is counted due to hitting my Deny Access Rules in Firewall.

2 The Intrusion figure is counted when the hacker tries to contact his hacking tool phoning home before my SonicWall setup in the network.

3 These figures are re-set only by rebooting the SonicWall.

Thanks.

Category: Entry Level Firewalls
Reply

Best Answers

  • CORRECT ANSWER
    shiprasahu93shiprasahu93 Moderator
    Answer ✓

    @Rudolf,

    Welcome to SonicWall community.

    You are right. The Intrusions are signature driven and usually triggered when some type of intrusion action is attempted. So, all three points look right.

    Thanks1

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • CORRECT ANSWER
    shiprasahu93shiprasahu93 Moderator
    Answer ✓

    Hello @Rudolf,

    We have security services like GAV, IPS and Anti-Spyware. All 3 of them are signature driven. We need to be very specific as to what we are looking at. Usually most of the Intrusions are incoming which means they are inbound connections to the firewall. But, that is not always the case.

    But, one thing is for sure that either one of them should be able to catch all 3 listed above.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

Answers

  • RudolfRudolf Newbie ✭

    Thank you very much.

  • RudolfRudolf Newbie ✭

    I have questions.

    Can I say if the followings may also be the cause of the signature-driven intrusion? All of them create the outgoing connection.

    1. The suspect attached file in email, e.g., those execution file.
    2. The suspect web site's link, e.g., running code.
    3. The suspect file stored in file server.
Sign In or Register to comment.