
False positive or not - NSA2650 and Rapid7 SIEM


I keep getting alerts from our Rapid7 SIEM (InsightIDR) that look like the one below:

Account <user> had INBOUND firewall traffic from (tracked in BlockList.DE - (Search: to <serverIP>

3:46:31 PM

Firewall activity was detected from to <serverIP>:8086. Connection status is ACCEPT. Direction is INBOUND.

I have a firewall rule that allows a couple of IP addresses access to port 8086 on that server. If I attempt a port scan, or try to connect to that port via TELNET, from an IP outside of that list, I get a "connection refused" or "port is not open" result.

To me this suggests the rule is working as intended and the connection isn't actually accepted and passed through to the internal server. Below is the log entry Rapid7 has ingested from the SonicWall.

16 Jul 2021 15:46:32.033
{ "timestamp": "2021-07-16T15:46:31.000Z", "asset": "<servername>", "source_address": "", "source_port": "29011", "destination_address": "<serverIP>", "destination_port": "8086", "direction": "INBOUND", "geoip_city": "Coronado", "geoip_country_code": "US", "geoip_country_name": "United States", "geoip_region": "CA", "source_data": "<134> id=firewall sn=18B169967280 time=\"2021-07-16 16:46:31\" fw= pri=6 c=262144 m=98 msg=\"Connection Opened\" app=49349 appName='Service Tivo TCP Data' n=5765142 src= dst=<serverIP>:8086:X0 proto=tcp/8086 sent=46 dpi=0 fw_action=\"NA\"" }

Can anyone confirm/deny my thoughts on this?

Category: Firewall Management and Analytics

Best Answer

Cheeseman Newbie ✭
Answer ✓

Support got in touch with me and explained that this behaviour is normal. See closing comments below.

Problem Description :

query on log messages on firewall

Action/Analysis :


Impact :

no impact


Customer is noticing CONNECTION OPEN logs for rules which have a DENY action

informed the customer that for every connection made an OPEN log is generated even though traffic would be dropped

Customer acknowledged
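
As an added example (not code from the thread, from SonicWall or from Rapid7), the following Python helper parses a syslog line in the same key=value shape as the one quoted in the question and refuses to treat an m=98 "Connection Opened" event carrying fw_action="NA" as an accepted connection, which is the point support made above. The sample line, the serial number, the addresses and the allow-list for tcp/8086 are constructed placeholders.

```python
import re

# Constructed sample shaped like the "Connection Opened" line quoted in the question;
# the serial, addresses and counters are placeholders, not values from the thread.
SAMPLE = ('<134> id=firewall sn=SERIAL-PLACEHOLDER time="2021-07-16 16:46:31" fw= pri=6 '
          'c=262144 m=98 msg="Connection Opened" app=49349 appName=\'Service Tivo TCP Data\' '
          'n=5765142 src=198.51.100.7:29011:X1 dst=203.0.113.10:8086:X0 proto=tcp/8086 '
          'sent=46 dpi=0 fw_action="NA"')

# Hypothetical allow-list mirroring the rule described in the question: only a couple
# of source addresses may reach tcp/8086 on the server.
ALLOWED_SOURCES = {8086: {"192.0.2.25", "192.0.2.26"}}

# key=value tokens; a value may be bare, "double-quoted" or 'single-quoted'
_KV = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S*)')

def parse_sonicwall(line):
    """Split a key=value syslog line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in _KV.findall(line):
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
            raw = raw[1:-1]
        fields[key] = raw
    return fields

def split_endpoint(value):
    """'ip:port:iface' -> (ip, port or None, iface or None); ip is '' when redacted."""
    parts = value.split(":")
    port = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    iface = parts[2] if len(parts) > 2 else None
    return parts[0], port, iface

def triage(line):
    """Return (verdict, reason). An m=98 'Connection Opened' with fw_action="NA" is
    written for every new session before any policy verdict is recorded, so on its
    own it must not be mapped to ACCEPT by the SIEM."""
    f = parse_sonicwall(line)
    src_ip, _, _ = split_endpoint(f.get("src", ""))
    dst_ip, dst_port, _ = split_endpoint(f.get("dst", ""))
    if f.get("msg") == "Connection Opened" and f.get("fw_action", "NA") == "NA":
        allowed = ALLOWED_SOURCES.get(dst_port)
        if allowed is not None and src_ip and src_ip not in allowed:
            return ("no-verdict", f"open event only; {src_ip} is not allowed to "
                                  f"{dst_ip}:{dst_port}, so the rule should drop it")
        return ("no-verdict", "open event only; no policy action recorded")
    action = f.get("fw_action", "unknown")
    return (action, f"firewall recorded fw_action={action}")
```

In a SIEM rule this means alerting on fw_action (or a later event for the same session), not on the open event alone.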

