SonicWall consuming and generating packets from WAN instead of forwarding

We have a client that has an on-prem Exchange server. One of their users kept getting their account locked due to incorrect credentials being entered into OWA. Usually, I would check the IIS logs, find the IP address the request is coming from, and block it. In this instance, the source IP address in the IIS logs is being reported as the LAN IP address of the SonicWall. Packet capture on the SonicWall shows the same: the source IP address is the LAN IP of the SonicWall. Is this a configuration error in the fw? How do I find the actual source IP address the traffic is being generated from?

Category: Entry Level Firewalls

Answers

  • MustafaA SonicWall Employee

    @KyleL , are you using Log Automation on the firewall to receive Alerts, Logs or Health Check e-mails? Check the mail server settings on the firewall.


  • KyleL Newbie ✭

    Log automation is not configured, Mail Server field is $null

  • BWC Cybersecurity Overlord ✭✭✭

    @KyleL to establish a baseline here, the traffic seen by your EXS originated from the Firewall is HTTPS (tcp/443) traffic, because it's OWA related, right?

    The only two reasons which come to my mind possibly causing this are:

    • NAT Rule which hides Source Address (Translated) behind X0 IP
    • Using Server DPI-SSL offloading the HTTPS connection, not sure about this because I don't use it

    --Michael@BWC
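
An added example, not part of any post in this thread: a Python sketch that measures how many OWA logon submissions in an IIS W3C log arrive with the firewall's own address as `c-ip`, and returns their timestamps so they can be matched against a WAN-side capture or the firewall's connection log. The log lines are constructed, `192.168.1.1` is a placeholder for the SonicWall LAN (X0) address, and treating `POST /owa/auth.owa` as the logon submission is an assumption about a default OWA forms-based setup.

```python
from collections import defaultdict

FIREWALL_LAN_IP = "192.168.1.1"  # assumption: placeholder for the SonicWall X0 address

# Constructed IIS W3C log sample (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-10 08:00:01 192.168.1.10 POST /owa/auth.owa - 443 - 192.168.1.1 Mozilla/5.0 302
2024-01-10 08:00:03 192.168.1.10 POST /owa/auth.owa - 443 - 192.168.1.1 Mozilla/5.0 302
2024-01-10 08:00:05 192.168.1.10 GET /owa/ - 443 - 192.168.1.55 Mozilla/5.0 200
2024-01-10 08:00:07 192.168.1.10 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0 302
"""

def owa_logons_by_source(log_text, stem="/owa/auth.owa"):
    """Map each c-ip to the timestamps of its POSTs to the OWA logon endpoint."""
    fields, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change within a file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method") == "POST" and row.get("cs-uri-stem", "").lower() == stem:
            hits[row.get("c-ip", "?")].append(f'{row.get("date")} {row.get("time")}')
    return dict(hits)

def split_translated(hits, firewall_ip=FIREWALL_LAN_IP):
    """Separate logons whose source was rewritten to the firewall's own address."""
    translated = hits.get(firewall_ip, [])
    direct = {ip: ts for ip, ts in hits.items() if ip != firewall_ip}
    return translated, direct

if __name__ == "__main__":
    translated, direct = split_translated(owa_logons_by_source(SAMPLE_LOG))
    print(f"{len(translated)} logon POSTs arrived with the firewall as source; "
          "match these timestamps against the WAN-side capture:")
    for ts in translated:
        print("  ", ts)
    for ip, ts in direct.items():
        print(f"{ip}: {len(ts)} logon POSTs with an untranslated source")
```

If every logon submission falls in the translated group, the IIS log cannot identify the client, and the original address has to be recovered on the firewall side for the same timestamps.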
