
Real port scans or just responses for client initiated queries?

Hi

I am struggling with a problem on my TZ370.

We have a server on the internet (a Radicale CalDAV server which is a Python application) and all the PCs in our LAN (about 10) are querying this server about once a minute. The queries run through the FW and from there to a router and out to the internet.

Lately, the FW seems to have blocked the server connections. I inspected the log and found lots of alerts saying our server is doing port scans. Not knowing what to do I disabled IPS and restarted the FW. This seemed to have worked. But I still have these disquieting port scan alerts.

As you may suspect I am not an expert. But my impression is that the FW is misinterpreting ordinary server responses to client queries as server initiated connection attempts. This is because I also found similar port scan alerts (very few) for foreign servers coming from port 443. This looks like the response from a web server, right?

Is there anything I can do to research this problem further?
I.e.

  • where and what is SonicOS logging when it blocks a server completely?
  • how can I relax the control of my server so that the alerts stop and the server is not blocked?

Thank you for your contributions in advance!

Jo

Category: Entry Level Firewalls

Best Answer

  • CORRECT ANSWER
    Arkwright Community Legend ✭✭✭✭✭

    This is because I also found similar port scan alerts (very few) for foreign servers coming from port 443. This looks like the response from a web server, right?

    Yes, I see a lot of this - port scans appearing to originate from what is obviously a "destination" port. I don't think SonicOS actually does anything proactive with port scans though, just logs them. So they're just noise.
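To show why a stateless "many distinct destination ports from one source" heuristic flags exactly the pattern described above (replies from a server's port 443 land on a different client ephemeral port each time), here is an added toy classifier. It is not SonicOS's own logic and not code from anyone in this thread; the addresses and packets are constructed, and the whole thing runs offline:

```python
from collections import defaultdict

# Constructed sample traffic (hypothetical addresses, not from the thread).
# Tuple: (direction relative to the LAN, src_ip, src_port, dst_ip, dst_port, tcp_flags)
LAN_CLIENT, CALDAV = "10.0.0.5", "203.0.113.10"
PACKETS = []
for cport in (51001, 51002, 51003, 51004):
    PACKETS.append(("out", LAN_CLIENT, cport, CALDAV, 443, "S"))   # client opens a poll
    PACKETS.append(("in", CALDAV, 443, LAN_CLIENT, cport, "SA"))   # server replies
# Unsolicited probes from an unrelated host: no LAN-side SYN preceded them.
for dport in (22, 23, 3389):
    PACKETS.append(("in", "198.51.100.7", 40000 + dport, LAN_CLIENT, dport, "S"))


def naive_scan_sources(packets, threshold=3):
    """Stateless heuristic: flag any inbound source that hits >= threshold distinct ports.
    The CalDAV server trips this because each reply lands on a different ephemeral port."""
    hit_ports = defaultdict(set)
    for direction, src, _sport, _dst, dport, _flags in packets:
        if direction == "in":
            hit_ports[src].add(dport)
    return {src for src, ports in hit_ports.items() if len(ports) >= threshold}


def stateful_scan_sources(packets, threshold=3):
    """Same threshold, but inbound packets matching a flow the LAN opened are replies."""
    open_flows = set()
    hit_ports = defaultdict(set)
    for direction, src, sport, dst, dport, flags in packets:
        if direction == "out" and flags == "S":
            open_flows.add((src, sport, dst, dport))
        elif direction == "in":
            if (dst, dport, src, sport) in open_flows:
                continue  # solicited reply to our own SYN, not a probe
            hit_ports[src].add(dport)
    return {src for src, ports in hit_ports.items() if len(ports) >= threshold}


if __name__ == "__main__":
    print("naive   :", naive_scan_sources(PACKETS))     # flags the CalDAV server too
    print("stateful:", stateful_scan_sources(PACKETS))  # only the unsolicited prober
```

The same logic applies to the nping echo experiment later in the thread: echoes returning to many client source ports look like a scan to the stateless counter and like plain replies to the stateful one.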

Answers

  • TKWITS Community Legend ✭✭✭✭✭

    Read the discussions below:

    https://community.sonicwall.com/technology-and-support/discussion/comment/22565

    https://community.sonicwall.com/technology-and-support/discussion/5488/port-scan-detected-how-to-whitelist

    If disabling IPS fixed your problem, then IPS is the source of your issue. Add an exception to IPS for your 'trusted' server.

  • JoBreit Newbie ✭

    Thank you for your help!

    I just did an experiment with the nping utility to verify that these port scans are ordinary server responses:

    I set up an nping server in echo mode on some machine on the internet. Then I set up an nping client in my LAN and sent 500 TCP packets at a rate of 200 per second to the server. The server echoes showed up as probable/possible port scans in the SonicOS log. Only the first 300 echoes reached the client; then, probably, the firewall shut down or blocked. Unfortunately I do not know how to see this on the TZ 370.
