critical alert in SIEM
hello. i have a SIEM software that gets syslog data from a sonicwall 5650. i have GEOIP enabled. i see "attacks" registered from Brazil. if Brazil is blocked, shouldn't these events not even show up and just get dropped? or is this logging showing the drop? thanks.
Best Answers
jgrimes SonicWall Employee
Hi,
Think of it this way. The firewall can't drop it until it arrives at the firewall. If you have logging enabled on Geo-IP, you would see an entry stating that it dropped an IP from a blocked country. Same goes for your SIEM, I would expect.
Jim
TKWITS Community Legend ✭✭✭✭✭
To expand on what JGRIMES said:
What you are seeing is what the IPS engine is reporting, as evidenced by the 'description'. Technically, an echo-reply is not an 'attack'; the IPS engine is just identifying it as such. You can either configure the SonicWall IPS feature to not log echo-replies as attacks, or tell the SIEM to ignore similar reports.
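The two answers above amount to a SIEM triage rule: keep the Geo-IP drop logs (they prove the block worked) and suppress IPS alerts that are only flagging ICMP echo replies. The script below is an added example, not code from this thread or from SonicWall; the syslog lines are constructed in SonicWall's key=value style, and the serial, message ids, addresses and message wording are placeholders.

```python
import re
from collections import Counter

# Constructed sample syslog lines in SonicWall's key=value style. The serial,
# message ids (m=), addresses and msg wording are illustrative placeholders,
# not values captured from a real appliance.
SAMPLE_LOGS = [
    'id=firewall sn=PLACEHOLDER time="2024-03-01 10:00:01" fw=203.0.113.10 pri=1 '
    'c=32 m=1000 msg="IPS Detection Alert: ICMP Echo Reply" proto=icmp '
    'src=198.51.100.7 dst=203.0.113.10 srcCountry=Brazil',
    'id=firewall sn=PLACEHOLDER time="2024-03-01 10:00:02" fw=203.0.113.10 pri=5 '
    'c=262144 m=1001 msg="Geo-IP Filter: Blocked connection from Brazil" '
    'proto=tcp src=198.51.100.8 dst=203.0.113.10 srcCountry=Brazil',
    'id=firewall sn=PLACEHOLDER time="2024-03-01 10:00:03" fw=203.0.113.10 pri=1 '
    'c=32 m=1000 msg="IPS Detection Alert: Malformed HTTP Request" proto=tcp '
    'src=192.0.2.5 dst=203.0.113.10 srcCountry=Germany',
]

# key=value pairs; values may be double-quoted and contain spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_kv(line: str) -> dict:
    """Split a key=value syslog line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def classify(event: dict) -> str:
    """Label one parsed event for SIEM handling.

    geoip_drop      firewall already dropped it (blocked country); keep for audit
    ips_echo_reply  IPS flagging an ICMP echo reply; benign, candidate to suppress
    ips_alert       any other IPS detection; keep and review
    other           everything else
    """
    msg = event.get("msg", "").lower()
    if msg.startswith("geo-ip"):
        return "geoip_drop"
    if msg.startswith("ips detection alert"):
        if event.get("proto") == "icmp" and "echo reply" in msg:
            return "ips_echo_reply"
        return "ips_alert"
    return "other"

def triage(lines: list) -> Counter:
    """Count events per label: the volume a suppression rule would affect."""
    return Counter(classify(parse_kv(line)) for line in lines)

if __name__ == "__main__":
    for label, n in sorted(triage(SAMPLE_LOGS).items()):
        print(f"{label:15} {n}")
```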