Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Unwanted traffic was seeing in firewall

DarshilDarshil Newbie ✭
edited September 2020 in High End Firewalls

We have not allowed internet traffic in firewall for below IP address i.e 192.168.101.51. But still in logs we are seeing traffic was allowed from below IP address to outbound over port 443 and getting application control detection alert. As per my knowledge if lan to wan traffic is deny then firewall should not scan security services. But still in logs we are getting below details.

I just wanted to know is this a normal behaviour..??


@shiprasahu93 @Poorni_5 @Nevyaditha @Saravanan @Vigneshkumar_S

Category: High End Firewalls
Reply

Answers

  • Hello @Darshil,

    This seems like a return traffic for HTTPS traffic initiated from 110.227.248.39. Do you have any port forwarding created for the internal address 192.168.101.51 on HTTPS?

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • DarshilDarshil Newbie ✭

    Yes we have a port open for 192.168.101.51 on port 443

  • shiprasahu93shiprasahu93 Moderator
    edited September 2020

    Understood. So, you can see in the source host name, it shows the source port to be 443. Hence, this is a reply packet to the inbound connection made from outside. The internal IP itself is not initiating the connection which is how the configuration is made on the firewall.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • DarshilDarshil Newbie ✭
    edited September 2020

    Hi @shiprasahu93

    We are getting below logs also in sonicwall firewall. We are only hosted netbanking websites on server 192.168.101.51 and configured inbound nat policy over 443 to access those netbanking websites from outside network.But in logs if you see application control detection error are showing for signature 'proxy access encrypted key exchange' which is generally detected for skype , ultrasurf traffic.


    I just wanted to know Why firewall is detect traffic for such signature.



  • Hello @Darshil,

    To be honest with you this signature is the most generic and I have it being triggered in other situations as well. If you have authentication on those websites, it is probably being shown up due to that.

    You can read more about it at the link below

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

Sign In or Register to comment.