Event ID 4000; FW Port Scan Detected



#1 pronto007

pronto007
  • Members
  • 5 posts

Posted 14 March 2019 - 09:44 AM

Hi Community,

I'm trying to understand how there come to be so many events with ID 4000 that claim to have detected a port scan and log it as a notice. All machines that trigger this event are internal Windows and Apple Macintosh workstations. Is there a description of exactly what the firewall understands by a port scan? I know what a port scan is, but I don't know what kind of behavior from a workstation might be mistaken for one. On the other hand, only 10 to 30 incidents per minute were registered (per client), which is not very much and in my opinion far too little for an attack. I think the limit could at least be set to 100 or more per minute for the internal workstations.

Now I would like to understand what kind of normal behavior could cause the firewall to identify a port scan, and where the limit value can be set.

I found a description of how to set the limit in another posting, but it doesn't fit my Firewall Admin 8.0 anymore. I also found a description for version 8.0 on the Barracuda Campus page, but there you can only enable or disable port scan detection:

---snip---

How to Configure Audit and Reporting
  1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > General Firewall Configuration
  2. In the left menu, select Audit and Reporting.
  3. Expand the Configuration Mode menu and select Switch to Advanced View.
  4. Click Lock.

---snap---

Thank you for your support in advance & Bye Tom

 


 



#2 Alexander Heiss

Alexander Heiss
  • Members
  • 55 posts
  • LocationInnsbruck - Austria

Posted 14 March 2019 - 10:05 AM   Best Answer

The config you are searching for is under General Firewall Configuration -> Operational -> Port Scan Policy (in that case the Advanced View is not necessary).

Default is threshold 10 - Interval 60s = 10 blocked sessions within 60 secs will trigger an event.

In the real world/internet, a port scan is quite normal. So I configure 200 within 60 secs, because you cannot do much against these scans, but this way you only get an event for a "big" scan.



#3 pronto007

pronto007
  • Members
  • 5 posts

Posted 14 March 2019 - 10:29 AM

Servus Alexander,

 

I found the setting, thank you very much. I've now set it to 200 incidents per minute and I'm assuming it now doesn't add anything more to the background noise.
The Barracuda firewall should not get much unknown traffic from the internet side, because it is the inner of two firewalls and separates three internal networks from the DMZ. Towards the Internet there is another firewall as a NAT device. If a port scan from a public IP is logged on the Barracuda, we should have completely different concerns. On the other hand, we should also take an internal threat seriously, but in this specific issue I actually believe this is a false positive detection. ;-)

Thx & Bye Tom



#4 Stefan Hora

Stefan Hora
  • Barracuda Guru
  • 141 posts

Posted 15 March 2019 - 01:12 PM

Hi,

A way to find the cause for the entry is to select a recent port-scan event and then filter the FW History for the source IP of the port scan to see what that IP has done.

If it is from internal IPs, then mostly there are still old client apps/configs which try to connect to services/ports on the FW which don't exist anymore.

If it is from public IPs, then it could be a response to a DNS request to the internet which arrives after the UDP session timeout (default 60s).

Stefan
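As an added illustration (not part of this thread and not Barracuda's own code) of the threshold/interval semantics Alexander describes and of Stefan's "filter the FW History for the source IP" step: a small Python model run over constructed blocked-session records. The record layout, the IP addresses and ports, and the assumption that one event resets the source's counting window are all my own assumptions, not the product's documented behaviour.

```python
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# One blocked session as it might appear in the FW History (fields are assumed, not the product's schema).
Session = namedtuple("Session", "time src dst proto sport dport")

def constructed_sessions():
    """Constructed sample data, not real firewall output."""
    t0 = datetime(2019, 3, 14, 9, 30, 0)
    rows = []
    # Internal workstation with a stale client config retrying a decommissioned server every 4 s:
    # 15 blocked sessions in 56 s (the internal-source pattern described in the thread).
    for i in range(15):
        rows.append(Session(t0 + timedelta(seconds=4 * i), "10.0.1.25", "10.0.2.10",
                            "tcp", 50000 + i, 445 if i % 3 else 8080))
    # Public resolver whose answer arrives after the UDP session timeout: source port 53,
    # destination is the client's ephemeral port. Two in one minute, far below any threshold.
    for i in range(2):
        rows.append(Session(t0 + timedelta(seconds=20 + 30 * i), "198.51.100.7", "203.0.113.4",
                            "udp", 53, 40112 + i))
    return sorted(rows, key=lambda s: s.time)

def port_scan_events(sessions, threshold=10, interval_s=60):
    """Assumed model of the Port Scan Policy: 'threshold' blocked sessions from one source
    within 'interval_s' seconds raise one event. The source's window is cleared after an
    event so a burst yields one event rather than one per extra packet."""
    window = defaultdict(deque)
    events = []
    for s in sorted(sessions, key=lambda x: x.time):
        q = window[s.src]
        q.append(s.time)
        while q and (s.time - q[0]).total_seconds() > interval_s:  # expire old entries
            q.popleft()
        if len(q) >= threshold:
            events.append((s.src, s.time))
            q.clear()
    return events

def summarize_source(sessions, src):
    """The investigation step from the thread: filter the history for one source IP and
    tally which destination/protocol/port it kept hitting."""
    tally = defaultdict(int)
    for s in sessions:
        if s.src == src:
            tally[(s.dst, s.proto, s.dport)] += 1
    return dict(tally)
```

With the default 10/60 s policy, `port_scan_events(constructed_sessions())` yields one event for 10.0.1.25 and none for the resolver; with `threshold=200` it yields nothing, and `summarize_source` shows the workstation hammering tcp/445 and tcp/8080 on one dead host.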



#5 pronto007

pronto007
  • Members
  • 5 posts

Posted 18 March 2019 - 11:04 AM

Servus Stefan,

We currently have several internal networks, and in one of them internet access is very limited. An investigation with your recommended procedure has shown several blocked connections, for example to Apple servers. This behavior would be expected, but I did not find any clear indication that these are the port scans detected by the firewall.

I wouldn't understand blocked traffic on port 443, for example, as a port scan, but that could be what is meant, because the second explanation in the Message column, "High activity of unallowed access from [...]", suggests that this is indeed the case. Secondly, I don't find any other event in the history that occurs in such a high number that it could be relevant.

Is there a way to resolve the number of events that were summarized in the counter, or to compare them chronologically with the other log file of the history?

http://media.prontosystems.org/v/bk/Barracuda_01.png.html

http://media.prontosystems.org/v/bk/Barracuda_02.png.html

BTW: Did I overlook the possibility to add pictures to the posting, or is this only possible with linked content from external hosting? I also got the following message when I wanted to link the pictures: "Youe have entered a link to a website that the administrator does not allow links to"

I'm just a little surprised and apologize for the inconvenient handling of the screenshots.

Thx & Bye Tom