Port scans on Sonicwall Firewall

Posted on 2006-03-27
Last Modified: 2013-11-16
We have several Sonicwalls and recently upgraded them to the latest firmware. Soon after, the units began receiving a flood of port scans. We discussed this with Sonicwall, thinking there was a firmware problem; however, they state there are no other customers with this problem and it may be a coincidence that the port scans occurred around the time of the upgrade.

The situation is that there are many scans on a wide range of ports. Some of the IPs are legitimate web sites, some we cannot trace. I don't know all the applications running here and cannot determine what ports need to be open. I already know about the common ports and what they are used for, and also know about the port lists available on the web.

Does anyone have any ideas on what to do about this situation? I was considering creating a rule to block port ranges and go from there.

Question by: alank2
    LVL 8

    Accepted Solution

    First of all make sure that port scans really exist by installing some free firewall
    or ZoneAlarm in a trial period or so. If that firewall also alerts you about scans,
    then you can be sure there's no doubt about port scans.

    After you are sure those scans are for real, try to create a list of IPs from which
    you are being scanned, and post them here.
    LVL 2

    Assisted Solution

    If you are using a Sonicwall firewall then it's almost certainly blocking the port scans for you.

    However, you are correct to check them out. Most firewalls get regular port scans from ranges of IP addresses; all mine get between 10 and 100 an hour.

    You do not mention the Sonicwall firmware version; however, there have been several 'issues' with misdetection on Sonicwalls in the past, including mis-alerting scans and smurf attacks. Recently, however, there have been fewer.

    You could place an 'insecure' computer on the public side of the Sonicwall and run a packet sniffer like Ethereal. This will allow you to look at the packet headers to prove the source.

    Blocking port ranges is fine, but where do you's a path I have been down and would not recommend.

    If you want to know if the scans are successful, try running Shields Up.
    LVL 2

    Assisted Solution

    I also use a Sonicwall. I noticed that most of my reported port scans were from websites that I have blocked with the content filter, and looking at the log by time, a port scan would come right after a user had that website blocked. If that is the case, these are not true port scans: the website was contacted and is trying to finish communicating with the user, but since the Sonicwall blocked the website, the Sonicwall sees the action as a port scan.
    LVL 2

    Expert Comment

    It really sounds like a fault in the firmware....

    It only happens after an update?
    It only happens on blocked sites?
    Only after a block?

    Try blocking an OK site that you know works now.  If it says it's scanning, report it to Sonicwall.

    You can unblock it as soon as it checks out.
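
The time correlation described in the answer about content-filter blocks can be checked against an exported log. The following is an added example, not part of the original thread and not SonicWall code: it marks each port-scan alert as following a block of the same remote IP or as unexplained. The log format, event names, field names and the 30-second window are assumptions made for illustration; adapt the parser to the format your firewall actually exports.

```python
from datetime import datetime, timedelta

# Constructed sample log in a simplified, made-up format (not SonicWall's own).
SAMPLE_LOG = """\
2006-03-27 10:15:02 WEBSITE_BLOCKED lan=192.168.1.20 remote=203.0.113.10
2006-03-27 10:15:04 PORT_SCAN src=203.0.113.10 dport=3412
2006-03-27 10:15:05 PORT_SCAN src=203.0.113.10 dport=3413
2006-03-27 10:20:00 PORT_SCAN src=198.51.100.7 dport=22
2006-03-27 10:40:00 PORT_SCAN src=203.0.113.10 dport=3500
this line is malformed and is skipped
"""

def parse(line):
    """Return (time, event, fields), or None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        when = datetime.strptime(" ".join(parts[:2]), "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    return when, parts[2], fields

def classify_scans(log_text, window_seconds=30):
    """Label each scan alert; assumes log lines are in chronological order."""
    window = timedelta(seconds=window_seconds)
    last_block = {}  # remote IP -> time of its most recent content-filter block
    results = []
    for when, event, f in filter(None, map(parse, log_text.splitlines())):
        if event == "WEBSITE_BLOCKED" and "remote" in f:
            last_block[f["remote"]] = when
        elif event == "PORT_SCAN" and "src" in f:
            blocked = last_block.get(f["src"])
            near = blocked is not None and timedelta(0) <= when - blocked <= window
            verdict = "follows_block" if near else "unexplained"
            results.append((f["src"], f.get("dport"), verdict))
    return results

def unexplained_sources(log_text, window_seconds=30):
    """Source IPs with at least one alert not preceded by a recent block."""
    return sorted({src for src, _, v in classify_scans(log_text, window_seconds)
                   if v == "unexplained"})

if __name__ == "__main__":
    for row in classify_scans(SAMPLE_LOG):
        print(*row)
```

Alerts labelled `unexplained` are the ones worth capturing with a packet sniffer; a source that only ever appears as `follows_block` fits the return-traffic explanation given above.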

