
Port scans on Sonicwall Firewall

We have several Sonicwalls and recently upgraded them to the latest firmware. Soon after, the units began receiving a flood of port scans. Discussed with Sonicwall thinking there was a firmware problem, however they state there are no other customers with this problem and it may be a coincidence that the port scans occurred around the time of the upgrade.

The situation is that there are many scans on a wide range of ports. Some of the IPs are legitimate web sites, some we cannot trace. I don't know all the applications running here and cannot determine what ports need to be open. Already know about the common ports and what they are used for, also know about the port lists available on the web.

Does anyone have any ideas on what to do about this situation? I was considering creating a rule to block port ranges and go from there.

3 Solutions
First of all make sure that port scans really exist by installing some free firewall
or ZoneAlarm in a trial period or so. If that firewall also alerts you about scans,
then you can be sure there's no doubt about port scans.

After you are sure those scans are for real, try to create a list of ips from which
you are being scanned, and post them here.

If you are using a Sonicwall firewall then it's almost certainly blocking the port scans for you.

However, you are correct to check them out.  Most firewalls get regular port scans from ranges of IP addresses, all mine get between 10 and 100 an hour.

You do not mention the sonicwall firmware version, however, there have been several 'issues' with misdetection on sonicwalls in the past, including mis-alerting scans and smurf attacks; however, recently there have been fewer.

You could place an 'insecure' computer on the public side of the sonicwall and run a packet sniffer like Ethereal.  This will allow you to look at the packet headers to prove the source.

Blocking port ranges is fine, but where do you stop....it's a path I have been down and would not recommend.

If you want to know if the scans are successful, try www.grc.com and run Shields Up.

I also use a sonicwall. I noticed that most of my reported port scans were from websites that I have blocked with the content filter, and looking at the log by time, a port scan would come right after a user had that website blocked. If that is the case, these are not true port scans: the website was contacted and is trying to finish communicating with the user, but since the sonicwall blocked the website, the sonicwall sees the action as a port scan.

It really sounds like a fault in the firmware....

It only happens after an update?
It only happens on blocked sites?
Only after a block?

Try blocking an OK site that you know works now.  If it says it's scanning, report it to Sonicwall.

You can unblock it as soon as it checks out.
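
Added example (not written by any poster in this thread and not SonicWall code): the "look at the log by time" check from the content-filter answer above, separating port-scan alerts that follow a content-filter block of the same remote IP from alerts that have no such explanation. The simplified `time,event,remote_ip` layout, the event names, and the 30-second window are assumptions, and the sample lines are constructed; adapt the parsing to your own log export.

```python
from datetime import datetime, timedelta

# Constructed sample log in an assumed "time,event,remote_ip" layout.
# This is NOT the real SonicWall export format.
SAMPLE_LOG = """\
2005-03-01 10:00:05,site_blocked,203.0.113.10
2005-03-01 10:00:07,port_scan,203.0.113.10
2005-03-01 10:02:00,port_scan,198.51.100.7
2005-03-01 10:05:30,site_blocked,203.0.113.20
2005-03-01 10:09:00,port_scan,203.0.113.20
2005-03-01 10:10:00,port_scan,203.0.113.10
"""

def parse(text):
    """Return (timestamp, event, remote_ip) tuples in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, kind, ip = (field.strip() for field in line.split(","))
        events.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), kind, ip))
    # Stable sort on time only, so same-second entries keep their log order.
    return sorted(events, key=lambda e: e[0])

def classify_scans(events, window_seconds=30):
    """Split port-scan alerts into those that follow a content-filter block
    of the same IP within the window, and those that do not."""
    window = timedelta(seconds=window_seconds)
    last_block = {}              # remote_ip -> time of most recent block
    explained, unexplained = [], []
    for when, kind, ip in events:
        if kind == "site_blocked":
            last_block[ip] = when
        elif kind == "port_scan":
            blocked_at = last_block.get(ip)
            if blocked_at is not None and when - blocked_at <= window:
                explained.append((when, ip))
            else:
                unexplained.append((when, ip))
    return explained, unexplained

if __name__ == "__main__":
    explained, unexplained = classify_scans(parse(SAMPLE_LOG))
    for when, ip in explained:
        print(f"{when} {ip}: follows a content-filter block")
    for when, ip in unexplained:
        print(f"{when} {ip}: no preceding block, look at this one")
```

Alerts in the second group are the ones worth checking with a packet capture, as suggested earlier in the thread.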

