Port scans on Sonicwall Firewall

We have several Sonicwalls and recently upgraded them to the latest firmware. Soon after the units began receiving a flood of port scans. Discussed with Sonicwall thinking there was a firmware problem, however they state there are no other customers with this problem and it may be a coincidence that the port scans occured around the time of the upgrade.

The situation is that there are many scans on a wide range of ports. Some of the IPs are legitimate web sites, some we cannot trace. I don't know all the applications running here and cannot determine what ports need to be open. Already know about the common ports and what they are used for, also know about the port lists available on the web.

Does anyone have any ideas on what to do about this situation? I was considering creating a rule to block port ranges and go from there.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

First of all make sure that port scans really exist by installing some free firewall
or ZoneAlarm in a trial period or so. If that firewall also alerts you about scans,
then you can be sure there's no doubt about port scans.

After you are sure those scans are for real, try to create a list of ips from which
you are being scanned, and post them here.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
If you are using a Sonicwall firewall then it's almost certainly blocking the port scans for you.

However, you are correct to check them out.  Most firewalls get regular port scans from ranges of IP addresses, all mine get between 10 and 100 an hour.

You do not mention the sonicwall firmware version, however, there have been several 'issues' on mis detection on sonicwalls in the past.  Including mis-alerting scans and smurf attacks, however, recently there has been less.

You could place a 'insecure' computer on the public side of the sonicwall and run a packet sniffer like Ethereal.  This will allow you to look at the packet headers to prove the source.

Blocking port ranges is fine, but were do you stop....it's a path I have been down and would not recommend.

If you want to know if the scans are successful, try www.grc.com and run sheilds up.
I also use a sonicwall i noticed that most of my reported port scans were from websites that i have blocked with the content filter and looking at the log by time a port scan would come right after a user had that website blocked if that is the case these are not true port scans but the website was contacted and is trying to finish comunicating with the user but since the sonicwall blocked the website  the sonicwall sees the action as a port scan.
It really sounds like a fault in the firmware....

It only happens after an update?
It only happens on blocked sites?
Only after a block?

Try blocking a ok site that you no works now.  If it says it's scanning, report it to Socinwall.

You can unblock it as soon as it checks out.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.