benhar
asked on
Firewall event log showing alarm events.
I've never really paid much attention to the logs and alarm events on my firewall (save the scolding), but recently I cleared the alarm status to see when it might trigger again. It has and these are the events shown:
2007-11-19 08:58:26 system alert 00017 ip sweep, From 68.81.209.249 to xx.xx.xx.xxx, using protocol 1 (on zone Untrust,interface ethernet3) occurred 1 times
2007-11-15 13:52:32 system alert 00017 ip sweep, From 68.81.209.249 to xx.xx.xx.xxx, using protocol 1 (on zone Untrust,interface ethernet3) occurred 1 times
2007-11-14 12:20:09 system alert 00016 Port Scan Attempt, From 69.26.185.131/80 to xx.xx.xx.xxx/1848, using protocol TCP (on zone Untrust,interface ethernet3) occurred 1 times
2007-11-14 12:18:56 system alert 00016 Port Scan Attempt, From 69.26.185.131/80 to xx.xx.xx.xxx/1870, using protocol TCP (on zone Untrust,interface ethernet3) occurred 1 times
2007-11-14 10:18:43 system alert 00017 ip sweep, From 68.81.209.249 to xx.xx.xx.xxx, using protocol 1 (on zone Untrust,interface ethernet3) occurred 1 times
The xx.xx.xx.xxx are external-facing IPs I have.
Are these something to be concerned about? I have not noticed any abnormal activity or problems within my network, but I'm just curious what might be going on.
Now that you have the ISP, find the way to contact them. They usually have an abuse line. Report that IP to them, get the log of your firewall with that IP address, and email that to them too. They will most likely cancel that IP.
Also, if your firewall allows it, block that specific IP address or create a Deny rule for that IP address.
Your firewall is doing its job, which is a good thing. I suggest you make it a habit to check your firewall daily.
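Added example (not part of the original thread and not any poster's code): a Python sketch that parses alarm lines in the format quoted in the question, groups them by source IP, and extracts the raw lines for one source so they can be attached to a report to the ISP's abuse contact, as the reply above suggests. The function names and the regular expression are assumptions derived only from the five lines shown in the question.

```python
import re
from collections import defaultdict

# The five alarm lines quoted in the question (destination redacted by the asker).
SAMPLE = """\
2007-11-19 08:58:26 system alert 00017 ip sweep, From 68.81.209.249 to xx.xx.xx.xxx, using protocol 1 (on zone Untrust,interface ethernet3) occurred 1 times
2007-11-15 13:52:32 system alert 00017 ip sweep, From 68.81.209.249 to xx.xx.xx.xxx, using protocol 1 (on zone Untrust,interface ethernet3) occurred 1 times
2007-11-14 12:20:09 system alert 00016 Port Scan Attempt, From 69.26.185.131/80 to xx.xx.xx.xxx/1848, using protocol TCP (on zone Untrust,interface ethernet3) occurred 1 times
2007-11-14 12:18:56 system alert 00016 Port Scan Attempt, From 69.26.185.131/80 to xx.xx.xx.xxx/1870, using protocol TCP (on zone Untrust,interface ethernet3) occurred 1 times
2007-11-14 10:18:43 system alert 00017 ip sweep, From 68.81.209.249 to xx.xx.xx.xxx, using protocol 1 (on zone Untrust,interface ethernet3) occurred 1 times
"""

# Assumed layout, inferred from the lines above; ports are optional (absent on ICMP sweeps).
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) system alert (?P<id>\d+) "
    r"(?P<kind>[^,]+), From (?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"to (?P<dst>[^,/\s]+)(?:/(?P<dport>\d+))?, using protocol (?P<proto>\S+) "
    r"\(on zone (?P<zone>[^,]+),interface (?P<iface>[^)]+)\) "
    r"occurred (?P<count>\d+) times$"
)

def parse_alarms(text):
    """Return (events, unparsed): one dict per alarm line, plus lines that did not match."""
    events, unparsed = [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE.match(line)
        if m:
            events.append({**m.groupdict(), "raw": line})
        else:
            unparsed.append(line)  # keep odd lines visible instead of dropping them
    return events, unparsed

def summarize(events):
    """Group alarms by source IP: hit count, first/last seen, alarm kinds, ports."""
    out = defaultdict(lambda: {"hits": 0, "first": None, "last": None,
                               "kinds": set(), "src_ports": set(), "dst_ports": set()})
    for e in events:
        s = out[e["src"]]
        s["hits"] += int(e["count"])
        s["first"] = min(filter(None, (s["first"], e["ts"])))  # timestamps sort as text
        s["last"] = max(filter(None, (s["last"], e["ts"])))
        s["kinds"].add(e["kind"])
        for field, bucket in (("sport", "src_ports"), ("dport", "dst_ports")):
            if e[field]:
                s[bucket].add(int(e[field]))
    return dict(out)

def abuse_extract(events, src):
    """Raw log lines for one source, oldest first, ready to paste into an abuse report."""
    return "\n".join(e["raw"] for e in sorted(events, key=lambda e: e["ts"]) if e["src"] == src)
```

The summary keeps source ports because a source port of 80 aimed at high destination ports can also be late reply traffic from a web server, which is worth checking before reporting that address.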
ASKER
Thanks for the help!
ASKER
The IP was traced to Toms River, NJ, but had no name, just an ISP. What more could I do?