Over 90,000 new connections in last 24 hours - LAN or Firewall trouble?
Posted on 2009-02-10
I have two SonicWall 3500 devices configured with HA. Over the last few days we have been experiencing some strange activity from the firewall(s). Yesterday they kept failing back and forth to each other and would take the network down temporarily if the second one failed back to the first before the first had finished rebooting from the previous failover.
Also, CPU cores 1, 2, and 3 were all spiking up to 100% utilization if IPS was enabled. I disabled IPS for a few minutes, manually rebooted both devices, enabled IPS, and now the network seems OK.
However, what seems odd to me is that I reset the statistics on the Network -> WAN Failover & LB screen 24 hours ago. Now it is showing that it has just over 90,000 new connections, and over 2 million total connections. I'm watching this number grow as I type this. I only have around 75 machines on my network, so both of these numbers seem extremely high, as if something is inside my network doing bad things.
I have virus protection on all my machines inside, and two rounds of virus protection (external email spam/virus filter and the IPS & Gateway AV on the SonicWalls), so I am not sure how anything could have gotten through.
Does anyone have any ideas to track down the To and From for all these connections? We are a small company and do not have NetFlow monitoring capabilities or a ViewPoint license.