Over 90,000 new connections in last 24 hours - LAN or Firewall trouble?

Posted on 2009-02-10
Last Modified: 2013-11-16
I have two Sonicwall 3500 devices configured with HA. Over the last few days we have been experiencing some strange activity from the firewall(s). Yesterday they kept failing back and forth to each other and would take the network down temporarily if the second one would fail back to the first before the first was finished rebooting from the previous failover.

Also, CPU cores 1, 2, and 3 were all spiking up to 100% utilization if IPS was enabled. I disabled IPS for a few minutes, manually rebooted both devices, enabled IPS, and now the network seems OK.

However, what seems odd to me is that I reset the statistics on the Network -> WAN Failover & LB screen 24 hours ago. Now it is showing that it has just over 90,000 new connections, and over 2 million total connections. I'm watching this number grow as I type this. I only have around 75 machines on my network, so both of these numbers seem extremely high as if something is inside my network doing bad things.

I have virus protection on all my machines inside, and two rounds of virus protection (external email spam/virus filter and the IPS & Gateway AV on the Sonicwalls) so I am not sure how anything could have gotten through.

Does anyone have any ideas to track down the To and From for all these connections? We are a small company and do not have NetFlow monitoring capabilities or a ViewPoint license.

Question by: alan2938

1 Comment

    Accepted Solution

    You need to enable packet logging on the firewall to see what the traffic is.
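
Once connection logging is enabled and exported as text, the "To and From" question comes down to counting per source and per destination. The following is an added example, not part of the original thread: the key=value line layout (`src=ip:port:iface`, `dst=ip:port:iface`, `msg=...`) is an assumed log format, the sample lines and addresses are constructed, and it handles IPv4 only.

```python
import re
from collections import Counter

# Constructed sample lines. The field layout is an assumption about what the
# firewall writes once connection logging is on; adjust FIELD/host_port to match.
SAMPLE_LOG = """\
time="2009-02-10 09:00:01" msg="Connection Opened" src=192.168.1.23:51012:X0 dst=203.0.113.7:25:X1
time="2009-02-10 09:00:01" msg="Connection Opened" src=192.168.1.23:51013:X0 dst=203.0.113.9:25:X1
time="2009-02-10 09:00:02" msg="Connection Opened" src=192.168.1.23:51014:X0 dst=198.51.100.4:25:X1
time="2009-02-10 09:00:02" msg="Connection Opened" src=192.168.1.23:51015:X0 dst=198.51.100.8:25:X1
time="2009-02-10 09:00:03" msg="Connection Opened" src=192.168.1.40:40222:X0 dst=192.0.2.10:80:X1
time="2009-02-10 09:00:04" msg="Connection Opened" src=192.168.1.40:40223:X0 dst=192.0.2.10:80:X1
time="2009-02-10 09:00:05" msg="Connection Closed" src=192.168.1.23:51012:X0 dst=203.0.113.7:25:X1
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Return the key=value fields of one log line, with quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def host_port(value):
    """Split 'ip:port:iface' into (ip, port); a missing port becomes ''."""
    parts = value.split(":")
    return parts[0], (parts[1] if len(parts) > 1 else "")

def summarize(log_text, event="Connection Opened"):
    """Count new connections per source, per (src, dst, dport), and distinct dsts per source."""
    per_source, per_flow, fanout = Counter(), Counter(), {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("msg") != event or "src" not in f or "dst" not in f:
            continue  # skip close events and lines without both endpoints
        src, _ = host_port(f["src"])
        dst, dport = host_port(f["dst"])
        per_source[src] += 1
        per_flow[(src, dst, dport)] += 1
        fanout.setdefault(src, set()).add(dst)
    return per_source, per_flow, {s: len(d) for s, d in fanout.items()}

if __name__ == "__main__":
    per_source, per_flow, fanout = summarize(SAMPLE_LOG)
    for src, n in per_source.most_common(10):
        print(f"{src}: {n} new connections to {fanout[src]} distinct destinations")
```

An internal host with a high connection count spread across many distinct destinations on one port is the first machine to pull aside for inspection.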
