?
Solved

Sonciwall TZ100 Probalbe portscan: what to do?

Posted on 2014-07-28
2
Medium Priority
?
2,628 Views
Last Modified: 2014-07-30
Hi,

I'm overflooded with portscan messages on my Sonicwall TZ100 sn=0017C5A0F194 time=\\\"2014-07-28 13:24:01\\\" fw=82.93.44.x pri=1 c=32 m=83 msg=\\\"Probable port scan detected\\\" sess=None n=43 src=64.15.124.211:80:X1:cache.google.com dst=81.83.190.35:4938:X1 note=\\\"TCP scanned port list, 11261, 3059, 42527, 36803, 41109, 57745, 13935, 5063, 34779, 4938\\\"

Pls advise what to do.
J.
0
Comment
Question by:janhoedt
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 32

Expert Comment

by:nappy_d
ID: 40225815
Have you purchased any of the add-on subscriptions? Especially the IPS(Intrusion Prevention Service)

http://help.mysonicwall.com/sw/eng/305/ui2/23100/Security_Services/Intrusion_Prevention.htm
0
 
LVL 64

Accepted Solution

by:
btan earned 2000 total points
ID: 40225837
looks like the source (64.15.124.211) is registered under youtube (and PTR @ cache.google.com), Sonicwall devices have a default action of dropping 'port scans' when detected. these are all high ports that should be denied by default.

However most of port scan are not attacks and are simple probes to determine services available on a remote machine. At times this log message "Possible port scan detected" appears in the case of false positives, which may occur if an application or user is legitimately connecting to several ports. This is just Detection, there would not be any drop for possible port scan detected, however Sonicwall will drop intensive Port Scan traffic.

If this is legit or expected then you can consider "disabling message "Possible port scan detected" in Logs" https://support.software.dell.com/sonicwall-e-class-nsa-series/kb/sw11594
0

Featured Post

Four New Appliances. Same Industry-leading Speeds.

But don't take it from us.  The Firebox M370 is Miercom tested and Miercom approved, outperforming its competitors for stateless and stateful traffic throughput scenarios.  Learn more about the M370, M470, M570 and M670 and find the right solution for your organization today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
Occasionally, we encounter connectivity issues that appear to be isolated to cable internet service.  The issues we typically encountered were reset errors within Internet Explorer when accessing web sites or continually dropped or failing VPN conne…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question