
Firewall question

mfony asked:
Can anyone tell me exactly what this message means?

Time: 17:44.8
Priority: Alert
Category: Intrusion Prevention
Message: IPS Detection Alert: ICMP Destination Unreachable (Port Unreachable), SID: 310, Priority: Low
Source: 10.0.7.147, 63210, X0, S-W8
Destination: 10.0.200.201, 53, X5, M-201

The source is a workstation on my LAN. Is it trying to do something bad or is someone using it to do something bad?

Thanks for your help.

Mohammed Khawaja, Manager - Infrastructure: Information Technology

Commented:
Nope, this message refers to if PING is not possible or ICMP is disabled.  Usually ICMP is enabled to ensure ping tests can be performed as well as monitoring systems can detect end-point availability.  Are you using any monitoring solution which might be trying to contact the destination device?  Security software such as NMAP, Nessus, etc. also uses PING.

Author

Commented:
I can ping the device without a problem. I don't use any monitoring solution. The server is connected to the network as a DFS device and workstations normally don't have any connection to it at all.
Principal Consultant
Commented:
Destination
10.0.200.201, 53, X5, M-201

Your workstation is scanning its environment for available services; in this case it is looking for DNS on the destination server.

The detection in your firewall is an FYI, as ICMP discovery is used by many devices. If you were to see this from a source you did not recognize, that would be a flag worth investigating.

http://searchnetworking.techtarget.com/tip/ICMP-The-good-the-bad-and-the-ugly
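
An ICMP Destination Unreachable message with code 3 (Port Unreachable) quotes the IP header and first 8 bytes of the datagram that triggered it (RFC 792), so decoding that quote shows which flow such an alert is about. The following is an added example, not part of the original thread; the sample packet is constructed from the addresses and ports in the alert, on the assumption that they describe the quoted UDP datagram.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3
CODE_PORT_UNREACH = 3

def parse_icmp_unreachable(icmp: bytes) -> dict:
    """Decode an ICMP Destination Unreachable message (RFC 792) and the
    original datagram header it quotes."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError(f"not Destination Unreachable (type {icmp_type})")
    quoted = icmp[8:]                      # original IP header + >= 8 bytes
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        raise ValueError("quoted IPv4 header missing or malformed")
    ihl = (quoted[0] & 0x0F) * 4           # quoted IP header length in bytes
    if ihl < 20 or len(quoted) < ihl:
        raise ValueError("bad IHL")
    result = {
        "code": code,
        "port_unreachable": code == CODE_PORT_UNREACH,
        "proto": quoted[9],                # 17 = UDP, 6 = TCP
        "orig_src": socket.inet_ntoa(quoted[12:16]),
        "orig_dst": socket.inet_ntoa(quoted[16:20]),
    }
    l4 = quoted[ihl:ihl + 4]
    if result["proto"] in (6, 17) and len(l4) == 4:   # TCP/UDP port pair
        result["orig_sport"], result["orig_dport"] = struct.unpack("!HH", l4)
    return result

def build_sample() -> bytes:
    """Constructed sample: a UDP datagram to port 53, quoted inside ICMP 3/3."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     socket.inet_aton("10.0.7.147"),
                     socket.inet_aton("10.0.200.201"))
    udp = struct.pack("!HHHH", 63210, 53, 8, 0)
    # ICMP header: type 3, code 3, checksum and unused field left at 0
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip + udp

if __name__ == "__main__":
    print(parse_icmp_unreachable(build_sample()))
```

In the decoded quote, `orig_src` is the host whose datagram reached a closed port and `orig_dst` is the host that answered with the ICMP message.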