Weird IP logs on site for weeks pulling data
Hey guys/girls,
This IP in Japan somewhere 126.77.206.4 has been logging onto our website for weeks now just pulling data. I started by banning it which produced thousands of logs per day like this and yet, if I remove the ban, there are log messages regardless.
Message meets Alert condition
date=2021-05-03 time=08:04:02 devname=fw60 devid=FWF60D4615005415 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1620043441 srcip=126.77.206.4 srcport=58645 srcintf="wan1" srcintfrole="wan" dstip=*.*.*.* dstport=443 dstintf="lan" dstintfrole="lan" poluuid="8ca8dda0-c324-51e5-f20f-668b3c09234d" sessionid=6458603 proto=6 action="deny" policyid=3 policytype="policy" service="HTTPS" dstcountry="Canada" srccountry="Japan" trandisp="dnat" tranip=*.*.*.* tranport=443 appcat="unknown" applist="default" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 crscore=30 craction=131072 crlevel="high"
I tried using our SIEM to glean some information but I can't "see" exactly what they're looking at. Is there anything I can do from the firewall perspective to get more information aside from what the "session" drilldown gives me?
Thanks
Roc
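As an added example, not from the original post or from Fortinet, here is a small Python parser for the FortiGate key=value traffic-log format quoted above, run over constructed sample lines (the destination IP 203.0.113.10, the second source IP and the helper names are assumptions) to summarize what a given source address has been doing: actions, destination ports and byte counts.

```python
import re
from collections import Counter

# Constructed sample lines in FortiGate traffic-log format. The first mirrors
# the deny line from the post; the source 126.77.206.4 is the one discussed,
# the destination 203.0.113.10 is a documentation placeholder.
SAMPLE_LOGS = [
    'date=2021-05-03 time=08:04:02 devname=fw60 srcip=126.77.206.4 srcport=58645 '
    'dstip=203.0.113.10 dstport=443 proto=6 action="deny" policyid=3 '
    'service="HTTPS" srccountry="Japan" sentbyte=0 rcvdbyte=0 crlevel="high"',
    'date=2021-05-03 time=08:04:05 devname=fw60 srcip=126.77.206.4 srcport=58701 '
    'dstip=203.0.113.10 dstport=443 proto=6 action="accept" policyid=2 '
    'service="HTTPS" srccountry="Japan" sentbyte=5120 rcvdbyte=840',
    'date=2021-05-03 time=08:04:09 devname=fw60 srcip=198.51.100.7 srcport=40210 '
    'dstip=203.0.113.10 dstport=443 proto=6 action="accept" policyid=2 '
    'service="HTTPS" srccountry="Canada" sentbyte=2048 rcvdbyte=600',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line):
    """Parse one FortiGate key=value log line into a dict, unquoting values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def summarize_source(lines, srcip):
    """Aggregate actions, destination ports and bytes for one source IP."""
    actions, ports = Counter(), Counter()
    sent = rcvd = 0
    for line in lines:
        rec = parse_fortigate_line(line)
        if rec.get("srcip") != srcip:
            continue
        actions[rec.get("action", "?")] += 1
        ports[rec.get("dstport", "?")] += 1
        sent += int(rec.get("sentbyte", 0))
        rcvd += int(rec.get("rcvdbyte", 0))
    return {"actions": dict(actions), "dstports": dict(ports),
            "sentbyte": sent, "rcvdbyte": rcvd}


if __name__ == "__main__":
    print(summarize_source(SAMPLE_LOGS, "126.77.206.4"))
```

Denied sessions carry sentbyte=0 and rcvdbyte=0, as in the quoted log, so only the accepted sessions say anything about how much data moved; the firewall log records ports and byte counts, not which pages were requested.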
