Hey guys/girls,
This IP, somewhere in Japan (126.77.206.4), has been logging onto our website for weeks now, just pulling data. I started by banning it, which produced thousands of logs per day like this, and yet, if I remove the ban, there are log messages regardless.
Message meets Alert condition
date=2021-05-03 time=08:04:02 devname=fw60 devid=FWF60D4615005415 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1620043441 srcip=126.77.206.4 srcport=58645 srcintf="wan1" srcintfrole="wan" dstip=*.*.*.* dstport=443 dstintf="lan" dstintfrole="lan" poluuid="8ca8dda0-c324-51e5-f20f-668b3c09234d" sessionid=6458603 proto=6 action="deny" policyid=3 policytype="policy" service="HTTPS" dstcountry="Canada" srccountry="Japan" trandisp="dnat" tranip=*.*.*.* tranport=443 appcat="unknown" applist="default" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 crscore=30 craction=131072 crlevel="high"
I tried using our SIEM to glean some information, but I can't "see" exactly what they're looking at. Is there anything I can do from the firewall perspective to get more information, aside from what the "session" drilldown gives me?
Thanks
Roc
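As an added example (not part of Roc's post and not Fortinet's code), here is a small Python script that parses FortiGate traffic log lines like the one above and aggregates them per source IP, separating denied sessions (which carry no payload: duration=0, sentbyte=0, rcvdbyte=0) from accepted ones, so you can see whether an IP actually transferred data or only hit the deny rule. The first sample line is the one quoted in the post; the other lines are constructed here purely to exercise the code. The reading of sentbyte as client-to-server bytes and rcvdbyte as server-to-client bytes is an assumption, as is the hypothetical 203.0.113.7 address.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines. The first is the entry quoted in the post (masked
# fields left masked); the rest are invented here to exercise the aggregation.
SAMPLE_LOGS = [
    'date=2021-05-03 time=08:04:02 devname=fw60 devid=FWF60D4615005415 logid="0000000013" '
    'type="traffic" subtype="forward" level="notice" vd="root" eventtime=1620043441 '
    'srcip=126.77.206.4 srcport=58645 srcintf="wan1" srcintfrole="wan" dstip=*.*.*.* '
    'dstport=443 dstintf="lan" dstintfrole="lan" sessionid=6458603 proto=6 action="deny" '
    'policyid=3 policytype="policy" service="HTTPS" dstcountry="Canada" srccountry="Japan" '
    'trandisp="dnat" tranip=*.*.*.* tranport=443 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 '
    'crscore=30 craction=131072 crlevel="high"',
    # Constructed: same IP allowed through a different policy, with real payload.
    'date=2021-05-03 time=08:05:10 devname=fw60 type="traffic" subtype="forward" '
    'srcip=126.77.206.4 srcport=58700 dstip=*.*.*.* dstport=443 action="accept" policyid=2 '
    'service="HTTPS" duration=12 sentbyte=1840 rcvdbyte=52310 sentpkt=20 rcvdpkt=45',
    # Constructed: same IP, plain HTTP, accepted.
    'date=2021-05-03 time=08:05:31 devname=fw60 type="traffic" subtype="forward" '
    'srcip=126.77.206.4 srcport=58701 dstip=*.*.*.* dstport=80 action="accept" policyid=2 '
    'service="HTTP" duration=3 sentbyte=600 rcvdbyte=4100 sentpkt=6 rcvdpkt=5',
    # Constructed: unrelated (hypothetical) IP that only ever hits the deny rule.
    'date=2021-05-03 time=08:06:00 devname=fw60 type="traffic" subtype="forward" '
    'srcip=203.0.113.7 srcport=40000 dstip=*.*.*.* dstport=443 action="deny" policyid=3 '
    'service="HTTPS" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0',
    # Constructed: a non-traffic event line that the summary must skip.
    'date=2021-05-03 time=08:06:30 devname=fw60 type="event" subtype="system" '
    'logdesc="Admin login successful" msg="Administrator admin logged in from https(10.0.0.5)"',
]

# key=value pairs: quoted values may contain spaces, unquoted ones run to the next space.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_line(line):
    """Parse one FortiGate key=value log line into a dict of strings."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def summarize(lines, min_hits=1):
    """Aggregate traffic log lines per srcip.

    Returns {srcip: {"total", "actions", "dstports", "policies",
                     "bytes_sent", "bytes_rcvd", "srcports"}} for every source
    seen at least min_hits times. Only type="traffic" records are counted.
    """
    per_ip = defaultdict(lambda: {
        "total": 0, "actions": Counter(), "dstports": Counter(),
        "policies": Counter(), "bytes_sent": 0, "bytes_rcvd": 0, "srcports": set(),
    })
    for line in lines:
        rec = parse_fortigate_line(line)
        if rec.get("type") != "traffic" or "srcip" not in rec:
            continue
        s = per_ip[rec["srcip"]]
        s["total"] += 1
        s["actions"][rec.get("action", "?")] += 1
        s["dstports"][int(rec.get("dstport", 0))] += 1
        s["policies"][rec.get("policyid", "?")] += 1
        # Assumption: sentbyte is client->server, rcvdbyte is server->client.
        s["bytes_sent"] += int(rec.get("sentbyte", 0))
        s["bytes_rcvd"] += int(rec.get("rcvdbyte", 0))
        s["srcports"].add(rec.get("srcport"))
    return {ip: s for ip, s in per_ip.items() if s["total"] >= min_hits}


def is_block_only(entry):
    """True when every session from this source was denied and carried no payload,
    i.e. the firewall saw connection attempts but nothing was ever pulled."""
    only_denies = set(entry["actions"]) == {"deny"}
    return only_denies and entry["bytes_sent"] == 0 and entry["bytes_rcvd"] == 0


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOGS).items():
        print(ip, dict(s["actions"]), "ports", dict(s["dstports"]),
              "rcvd", s["bytes_rcvd"], "block-only:", is_block_only(s))
```

The practical point for the log in the post: a deny entry with duration=0 and zero bytes is the firewall dropping the initial connection attempt, so those thousands of lines are evidence of attempts, not of data leaving. Data volume only shows up on accept entries, which is where the per-IP byte counts and destination ports from this summary tell you what was actually served.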