Firewalla Gold - Notification - External Port Scan
Hello,
The Firewalla does not notify of external port scans (it does for the internal network).
IMHO I believe this is a feature that would be beneficial as long as the notifications can be muted depending on source (Shodan scanning - set up by me and various other organizations that are known to scan for vulnerabilities).
Here is the link for an external blocked report. Please modify it to suit your MSP instance.
https://[your msp url]/reports/10?filters=Status%3ABlocked+Direction%3AInbound+Network%3A[WAN_Name]&range=last-60-minutes&groupBy=ts%2Bblock%2Bsource%2Bdestination%2Bdomain%2BdestinationPort%2BblockType%2Bupload%2Bdownload%2Btotal%2Bcount&sortBy=count%3Adesc
Hopefully you will get a list of blocked connections - incoming aimed at your WAN interface along with a list of IP addresses, incoming ports and attempts per port.
Any IP address that has multiple entries across multiple ports should set off an alert (parameters to be defined by Firewalla based on their collective knowledge).
This would allow the MSP admin to be alerted to a determined organization or individual probing their network.
Just a thought.
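
The alert rule proposed in the post, sketched as an added example (not part of the original post and not Firewalla code): group blocked inbound rows by source, alert when one source touches many distinct ports, and skip muted sources. The row fields follow the report's `source`, `destinationPort` and `count` columns; the thresholds, sample rows and muted network are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed thresholds; the post leaves the real parameters to Firewalla.
MIN_DISTINCT_PORTS = 5
MIN_ATTEMPTS = 10

# Constructed rows of blocked inbound WAN flows: (source, destinationPort, count).
SAMPLE_ROWS = (
    [("198.51.100.7", p, 2) for p in (22, 23, 80, 443, 3389, 8080)]   # multi-port probe
    + [("203.0.113.50", 443, 40)]                                      # one port, many hits
    + [("192.0.2.10", p, 3) for p in (21, 22, 25, 80, 443, 8443)]      # scanner to be muted
    + [("198.51.100.99", 22, 1), ("198.51.100.99", 80, 1)]             # below thresholds
)


def detect_external_scans(rows, muted_networks=(),
                          min_ports=MIN_DISTINCT_PORTS, min_attempts=MIN_ATTEMPTS):
    """Return alerts for sources that hit many distinct ports, skipping muted sources."""
    muted = [ip_network(n) for n in muted_networks]
    ports = defaultdict(set)
    attempts = defaultdict(int)
    for source, port, count in rows:
        addr = ip_address(source)
        if any(addr in net for net in muted):
            continue  # muted source (e.g. a scanner the admin set up)
        ports[source].add(port)
        attempts[source] += count
    alerts = [
        {"source": s, "ports": sorted(ports[s]), "attempts": attempts[s]}
        for s in ports
        if len(ports[s]) >= min_ports and attempts[s] >= min_attempts
    ]
    # Most active source first; ties broken by address for stable output.
    return sorted(alerts, key=lambda a: (-a["attempts"], a["source"]))


if __name__ == "__main__":
    for alert in detect_external_scans(SAMPLE_ROWS, muted_networks=["192.0.2.0/24"]):
        print(alert)
```

Requiring both a distinct-port count and a total-attempt count keeps a single noisy port (the `203.0.113.50` rows) from raising a scan alert.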