Blocked China Mainland via geo ip, yet it still allowed it to get to the firewall
Need to understand your topology a bit. From reading your notes, is it
[PA Firewall] <--->[edge firewall?]<---> Firewalla
And you are detecting the China IP on the PA system or via Firewalla Alarms?
Also, feel free to email us firstname.lastname@example.org in case you want a faster reply.
Couple of quick questions:
1. How are you diverting traffic from your router to firewalla? I assume you did a port forwarding of ssh, is that right?
2. How did you see the attack traffic on the Firewalla? Is it via a sniffer outside Firewalla, or inside?
3. What is the IP address that's attacking? (We need to check the DB and see if it is marked in our DB as China.)
Traffic was diverted from the PA (router and firewall) to the Firewalla. Basically it became a DMZ. Firewalla then became the only firewall. (This was a test to see, if PA ever crashed or failed to block a source somehow, whether Firewalla would block it with geo IP.)
Attack traffic came through the Firewalla as SSH guessing. Since I have no active log or anything from the Firewalla (and have not gone in and figured out how to push syslogs to my blade for historical data), all I saw was the alert about 20 to 30 mins after the original traffic began.
The IP address of the attacker was 49.88112.77. After completing the whois, it's from Jiangsu province.
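The SSH guessing in the post above was only noticed 20 to 30 minutes after it started because nothing was logging locally. As an added example (not Firewalla's code and not from this thread), the Python script below does the two checks a defender would want once sshd logs are shipped to syslog: it parses constructed sshd lines, flags any source that crosses a failed-login threshold inside a sliding window, and looks the source up in a prefix-to-country table so you can tell whether a geo-IP rule should have caught it. The log lines, the `GEO_TABLE` prefixes, the country codes, and the `BLOCKED_COUNTRIES` set are all constructed placeholders standing in for a real geo-IP database and real logs.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in syslog format (no year in the timestamp, 2024 assumed).
SAMPLE_LOG = """\
Mar  3 10:00:01 gw sshd[1201]: Failed password for root from 203.0.113.9 port 50122 ssh2
Mar  3 10:00:04 gw sshd[1203]: Failed password for invalid user admin from 203.0.113.9 port 50130 ssh2
Mar  3 10:00:07 gw sshd[1205]: Failed password for root from 203.0.113.9 port 50141 ssh2
Mar  3 10:00:09 gw sshd[1207]: Failed password for root from 203.0.113.9 port 50150 ssh2
Mar  3 10:00:12 gw sshd[1209]: Failed password for root from 203.0.113.9 port 50160 ssh2
Mar  3 10:05:00 gw sshd[1301]: Accepted publickey for alice from 192.0.2.44 port 40001 ssh2
Mar  3 10:30:00 gw sshd[1401]: Failed password for bob from 198.51.100.7 port 41000 ssh2
"""

# Hypothetical prefix-to-country table standing in for a real geo-IP database.
# The prefixes are documentation ranges and the country codes are placeholders.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "XX",  # placeholder for the blocked country
    ipaddress.ip_network("198.51.100.0/24"): "YY",
    ipaddress.ip_network("192.0.2.0/24"): "ZZ",
}
BLOCKED_COUNTRIES = {"XX"}  # placeholder for the geo-IP rule's country list

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one sshd syslog line into a dict, or return None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def country_of(ip):
    """Longest-prefix-free lookup in the constructed table; None when the IP is unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return None


def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: timestamp} for sources with >= threshold failures inside a sliding window.

    The timestamp is the moment the threshold was first crossed, i.e. when an alert
    could have fired instead of 20 to 30 minutes later.
    """
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["result"] != "Failed":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        # Drop failures that fell out of the window.
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
    return flagged


def should_have_been_blocked(ip):
    """True when the source's country is in the geo-IP block list."""
    return country_of(ip) in BLOCKED_COUNTRIES


if __name__ == "__main__":
    for ip, ts in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ts} brute force from {ip} (country {country_of(ip)}, "
              f"geo rule should have blocked: {should_have_been_blocked(ip)})")
```

The window and threshold are deliberately parameters: a Firewalla in a DMZ sees the whole Internet, so tune them against a day of real logs before wiring the script to an alert. The country lookup also shows why a "Whois says Jiangsu" observation is not by itself proof the geo-IP rule failed; the rule only fires if the vendor's database maps that prefix to the blocked country.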
We cannot really stop traffic from "reaching" Firewalla, but stopping it from going to your network is what we can do.
Your case is a little bit special as you set Firewalla in DMZ. We do have a feature like an inbound firewall implemented, but it's not ready for production and there's no UI for that. If you are willing to try, we can enable that for you manually. Write a mail to email@example.com and there'll be people glad to help you :)
I will gladly do so now. Thank you. Also, the reason I kept a lot of the problem here was to have an open discussion about problems we experience so the community can see if they experience something similar. That way folks see a list of current issues or things that are in progress. Really appreciate your time!