Blocked China Mainland via geo ip, yet it still allowed it to get to the firewall

Comments

6 comments

  • Firewalla

    Need to understand your topology a bit. From reading your notes, is it

    [PA Firewall] <--->[edge firewall?]<---> Firewalla 

    And you are detecting the China IP on the PA system or via Firewalla Alarms?

    Also, feel free to email us help@firewalla.com in case you want a faster reply. 

    1
  • Christian Massie

    PA is the edge, Firewalla is internal. I allowed all traffic for a bit on the PA to test the Firewalla and see what all it could do, and it didn’t block the China IP. I detected it on the Firewalla as I allowed pass through.

    1
  • Firewalla

    Couple quick questions

    1. How are you diverting traffic from your router to Firewalla? I assume you did port forwarding of SSH, is that right?

    2. How did you see the attack traffic on the Firewalla? Is it via a sniffer outside Firewalla, or inside?

    3. What is the IP address that's attacking? (We need to check the DB and see if it is marked in our DB as China.)

    1
  • Christian Massie

    Traffic was diverted from the PA (router and firewall) to the Firewalla. Basically it became a DMZ. Firewalla then became the only firewall. (This was a test to see whether, if the PA ever crashed or failed to block a source somehow, the Firewalla would block it with geo IP.)

    Attack traffic came through the Firewalla as SSH guessing. Since I have no active log or anything from the Firewalla (and have not gone in and figured out how to push syslogs to my blade for historical data), all I saw was the alert about 20 to 30 minutes after the original traffic began.

    The IP address of the attacker was 49.88112.77. After completing the whois, it's from the Jiangsu province.

    1
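The SSH guessing described in the comment above reached the Firewalla host itself, and the only evidence was an alarm 20 to 30 minutes later. As an added example (not Firewalla's code and not the poster's), the script below shows how a practitioner could check this from sshd's own log: it counts failed password attempts per source and flags the sources that fall inside the geo-block CIDR list, which is exactly the condition that means the geo rule is not being applied to traffic addressed to the firewall host. The log lines and the CIDR ranges are constructed for the example (TEST-NET ranges stand in for the blocked region); a real deployment would load its country ranges from a geo-IP feed and read the live auth log.

```python
import ipaddress
import re
from collections import Counter

# Constructed geo-block list (hypothetical). TEST-NET-3 and part of TEST-NET-2
# stand in for the ranges a real country list would contain.
BLOCKED_CIDRS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.128/25"),
]

# Constructed sshd lines modelled on OpenSSH's auth.log output (not real traffic).
SAMPLE_LOG = """\
Mar  3 10:01:02 fw sshd[2211]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar  3 10:01:05 fw sshd[2211]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar  3 10:01:09 fw sshd[2213]: Failed password for invalid user admin from 203.0.113.45 port 51044 ssh2
Mar  3 10:02:11 fw sshd[2220]: Failed password for invalid user pi from 198.51.100.200 port 40210 ssh2
Mar  3 10:03:00 fw sshd[2230]: Accepted publickey for chris from 192.0.2.10 port 50011 ssh2
Mar  3 10:03:30 fw sshd[2235]: Failed password for chris from 192.0.2.10 port 50012 ssh2
"""

# "invalid user" is optional: OpenSSH inserts it when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port (\d+)"
)


def is_geo_blocked(ip_str, cidrs=BLOCKED_CIDRS):
    """True if the address falls inside any CIDR on the block list."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in cidrs)


def failed_logins(log_text):
    """Map each source IP to its number of failed password attempts."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def geo_blocked_attackers(log_text, threshold=3, cidrs=BLOCKED_CIDRS):
    """Sources that reached sshd with at least `threshold` failures AND sit in a
    geo-blocked range. Any hit means the geo rule did not cover traffic destined
    for the firewall host itself (only forwarded traffic was filtered)."""
    return {
        ip: n
        for ip, n in failed_logins(log_text).items()
        if n >= threshold and is_geo_blocked(ip, cidrs)
    }


if __name__ == "__main__":
    for ip, n in geo_blocked_attackers(SAMPLE_LOG).items():
        print(f"geo-blocked source {ip} still reached sshd: {n} failed attempts")
```

Run against the real log with `threshold` lowered to 1 to see every blocked-range source that touched the host at all; the higher default keeps a single mistyped password from a listed range out of the report.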
  • Support

    Hi Christian,

    We cannot really stop traffic from "reaching" Firewalla, but stopping it from going to your network is what we can do.

    Your case is a little bit special as you set Firewalla in a DMZ. We do have an inbound firewall feature implemented, but it's not ready for production and there's no UI for it. If you are willing to try, we can enable that for you manually. Write a mail to help@firewalla.com and there'll be people glad to help you :)


    1
  • Christian Massie

    I will gladly do so now. Thank you. Also, the reason I kept a lot of the problem here was to have an open discussion about problems we experience so the community can see if they experience something similar. That way folks see a list of current issues or things that are in progress. Really appreciate your time!

    1
