F-Secure port scanning / trying to connect to our network, how can we stop this?
The IP addresses
continuously try to connect to our network, trying to open random ports: 64946, 64947, 57208, 54954 etc.
These IP addresses are maintained by some German F-Secure company. Obviously we drop all these connections.
How can we stop F-Secure trying to penetrate our network?!
It looks like your clients are using the ORSP function, but dropping some part of the communication.
The packets sent from our ORSP servers might then be wrongly interpreted as a port scan.
Please refer to this article to allow the necessary IP range from your network.
We are using only Client Security with Policy Manager, so we are not a subscriber to cloud security.
We are allowing outbound connections; this is not the problem.
All of the clients and servers are updating perfectly.
What is strange is that packets are coming from your update services as inbound connection attempts through the WAN port.
So the F-Secure update servers try to directly connect to our server; this should never happen.
Here is a sample log from the firewall:
09:27:31 firewall,info dropped input: in:ether1-gateway outnone), src-mac 00:25:2e:0e:33:77, proto TCP (RST), 22.214.171.124:80->[our fix wan ip address]:52668, len 40
ORSP is one of the many features included in Client Security.
As mentioned in the previously shared article:
"The F-Secure Object Reputation Service Platform (ORSP) is a component in F-Secure's reputation technologies, and is hosted within the networks in the F-Secure network ranges listed above. HTTP access is required for these addresses."
You can try to temporarily disable ORSP as follows, to check that there is no actual port scan coming from our IP addresses.
In the Policy Manager console in advanced mode, in the Policy tab, go under F-Secure Real-time Protection Network Client > Settings and set both of the following settings to "no": "Participate in the real-time Protection Network" and "client is enable". Then distribute the policy to the affected clients.
Note that it is not advised to disable these settings for an extended period of time, as it hinders the product's functionality.
The suspicious incoming packets are RST or ACK/FIN, and related to already closed NAT connections, so the firewall considers them invalid packets.
I have run orspdiag.exe, and everything seems normal.
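The thread's conclusion (stray RST or ACK/FIN segments belonging to NAT connections the firewall has already forgotten, not a port scan) can be checked mechanically against the firewall log. The script below is an added example, not code from the thread or from F-Secure: it parses dropped-input lines in the same style as the one posted above, separates genuine connection attempts (SYN without ACK) from late segments of closed connections (RST or ACK/FIN without SYN), and flags whether those stray segments look like reply traffic from a server port to an ephemeral client port. The sample log lines are constructed with RFC 5737 documentation addresses; the thresholds (server ports 80/443, ephemeral range from 49152) are assumptions for the illustration.

```python
"""Classify dropped inbound TCP packets from firewall log lines.

Added example (not from the thread or F-Secure). It parses log lines in
the style of the one posted in the thread and separates real connection
attempts (SYN without ACK) from stray RST / ACK,FIN segments that belong
to outbound connections whose NAT state entry has already expired.
"""
import re
from collections import defaultdict

# Constructed sample log lines (RFC 5737 addresses) in the style of the
# posted firewall line: three stray reply segments from two web servers,
# then three SYN probes from one host against three different ports.
SAMPLE_LOG = """\
09:27:31 firewall,info dropped input: in:ether1-gateway out:(none), src-mac 00:25:2e:0e:33:77, proto TCP (RST), 198.51.100.10:80->203.0.113.5:52668, len 40
09:27:32 firewall,info dropped input: in:ether1-gateway out:(none), src-mac 00:25:2e:0e:33:77, proto TCP (ACK,FIN), 198.51.100.10:443->203.0.113.5:64946, len 40
09:27:33 firewall,info dropped input: in:ether1-gateway out:(none), src-mac 00:25:2e:0e:33:77, proto TCP (RST), 198.51.100.11:80->203.0.113.5:64947, len 40
09:30:01 firewall,info dropped input: in:ether1-gateway out:(none), src-mac 00:25:2e:0e:33:77, proto TCP (SYN), 192.0.2.77:41234->203.0.113.5:22, len 60
09:30:01 firewall,info dropped input: in:ether1-gateway out:(none), src-mac 00:25:2e:0e:33:77, proto TCP (SYN), 192.0.2.77:41235->203.0.113.5:23, len 60
09:30:02 firewall,info dropped input: in:ether1-gateway out:(none), src-mac 00:25:2e:0e:33:77, proto TCP (SYN), 192.0.2.77:41236->203.0.113.5:3389, len 60
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) \S+ dropped input: in:(?P<iface>\S+) .*?"
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)$"
)

# Assumed server ports a LAN client would have connected *out* to; a segment
# arriving *from* one of them is reply traffic, not a new connection.
SERVER_PORTS = {80, 443}
EPHEMERAL_MIN = 49152  # IANA dynamic/private port range starts here


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["len"] = int(rec["len"])
    rec["flags"] = set((rec["flags"] or "").split(",")) - {""}
    return rec


def classify(rec):
    """Label a dropped inbound record.

    'connection_attempt': SYN without ACK, i.e. someone trying to open a port.
    'stray_closed_conn' : RST or ACK/FIN without SYN, a late segment from a
                          connection the NAT state table no longer tracks.
    'other'             : non-TCP or unusual flag combinations.
    """
    if rec["proto"] != "TCP":
        return "other"
    f = rec["flags"]
    if "SYN" in f and "ACK" not in f:
        return "connection_attempt"
    if "SYN" not in f and (f & {"RST", "FIN", "ACK"}):
        return "stray_closed_conn"
    return "other"


def looks_like_reply_traffic(rec):
    """Stray segment from a server port to an ephemeral client port: what a
    reply to an earlier outbound HTTP(S) connection looks like."""
    return rec["sport"] in SERVER_PORTS and rec["dport"] >= EPHEMERAL_MIN


def summarize(log_text):
    """Per source IP: distinct ports actually probed (SYN) versus stray
    segments of closed connections, and how many of those look like replies."""
    acc = defaultdict(lambda: {"probed_ports": set(), "stray": 0, "stray_reply_like": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = acc[rec["src"]]
        label = classify(rec)
        if label == "connection_attempt":
            entry["probed_ports"].add(rec["dport"])
        elif label == "stray_closed_conn":
            entry["stray"] += 1
            if looks_like_reply_traffic(rec):
                entry["stray_reply_like"] += 1
    return {src: {"probed_ports": sorted(v["probed_ports"]), "stray": v["stray"],
                  "stray_reply_like": v["stray_reply_like"]} for src, v in acc.items()}


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        verdict = "scan-like" if len(info["probed_ports"]) >= 3 else "not a scan"
        print(f"{src}: {info} -> {verdict}")
```

Run against a real export, a source that only ever produces stray_closed_conn records with an empty probed_ports list (as the two web-server addresses do here) is reply traffic the stateful firewall has aged out, which matches the thread's diagnosis; a source with a growing probed_ports list from SYN-only packets is the pattern an actual scan leaves. Raising the NAT/connection-tracking timeout, or simply not alerting on RST/FIN-only drops, removes the false positive without opening any inbound port.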