F-Secure port scanning/try to connect to our network, how can we stop this?

stmarti
stmarti W/ Alumni Posts: 27 Security Scout

The IP addresses 217.110.97.196, 217.110.97.197, 217.110.97.199, etc. continuously try to connect to our network, trying to open random ports: 64946, 64947, 57208, 54954, etc.

These IP addresses are maintained by some German F-Secure company. Obviously we drop all these connections.

How can we stop F-Secure trying to penetrate our network?!

Comments

  • Ben
    Ben W/ Alumni Posts: 664 Cybercrime Crusader

    Hello Stmarti,

    It looks like your clients are using the ORSP function, but dropping some part of the communication.

    The packages sent from our ORSP servers might then be wrongly interpreted as a port scan.

    Please refer to this article to allow the necessary IP-range from your network.

  • stmarti
    stmarti W/ Alumni Posts: 27 Security Scout

    We are using only Client Security with Policy Manager. So we are not a subscriber for cloud security.

    We are allowing outbound connections, this is not a problem.

    All of the clients and servers are updating perfectly.

    What is strange is that packets are coming from your update services as inbound connection attempts through the WAN port.

    So the F-Secure update servers try to directly connect to our server, this should never happen.

    Here is a sample log from the firewall:

    09:27:31 firewall,info dropped input: in:ether1-gateway out:(none), src-mac 00:25:2e:0e:33:77, proto TCP (RST), 217.110.97.202:80->[our fix wan ip address]:52668, len 40

  • stmarti
    stmarti W/ Alumni Posts: 27 Security Scout

    FIXED

    The suspicious incoming packets are RST or ACK/FIN, and related to already closed NAT connections, so the firewall considers them invalid packets.

    I have run orspdiag.exe, and everything seems normal.

This discussion has been closed.
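
The diagnosis reached in the thread (dropped inbound RST or ACK/FIN packets from port 80 are the tail of connections the clients opened themselves, arriving after the NAT entry closed) can be checked against the firewall log. The following is an added example, not part of the original discussion or of any F-Secure tooling: it separates such stale replies from sources sending bare SYNs to many ports. The addresses 203.0.113.10 and 198.51.100.7, the `ACK,FIN` flag spelling, the service-port set and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log line quoted in the thread.
# 203.0.113.10 (WAN side) and 198.51.100.7 are documentation addresses.
SAMPLE_LOG = """\
09:27:31 firewall,info dropped input: in:ether1-gateway out:(none), src-mac 00:25:2e:0e:33:77, proto TCP (RST), 217.110.97.202:80->203.0.113.10:52668, len 40
09:27:33 firewall,info dropped input: in:ether1-gateway out:(none), src-mac 00:25:2e:0e:33:77, proto TCP (ACK,FIN), 217.110.97.196:80->203.0.113.10:64946, len 40
09:28:02 firewall,info dropped input: in:ether1-gateway out:(none), src-mac 00:25:2e:0e:33:77, proto TCP (SYN), 198.51.100.7:40112->203.0.113.10:22, len 60
09:28:02 firewall,info dropped input: in:ether1-gateway out:(none), src-mac 00:25:2e:0e:33:77, proto TCP (SYN), 198.51.100.7:40113->203.0.113.10:23, len 60
09:28:03 firewall,info dropped input: in:ether1-gateway out:(none), src-mac 00:25:2e:0e:33:77, proto TCP (SYN), 198.51.100.7:40114->203.0.113.10:3389, len 60
"""

LINE_RE = re.compile(
    r"proto TCP \((?P<flags>[A-Z,]+)\), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)")
SERVICE_PORTS = {80, 443}  # assumption: ports the clients talk to outbound

def classify(flags, sport, dport):
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection"      # somebody is opening a connection to us
    if flags & {"RST", "FIN"} and sport in SERVICE_PORTS and dport >= 1024:
        return "stale-reply"         # teardown of a flow our side started
    return "other"

def triage(log_text, scan_threshold=3):
    """Return {source_ip: verdict} for the dropped-packet log lines."""
    kinds, syn_ports = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        kind = classify(set(m["flags"].split(",")), int(m["sport"]), int(m["dport"]))
        kinds[m["src"]].add(kind)
        if kind == "new-connection":
            syn_ports[m["src"]].add(int(m["dport"]))
    verdicts = {}
    for src, seen in kinds.items():
        if len(syn_ports[src]) >= scan_threshold:
            verdicts[src] = "scan-like"       # bare SYNs to many distinct ports
        elif seen == {"stale-reply"}:
            verdicts[src] = "stale-replies"   # matches the thread's diagnosis
        else:
            verdicts[src] = "review"
    return verdicts

if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOG).items():
        print(src, verdict)
```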