
I am stuck with a problem I am unable to solve for almost 2 months now, because I am only able to work in a production environment.

1. Recently my company started receiving port scan attacks that are caught by Symantec Endpoint Protection; they all come from different IP addresses. The company has almost 80 shops in my whole country and the port scans sometimes come from them too.

The network is set in the following order:
ISP Router (also VPN client for other shops)
Sophos XG Firewall (Bridge Mode)
Switch
LAN

I am unable to find a rule that allows for scanning of incoming packets against port scan attacks. The plan is to isolate the least busy store and experiment with rules on that particular one, and try to initiate port scans from there to see if the firewall will drop the packets or again it will be detected by the anti-virus solution once it gets in the LAN. Please advise because I am a beginner in this field and the more I read guides, the more confusing it becomes.


Based on your listed network setup I would hazard to say that the device that is doing the scanning is your ISP's Cisco router, which means it probably has its own "management" subnet that it's assigned itself to, apart from your LAN, which is common. Your 172.* address indicates that the source address is from a Cisco device. The port scanning behavior is most likely device fingerprinting from the ISP to identify what kind of clients are connected on the network and their connected status. If you want to confirm the 172.* device is in fact your ISP's router, you can hop into your firewall and use ARP to see if that address is directly connected.
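The two checks the reply suggests, looking the scanning source up in the firewall's ARP/neighbour table to see whether it is directly attached, and recognising port-scan behaviour per source before deciding whether it is the ISP router, a branch shop over the VPN, or something else, as an added example that is not from this thread. It assumes a Linux-style `ip neigh show` table and a simple key=value log format (both constructed here; Sophos XG's real CLI and syslog output differ), and a constructed 10.8.0.0/16 range standing in for the shops' VPN addresses.

```python
"""Added example, not from the original thread: triage port-scan sources against the
topology described in the question. All input formats and addresses are constructed."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed neighbour (ARP) table in Linux `ip neigh show` style. Assumption: the
# firewall exposes something similar; Sophos XG's real CLI output will differ.
NEIGH_TABLE = """\
172.16.0.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.10 dev br0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.11 dev br0 lladdr aa:bb:cc:dd:ee:02 REACHABLE
10.8.0.5 dev br0 FAILED
"""

# Constructed range for the shops that reach the LAN through the ISP router's VPN.
SHOP_VPN_NETWORKS = [ipaddress.ip_network("10.8.0.0/16")]

# Constructed firewall log lines in a simple key=value form (not Sophos XG's syslog syntax).
ISP_SIDE_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389]
SHOP_SIDE_PORTS = [22, 80, 135, 139, 443, 445, 3389, 5985, 5986, 8080]
LOG_LINES = (
    [f"2024-05-01T10:00:{i:02d} action=drop src=172.16.0.1 dst=192.168.1.10 proto=TCP dport={p}"
     for i, p in enumerate(ISP_SIDE_PORTS)]
    + ["2024-05-01T10:05:00 action=allow src=192.168.1.11 dst=192.168.1.10 proto=TCP dport=445",
       "2024-05-01T10:05:30 action=allow src=192.168.1.11 dst=192.168.1.10 proto=TCP dport=445"]
    + [f"2024-05-01T10:10:{i:02d} action=drop src=10.8.0.5 dst=192.168.1.11 proto=TCP dport={p}"
       for i, p in enumerate(SHOP_SIDE_PORTS)]
)

NEIGH_RE = re.compile(r"^(\S+) dev (\S+)(?: lladdr (\S+))? (\S+)$")
LOG_RE = re.compile(r"^(\S+) action=(\w+) src=(\S+) dst=(\S+) proto=\w+ dport=(\d+)$")


def parse_neighbours(text):
    """Map IP -> {dev, lladdr, state} from `ip neigh show` style lines."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            ip, dev, mac, state = m.groups()
            table[ip] = {"dev": dev, "lladdr": mac, "state": state}
    return table


def is_directly_connected(ip, table):
    """True when the firewall resolved a MAC for the IP, i.e. it sits on an attached segment.
    A FAILED/INCOMPLETE entry means ARP got no answer, so the address is not adjacent."""
    entry = table.get(ip)
    return bool(entry and entry["lladdr"] and entry["state"] not in {"FAILED", "INCOMPLETE"})


def parse_log(lines):
    """Return (timestamp, action, src, dst, dport) tuples sorted by time."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts, action, src, dst, dport = m.groups()
            events.append((datetime.fromisoformat(ts), action, src, dst, int(dport)))
    return sorted(events)


def find_port_scanners(events, min_ports=10, window=timedelta(seconds=60)):
    """Flag sources touching >= min_ports distinct destination ports inside a sliding window.
    Returns src -> highest distinct-port count seen in any window."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, dport)
    flagged = {}
    for ts, _action, src, _dst, dport in events:
        q = recent[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= min_ports:
            flagged[src] = max(len(distinct), flagged.get(src, 0))
    return flagged


def classify_source(ip, neigh_table, shop_networks=SHOP_VPN_NETWORKS):
    """Place a scanning source in the question's topology: adjacent device, shop VPN, or other."""
    addr = ipaddress.ip_address(ip)
    if is_directly_connected(ip, neigh_table):
        return "directly attached (adjacent device such as the ISP router or a LAN host)"
    if any(addr in net for net in shop_networks):
        return "reached via the shops' VPN (branch office range)"
    return "remote / unknown origin"


def triage(lines=LOG_LINES, neigh_text=NEIGH_TABLE):
    """Combine both checks: src -> (distinct ports hit, where the source sits)."""
    table = parse_neighbours(neigh_text)
    scanners = find_port_scanners(parse_log(lines))
    return {src: (ports, classify_source(src, table)) for src, ports in scanners.items()}


if __name__ == "__main__":
    for src, (ports, where) in triage().items():
        print(f"{src}: {ports} distinct ports -> {where}")
```

Run on the constructed sample, the 172.16.0.1 source is flagged and shown as directly attached (it has a resolved MAC on eth0), while 10.8.0.5 is flagged but attributed to the shops' VPN range because ARP for it failed; the host doing two hits on port 445 is not flagged. Against a real firewall the neighbour table and log parser are the two pieces to swap for the appliance's own formats; the sliding-window threshold is the part worth tuning before turning any drop rule on in production.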
