Website Blocking - External IP As Source

Azhar Wahid Lv1Posted 18 Mar 2024 09:49

Last edited by Azhar Wahid 18 Mar 2024 10:01.

Hai Sangforian,

We are using Sangfor NGAF, when generate report on Monitor>Logs>Security Logs(type: Website Access Blocking)

We notice source zone is external IP that trying to access block website. We understand if the source zone is internal IP is normal.

Can someone explain why source zone, external IP that trying to access block website and the destination is our internal IP.

Thank You

Christian Ni has solved this question and earned 20 coins.

Posting a reply earns you 2 coins. An accepted reply earns you 20 coins and another 10 coins for replying within 10 minutes. (Expired) What is Coin?

Enter your mobile phone number and company name for better service. Go

The request appears to have come from a device outside of your network perimeter because the source zone is an external IP. The external IP is attempting to access a resource within your network since the destination is your internal IP. This situation usually arises when an external person or device tries to access a website or resource that your Sangfor NGAF firewall has prohibited or restricted. Your network is secure because the firewall is correctly recognizing the external IP as the source zone and preventing access to the internal IP.
Is this answer helpful?
AimanHakim Lv2Posted 18 Mar 2024 22:55
  
Last edited by AimanHakim 18 Mar 2024 23:57.

Hi, usually when external IP trying to access to a website that leads to internal ip usually means that your server hosted to the public. At the same time, hackers sometimes spam ping to public ip to find out which of them is hosting web or services. This is to plant botnet to extract data in most cases when hackers do.
Prosi Lv3Posted 19 Mar 2024 10:33
  
1. Add a new LDAP Server under the External Auth Server.
2. Enter the details such as Server Name, IP Address of the external authentication server, the admin account username and password and select the BaseDN. After entered all the details, click the Test Validity to check whether able to connect the external authentication server or not.
3. After tested the validity, a message will prompt out to show the result.
4. Click the Sync with all LDAP servers to sync all the data. Now, the configuration is successfully set.
Farina Ahmed Lv5Posted 19 Mar 2024 13:39
  
When observing external IP addresses attempting to access blocked websites with the destination being internal IPs in the Sangfor NGAF security logs, it likely indicates attempted breaches or unauthorized access originating from outside the organization network. This scenario could suggest potential cyber threats such as phishing attempts, malware infiltration, or unauthorized access attempts targeting internal resources.
mdamores Posted 19 Mar 2024 13:55
  
Hi,

below are some scenario on why you could see internal IP on the blocking logs.

1. attackers often use IP spoofing to mask their identities when trying to access restricted resources
2. if users within your network are using proxy servers to access internet
3. if users are connected to your network via VPN, there is a possibility that the source zone will show internal IP when accessing blocked websites
Tayyab0101 Lv2Posted 19 Mar 2024 14:37
  
hackers try to send spam message just to invoke.
check the users for VPN proxy usage
Enrico Vanzetto Lv4Posted 19 Mar 2024 16:23
  
Hi, when you notice external IP addresses trying to reach blocked websites, with the target being internal IPs as seen in the Sangfor NGAF security logs, it’s likely a sign of attempted violations or unauthorized access originating from outside the organization’s network.
Typically, when an external IP attempts to access a website that redirects to an internal IP, it often indicates that your server is publicly hosted. Concurrently, hackers may frequently ping public IPs to identify which ones are hosting websites or services.
pmateus Lv2Posted 19 Mar 2024 17:09
  
Hi,

This should too be related to some kind of threshold of traffic from an external ip to yours websites that is blocking the ip after many requests from same source ip.

Newbie517762 Lv5Posted 19 Mar 2024 17:22
  
The NGAF is doing its job by preventing unauthorized access to your internal resources. The external IP attempting to access the blocked website is effectively thwarted by the firewall rules.

The NGAF is a powerful security solution that combines traditional firewall capabilities with intelligent detection and web application security. It’s designed to safeguard your network perimeter and protect against external threats.
Zonger Lv5Posted 19 Mar 2024 20:23
  
In Sangfor NGAF, when you generate a report under Monitor > Logs > Security Logs with the type set to "Website Access Blocking," you observe that the source zone is an external IP address attempting to access a blocked website. This is not unusual, as external IPs can also try to access websites that have been blocked by your security system.

The source zone being an external IP indicates that the request originated from a device outside your network perimeter. The destination refers to your internal IP, which means the external IP is trying to access a resource within your network. This scenario typically occurs when the external user or device is attempting to reach a website or resource that has been blocked or restricted by your Sangfor NGAF firewall. The firewall is correctly identifying the external IP as the source zone and blocking the access to the internal IP, ensuring the security of your network.

I Can Help:

Change

Moderator on This Board

11
7
5

Started Topics

Followers

Follow

1
3
5

Started Topics

Followers

Follow

0
4
5

Started Topics

Followers

Follow

67
20
3

Started Topics

Followers

Follow

3
14
3

Started Topics

Followers

Follow

1
137
3

Started Topics

Followers

Follow

Board Leaders