topic Re: Threat logs from DNS Proxy zone not showing source IP in General Topics

Threat logs from DNS Proxy zone not showing source IP

averageTechnician — Tue, 09 Jul 2024 12:36:24 GMT

We use DNS Proxy on 3 of our zones with the firewall IP as the address that the traffic is proxied to. In other words, the firewall proxies the network traffic with it's own IP address.

However, in the threat logs, we have some threats that do not show the original source IP and instead show the firewall's IP as the source address, due to the proxy.

How can I get the true source IP?

Regards and thanks in advance,

AverageTechnician

Re: Threat logs from DNS Proxy zone not showing source IP

reaper — Wed, 10 Jul 2024 10:14:45 GMT

having sinkhole enabled will reveal the source IP as that will connect to the sinkhole IP address

to detect the malicious DNS looklup from the original client, you'd need to create a security rule from the source subnet to the proxy IP with security profiles enabled, so the original request is intercepted

Re: Threat logs from DNS Proxy zone not showing source IP

averageTechnician — Wed, 10 Jul 2024 14:31:21 GMT

I will go configure this and report back. Thank you very much, I thought nobody would respond.

I also read the second edition of your textbook and it was great when I got this job