08-25-2023 10:01 AM
I have seen unusual traffic in the Firewall.
A lot of sessions are generated from an interface (inside) to the IP Address 5.5.5.5 to the outside interface.
I would like to know what process or the reason to the Firewall generated this traffic.
I check the NAT Route and I don't have to configure something like that.
I am a little bit worried, I don't know if it is possible to a malware or something like that.
08-25-2023 12:31 PM
Hi @Oscarresendiz ,
It looks like the 5.5.5.5 address is registered in Germany by using public IP address lookups. I would review which security policy is allowing that connection out, review which port/protocol it is using, when the traffic started, and as well as which internal source IP address is reaching out to 5.5.5.5.
08-26-2023 11:36 PM
Behind this IP it does not look like that there is very much useful things behind it. At least when you check virustotal for it ( https://www.virustotal.com/gui/ip-address/5.5.5.5/relations ).
In addition to the things to check mentionned by @JayGolf, which application do you see in the logs and are there bytes received?
08-28-2023 07:16 PM
If you have DNS security you can enable sinkhold to verify if your host is requesting connect to a bad server.
Can you share the traffic and threat logs?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
