This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Wildfire Alert reporting source and destination NATs that aren't configured on associated firewalls

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Wildfire Alert reporting source and destination NATs that aren't configured on associated firewalls

jstcolorado
L1 Bithead

‎11-21-2016 03:03 PM

Greetings,

 

We've had several Wildfire Alerts that show both the source and destination addresses translated yet NAT is not configured.  For the subject data flow, the source is an external network for which we have no control.  The destination is our client.  The Alert shows that that the Source address is being translated to another address that is not under our control.  The destination address is shown as being translated to our firewall's address.  NAT is not configured for either situation in our PA firewalls.  Any ideas? 

 

Thanks!

1 person had this problem.
0 Likes Likes
2 REPLIES 2

santonic
L6 Presenter

‎11-21-2016 11:04 PM

Check the ports. TCP connection was probably in the other direction; from client to internet for which you have destination (hide) NAT. Like normal web browsing session goes.

0 Likes Likes

jstcolorado
L1 Bithead

‎11-22-2016 07:55 AM

The flow started with out client connecting via TCP 80 to an external web server.  The web server, in return, downloaded software to our client.  This thread is focused  on the server to client communication - Server [TCP-80] to client [61905].

 

The server IP is shown in the Wildfire Threat alert as being translated to another external IP.  The client is being shown as being translated to our firewalls IP.  What's interesting is that the client IP is also seen in PCAPs going to other Internet sites without address translation and we've  verified that we have no firewall configurations to translate the client IP.  The server IP was also seen in another Wildfire Threat Alert and the Alert specifies that it was translated to yet another address.  Here are the threat alerts that show the server IP being tranlated to two different addresses.  Note that I used ficticious addresses for the purpose of this exampbe

 

Threat Allert #1: medium: 1.1.1.1 ->2.2.2.2 Windows Executable

subtype: wildfire

category: malicious

direction: server-to-client

src: 1.1.1.1 (remote server)

dst: 2.2.2.2 (our client)

natsrc: 3.3.3.3 (??????)

natdst: 4.4.4.4 (Local PA firewall IP)

 

Threat Alert #2: medium: 1.1.1.1 -> 2.2.2.2 Windows Executable

subtype: wildfire

category: malicious

direction: server-to-client

src: 1.1.1.1 (same remote server)

dst: 2.2.2.2 (same client)

natsrc: 5.5.5.5 (server translated to a differnet IP this time)

natdst: 4.4.4.4 (Local PA firewall IP)

 

 

 

 

0 Likes Likes
  • 1768 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks