Wildfire Alert reporting source and destination NATs that aren't configured on associated firewalls

jstcolorado
L1 Bithead

Greetings,

We've had several WildFire Alerts that show both the source and destination addresses translated, yet NAT is not configured. For the subject data flow, the source is an external network over which we have no control. The destination is our client. The Alert shows that the source address is being translated to another address that is not under our control. The destination address is shown as being translated to our firewall's address. NAT is not configured for either situation in our PA firewalls. Any ideas?


Thanks!

santonic
L5 Sessionator

Check the ports. The TCP connection was probably in the other direction: from the client to the internet, for which you have destination (hide) NAT, like a normal web browsing session.
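
To make the point above concrete, here is a small model of an outbound hide NAT and of what the same session looks like when it is read from the server-to-client side. This is an added example, not code from the thread or from Palo Alto Networks; the inside network 2.2.2.0/24, the firewall address 4.4.4.4, the client port 61905 and the server 1.1.1.1:80 are constructed values that reuse the poster's fictitious addresses, and the c2s/s2c field names are assumed for illustration only.

```python
"""Outbound hide (source) NAT and the per-direction view of one translated session.

Added example, not from the thread. Addresses are constructed and reuse the
poster's fictitious values; the c2s/s2c field layout is an assumption.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class HideNat:
    """Source (hide) NAT: hosts in inside_net egress as firewall_ip with a new source port."""
    inside_net: str
    firewall_ip: str
    next_port: int = 40000
    # translated (ip, port) -> original (ip, port), i.e. the firewall's session table
    sessions: dict = field(default_factory=dict)

    def outbound(self, flow: Flow):
        """Translate a client-initiated flow. Only the source is rewritten;
        the destination (the external server) is never touched by this rule."""
        if ip_address(flow.src) not in ip_network(self.inside_net):
            return flow, None  # no NAT rule matches: nothing is translated
        xlate_port = self.next_port
        self.next_port += 1
        self.sessions[(self.firewall_ip, xlate_port)] = (flow.src, flow.sport)
        return Flow(self.firewall_ip, xlate_port, flow.dst, flow.dport), xlate_port

    def inbound_reply(self, flow: Flow):
        """Un-translate a server reply by looking up the session it belongs to.
        Returns None when no session exists (unsolicited inbound traffic)."""
        orig = self.sessions.get((flow.dst, flow.dport))
        if orig is None:
            return None
        return Flow(flow.src, flow.sport, orig[0], orig[1])


def session_views(nat: HideNat, client: str, cport: int, server: str, sport: int):
    """Return pre-/post-NAT addresses of one session as seen from each direction.

    The server-to-client view is the same session with the endpoints swapped:
    'natdst' there is the address the server actually sent its packets to,
    which is the firewall's egress IP, even though no NAT rule names the server.
    """
    pre = Flow(client, cport, server, sport)          # what the client sent
    post, _ = nat.outbound(pre)                       # what left the firewall
    reply_post = Flow(server, sport, post.src, post.sport)  # what the server sends back
    reply_pre = nat.inbound_reply(reply_post)         # what reaches the client
    return {
        "client-to-server": {"src": pre.src, "dst": pre.dst,
                             "natsrc": post.src, "natdst": post.dst},
        "server-to-client": {"src": reply_post.src, "dst": reply_pre.dst,
                             "natsrc": reply_post.src, "natdst": reply_post.dst},
    }


if __name__ == "__main__":
    nat = HideNat(inside_net="2.2.2.0/24", firewall_ip="4.4.4.4")
    for direction, fields in session_views(nat, "2.2.2.2", 61905, "1.1.1.1", 80).items():
        print(direction, fields)
```

Run as a script, the server-to-client view comes out with dst 2.2.2.2 and natdst 4.4.4.4, which is what the poster sees for the client side. Note the caveat the model also makes visible: a plain hide NAT leaves the server's address untouched in both directions (natsrc equals src), so a server address that appears translated is not explained by the client's outbound hide NAT alone.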

jstcolorado
L1 Bithead

The flow started with our client connecting via TCP 80 to an external web server. The web server, in return, downloaded software to our client. This thread is focused on the server-to-client communication: Server [TCP-80] to client [61905].


The server IP is shown in the WildFire Threat alert as being translated to another external IP. The client is shown as being translated to our firewall's IP. What's interesting is that the client IP is also seen in PCAPs going to other Internet sites without address translation, and we've verified that we have no firewall configurations to translate the client IP. The server IP was also seen in another WildFire Threat Alert, and that Alert specifies that it was translated to yet another address. Here are the threat alerts that show the server IP being translated to two different addresses. Note that I used fictitious addresses for the purpose of this example.

Threat Alert #1: medium: 1.1.1.1 -> 2.2.2.2 Windows Executable
subtype: wildfire
category: malicious
direction: server-to-client
src: 1.1.1.1 (remote server)
dst: 2.2.2.2 (our client)
natsrc: 3.3.3.3 (??????)
natdst: 4.4.4.4 (Local PA firewall IP)

Threat Alert #2: medium: 1.1.1.1 -> 2.2.2.2 Windows Executable
subtype: wildfire
category: malicious
direction: server-to-client
src: 1.1.1.1 (same remote server)
dst: 2.2.2.2 (same client)
natsrc: 5.5.5.5 (server translated to a different IP this time)
natdst: 4.4.4.4 (Local PA firewall IP)
