This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Unusually Large Pings Detected by Firewall Monitoring. Any Ideas?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Unusually Large Pings Detected by Firewall Monitoring. Any Ideas?

DanielC_LCC
L1 Bithead

‎08-01-2021 09:12 PM

Hi All,

 

We are running Panorama 8.1 (Has been upgraded to 9.1.10 since the issue occurred). The Firewall itself is a 3260 running 9.1.4

We have seen a few instances in the past 3 months where a session has been detected by the Firewall that shows a simple ping has been sent from our monitoring servers (We have two which are running completely different products on each) to a Network device (Cisco Switches and Routers). What is unusual about this is the amount of data that is either being sent or received as part of this ping. See image for our Solarwinds below. In one instance 300+MB was transferred. The data transfer during each session is not equal. In the first entry the sending device only transfers 60Bytes and receives over 300MB. Sometimes it is the other way around. 

Monitoring.JPG

 

I have ruled out extended pings (ping -t). The firewall shows these as a series of pings not a single event. I have also checked log files on the Cisco network devices and on the monitoring boxes. Nothing immediately stands out.

 

Has anyone seen this before or have any ideas.

 

Thanks

0 Likes Likes
5 REPLIES 5

Remo
L7 Applicator

‎08-01-2021 10:52 PM

Hi @DanielC_LCC 

Is the destination an internsl IP? What was the start time of that session and how many packets were transfere?

So far I assume this is a monitoring ping to a device in your network which was running for weeks already. Now that the session ended the bytes of all these pings were added together and result in these numbers that you see.

0 Likes Likes

DanielC_LCC
L1 Bithead
In response to Remo

‎08-01-2021 11:04 PM

Hi @Remo 

Yes it is an internal IP. The start time was 15:37.  Yes it is a monitoring ping that runs every 15 seconds. I do not believe it was a series of pings added together as we are only seeing one packet sent with 334000 sent back? Also 4 pings a minute for half an hour should not equate to 300+MB.

Details.JPG

 

Thanks

0 Likes Likes

Remo
L7 Applicator
In response to DanielC_LCC

‎08-01-2021 11:46 PM

This IP where the ping is sent to, is this IP even active or is it a device that no longer exist?

0 Likes Likes

Remo
L7 Applicator
In response to Remo

‎08-02-2021 12:14 AM - edited ‎08-02-2021 12:14 AM

Do you allow ping in both directions?

0 Likes Likes

DanielC_LCC
L1 Bithead
In response to Remo

‎08-03-2021 03:11 PM

Yes we do.

0 Likes Likes
  • 3037 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks