08-14-2014 12:52 PM
Hello Team,
We got the below threat alert from Panorama and are not able to understand most of it, such as the source and destination. Both IPs look to be outside my network, but it is still showing the rule Outbound_Default_URL_IPS, one of my outbound policies with a threat prevention rule. Can anyone please explain this to me?
Wondering how an external IP can be the source IP on an internal interface of the firewall?
THREAT ALERT : high : 169.254.254.238 -> 169.254.255.255 Microsoft Windows NAT Helper DNS Query Denial of Service(31339) alert
domain: 1
receive_time: 2014/08/13 03:10:35
serial: 001801004403
seqno: 30536660
actionflags: 0x0
type: THREAT
subtype: vulnerability
config_ver: 1
time_generated: 2014/08/13 03:10:30
src: 169.254.254.238
dst: 169.254.255.255
natsrc:
natdst:
rule: Outbound_Default_URL_IPS
srcuser:
dstuser:
srcloc: 169.254.0.0-169.254.255.255
dstloc: 169.254.0.0-169.254.255.255
app: dns
vsys: vsys1
from: trust
to: untrust
inbound_if: ethernet1/2
outbound_if: ethernet1/1
logset: Panorama
time_received: 2014/08/13 03:10:34
sessionid: 7567
repeatcnt: 1
sport: 53
dport: 53
natsport: 0
natdport: 0
flags: 0x80000000
proto: udp
action: alert
cpadding: 0
threatid: Microsoft Windows NAT Helper DNS Query Denial of Service(31339)
category: any
contenttype:
behavior: 0x0400000000000000000000000000000000000000000000000000000000000000
severity: high
direction: client-to-server
misc: