Website Blocking - External IP As Source

Azhar Wahid Lv1 Posted 18 Mar 2024 09:49

Last edited by Azhar Wahid 18 Mar 2024 10:01.

Hi Sangforians,

We are using Sangfor NGAF. When we generate a report under Monitor > Logs > Security Logs (type: Website Access Blocking),

we notice the source zone is an external IP that is trying to access a blocked website. We understand that it is normal if the source zone is an internal IP.

Can someone explain why the source zone is an external IP that is trying to access a blocked website, and the destination is our internal IP?

Thank You

Christian Ni has solved this question and earned 20 coins.


The request appears to have come from a device outside of your network perimeter because the source zone is an external IP. The external IP is attempting to access a resource within your network since the destination is your internal IP. This situation usually arises when an external person or device tries to access a website or resource that your Sangfor NGAF firewall has prohibited or restricted. Your network is secure because the firewall is correctly recognizing the external IP as the source zone and preventing access to the internal IP.
jerome_itable Lv3 Posted 25 Mar 2024 11:54
  
You're right, in a typical scenario, website access blocking logs from Sangfor NGAF should show an internal IP (source) trying to access a blocked website (destination). Here are some potential explanations for why you're seeing external IPs as the source:

    Forwarded Traffic:

    Your Sangfor NGAF might be configured as a reverse proxy. This means external traffic destined for specific internal web servers gets routed through Sangfor NGAF first. If the website accessed through this proxy is blocked, the logs might show the external source IP that originally requested the website, not the internal server's IP.

    VPN or Remote Access:

    If users are accessing your internal network through a VPN or remote desktop connection, their traffic might appear to originate from the external VPN endpoint's IP address. If they attempt to access a blocked website while connected remotely, the source zone would show the external VPN IP.

    DNS Spoofing or Man-in-the-Middle Attack (Less Likely):

    In a less likely scenario, an attacker might be trying to spoof their IP address or perform a man-in-the-middle attack. This would involve manipulating DNS records or network traffic to make it appear as if the blocked website access originated from an external IP.

Recommendations:

    Review Sangfor NGAF Configuration: Check if your Sangfor NGAF is configured as a reverse proxy for any internal web servers.
    Investigate VPN Usage: If you have a VPN setup, analyze logs to see if website access attempts coincide with VPN usage.
    Monitor for Suspicious Activity: While DNS spoofing is less common, keep an eye out for unusual access patterns or other signs of a potential attack.
Zonger Lv5 Posted 19 Mar 2024 20:23
  
In Sangfor NGAF, when you generate a report under Monitor > Logs > Security Logs with the type set to "Website Access Blocking," you observe that the source zone is an external IP address attempting to access a blocked website. This is not unusual, as external IPs can also try to access websites that have been blocked by your security system.

The source zone being an external IP indicates that the request originated from a device outside your network perimeter. The destination refers to your internal IP, which means the external IP is trying to access a resource within your network. This scenario typically occurs when the external user or device is attempting to reach a website or resource that has been blocked or restricted by your Sangfor NGAF firewall. The firewall is correctly identifying the external IP as the source zone and blocking the access to the internal IP, ensuring the security of your network.
Newbie517762 Lv5 Posted 19 Mar 2024 17:22
  
The NGAF is doing its job by preventing unauthorized access to your internal resources. The external IP attempting to access the blocked website is effectively thwarted by the firewall rules.

The NGAF is a powerful security solution that combines traditional firewall capabilities with intelligent detection and web application security. It’s designed to safeguard your network perimeter and protect against external threats.
pmateus Lv2 Posted 19 Mar 2024 17:09
  
Hi,

This should also be related to some kind of traffic threshold from an external IP to your websites that blocks the IP after many requests from the same source IP.
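The explanations jerome_itable lists above (reverse-proxied servers, remote users behind a VPN endpoint, anything else inbound) and the per-source threshold pmateus mentions can be turned into a quick triage pass over an exported blocking log. The script below is an added example, not Sangfor code and not anyone's reply in this thread: the CSV field layout, the WAN/LAN zone names, the sample log lines and the addresses are all constructed for the example, and the VPN endpoint and published-server lists are assumptions you would replace with your own.

```python
import csv
import io
import ipaddress
from collections import Counter

# Field layout of the constructed sample below. This is an assumption for the
# example; export the real columns from Monitor > Logs > Security Logs and
# adjust FIELDS to match.
FIELDS = ["time", "log_type", "src_zone", "src_ip", "dst_zone", "dst_ip", "url", "action"]

# Constructed sample lines (not real Sangfor output). Addresses come from
# documentation ranges; 192.168.10.0/24 stands in for the internal LAN.
SAMPLE_LOG = """\
2024-03-18 09:10:01,Website Access Blocking,WAN,203.0.113.45,LAN,192.168.10.20,http://192.168.10.20/admin,block
2024-03-18 09:10:02,Website Access Blocking,WAN,203.0.113.45,LAN,192.168.10.20,http://192.168.10.20/login,block
2024-03-18 09:10:03,Website Access Blocking,WAN,203.0.113.45,LAN,192.168.10.20,http://192.168.10.20/,block
2024-03-18 09:11:15,Website Access Blocking,LAN,192.168.10.55,WAN,198.51.100.7,http://blocked.example/,block
2024-03-18 09:12:40,Website Access Blocking,WAN,198.51.100.200,LAN,192.168.10.20,http://192.168.10.20/,block
2024-03-18 09:12:58,Website Access Blocking,WAN,203.0.113.9,LAN,192.168.10.30,http://192.168.10.30/,block
2024-03-18 09:13:00,Website Access Blocking,WAN,not-an-ip,LAN,192.168.10.20,http://192.168.10.20/,block
"""


def parse_log(text):
    """Turn CSV-style log text into dicts; rows with the wrong field count are dropped."""
    reader = csv.reader(io.StringIO(text))
    return [dict(zip(FIELDS, row)) for row in reader if len(row) == len(FIELDS)]


def classify(rec, vpn_endpoints, published_servers):
    """Label one blocking record using the explanations offered in the thread."""
    try:
        ipaddress.ip_address(rec["src_ip"])
        ipaddress.ip_address(rec["dst_ip"])
    except ValueError:
        return "malformed"                  # unparsable address: skip rather than misclassify
    src_external = rec["src_zone"].upper() == "WAN"   # zone naming is an assumption
    dst_internal = rec["dst_zone"].upper() == "LAN"
    if not src_external:
        return "internal-client"            # the expected case the question describes
    if not dst_internal:
        return "external-to-external"
    if rec["src_ip"] in vpn_endpoints:
        return "vpn-remote-user"            # remote users egressing via a known VPN endpoint
    if rec["dst_ip"] in published_servers:
        return "published-server"           # a server the NGAF publishes / reverse-proxies
    return "unexplained-inbound"            # external -> internal with no known explanation


def triage(text, vpn_endpoints=frozenset(), published_servers=frozenset(), threshold=3):
    """Count records per category and list external sources that hit
    internal hosts at least `threshold` times (the repeat-offender check)."""
    categories = Counter()
    hits_per_source = Counter()
    for rec in parse_log(text):
        cat = classify(rec, vpn_endpoints, published_servers)
        categories[cat] += 1
        if cat in ("unexplained-inbound", "published-server"):
            hits_per_source[rec["src_ip"]] += 1
    repeat_sources = sorted(ip for ip, n in hits_per_source.items() if n >= threshold)
    return {"categories": dict(categories), "repeat_sources": repeat_sources}


if __name__ == "__main__":
    # Assumed VPN endpoint and published server for the sample; replace with your own.
    result = triage(SAMPLE_LOG, vpn_endpoints={"198.51.100.200"},
                    published_servers={"192.168.10.30"})
    for cat, n in sorted(result["categories"].items()):
        print(f"{cat:22s} {n}")
    print("repeat sources:", result["repeat_sources"])
```

Anything left in the "unexplained-inbound" bucket after you have filled in your real VPN endpoints and published servers is what the recommendations above ask you to look at; the repeat-source list is the same idea as the per-IP threshold, applied offline to the export so you can see which addresses would trip it.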

Enrico Vanzetto Lv4 Posted 19 Mar 2024 16:23
  
Hi, when you notice external IP addresses trying to reach blocked websites, with the target being internal IPs as seen in the Sangfor NGAF security logs, it’s likely a sign of attempted violations or unauthorized access originating from outside the organization’s network.
Typically, when an external IP attempts to access a website that redirects to an internal IP, it often indicates that your server is publicly hosted. Concurrently, hackers may frequently ping public IPs to identify which ones are hosting websites or services.
Tayyab0101 Lv2 Posted 19 Mar 2024 14:37
  
Hackers try to send spam messages just to invoke.
Check the users for VPN/proxy usage.
mdamores Posted 19 Mar 2024 13:55
  
Hi,

Below are some scenarios on why you could see an internal IP in the blocking logs.

1. Attackers often use IP spoofing to mask their identities when trying to access restricted resources.
2. Users within your network are using proxy servers to access the internet.
3. If users are connected to your network via VPN, there is a possibility that the source zone will show an internal IP when accessing blocked websites.
Farina Ahmed Lv5 Posted 19 Mar 2024 13:39
  
When observing external IP addresses attempting to access blocked websites with the destination being internal IPs in the Sangfor NGAF security logs, it likely indicates attempted breaches or unauthorized access originating from outside the organization network. This scenario could suggest potential cyber threats such as phishing attempts, malware infiltration, or unauthorized access attempts targeting internal resources.
Prosi Lv3 Posted 19 Mar 2024 10:33
  
1. Add a new LDAP Server under the External Auth Server.
2. Enter the details such as Server Name, IP Address of the external authentication server, the admin account username and password, and select the BaseDN. After entering all the details, click Test Validity to check whether it is able to connect to the external authentication server or not.
3. After testing the validity, a message will prompt to show the result.
4. Click Sync with all LDAP servers to sync all the data. Now the configuration is successfully set.
