Christian Ni Lv1 Posted 19 Mar 2024 23:02
  
The request appears to have come from a device outside of your network perimeter because the source zone is an external IP. The external IP is attempting to access a resource within your network since the destination is your internal IP. This situation usually arises when an external person or device tries to access a website or resource that your Sangfor NGAF firewall has prohibited or restricted. Your network is secure because the firewall is correctly recognizing the external IP as the source zone and preventing access to the internal IP.
jerome_itable Lv3 Posted 25 Mar 2024 11:54
  
You're right, in a typical scenario, website access blocking logs from Sangfor NGAF should show an internal IP (source) trying to access a blocked website (destination). Here are some potential explanations for why you're seeing external IPs as the source:

    Forwarded Traffic:

    Your Sangfor NGAF might be configured as a reverse proxy. This means external traffic destined for specific internal web servers gets routed through Sangfor NGAF first. If the website accessed through this proxy is blocked, the logs might show the external source IP that originally requested the website, not the internal server's IP.

    VPN or Remote Access:

    If users are accessing your internal network through a VPN or remote desktop connection, their traffic might appear to originate from the external VPN endpoint's IP address. If they attempt to access a blocked website while connected remotely, the source zone would show the external VPN IP.

    DNS Spoofing or Man-in-the-Middle Attack (Less Likely):

    In a less likely scenario, an attacker might be trying to spoof their IP address or perform a man-in-the-middle attack. This would involve manipulating DNS records or network traffic to make it appear as if the blocked website access originated from an external IP.

Recommendations:

    Review Sangfor NGAF Configuration: Check if your Sangfor NGAF is configured as a reverse proxy for any internal web servers.
    Investigate VPN Usage: If you have a VPN setup, analyze logs to see if website access attempts coincide with VPN usage.
    Monitor for Suspicious Activity: While DNS spoofing is less common, keep an eye out for unusual access patterns or other signs of a potential attack.
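As an added example that is not part of the thread and not Sangfor's own code, the script below shows how a defender could triage web-access block logs along the lines the reply above suggests: keep the normal case (internal client, blocked external site) separate from entries whose source address is external, and tag the latter with the explanation to check first (VPN zone, reverse proxy publishing an internal server, or something unexpected). The log layout is a constructed key=value stand-in, not the real NGAF export format; the INTERNAL_NETS ranges and the VPN_ZONES zone names are assumptions to adjust to the deployment.

```python
import ipaddress

# Constructed sample entries in a simplified key=value layout. This is NOT the
# real Sangfor NGAF log format; it only stands in so the example runs offline.
SAMPLE_LOGS = [
    "time=2024-03-19T22:55:01 action=block category=web_access src_zone=trust src=10.1.20.15 dst_zone=untrust dst=203.0.113.50 url=blocked.example",
    "time=2024-03-19T22:56:13 action=block category=web_access src_zone=untrust src=198.51.100.7 dst_zone=trust dst=10.1.10.5 url=intranet.example",
    "time=2024-03-19T22:57:40 action=block category=web_access src_zone=sslvpn src=198.51.100.9 dst_zone=untrust dst=203.0.113.51 url=blocked.example",
    "time=2024-03-19T22:58:02 action=allow category=web_access src_zone=trust src=10.1.20.16 dst_zone=untrust dst=203.0.113.52 url=ok.example",
    "time=2024-03-19T22:59:10 action=block category=web_access src_zone=untrust src=not-an-ip dst_zone=trust dst=10.1.10.5 url=intranet.example",
]

# Address space the organisation treats as internal (RFC 1918; an assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Zone names the firewall admin gave to remote-access zones (assumed; adjust to the deployment).
VPN_ZONES = {"sslvpn", "vpn"}


def parse_line(line: str) -> dict:
    """Split a key=value log line into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_internal(ip_text: str) -> bool:
    """True if the address parses and falls inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def classify(entry: dict) -> tuple:
    """Return (verdict, reason) for one parsed entry.

    'expected' : internal client blocked from a site (the normal case)
    'review'   : external source; the reason names the explanation to check first
    'ignore'   : not a web-access block at all
    """
    if entry.get("action") != "block" or entry.get("category") != "web_access":
        return ("ignore", "not a web-access block")
    src = entry.get("src", "")
    try:
        ipaddress.ip_address(src)
    except ValueError:
        # A log line whose source field is not an address should be looked at, not silently skipped.
        return ("review", "source address does not parse: %r" % src)
    if is_internal(src):
        return ("expected", "internal client blocked from a site")
    if entry.get("src_zone", "") in VPN_ZONES:
        return ("review", "external source on VPN zone: remote user traffic (correlate with VPN logs)")
    if is_internal(entry.get("dst", "")):
        return ("review", "external source to internal destination: reverse proxy publishing or unexpected inbound access")
    return ("review", "external source to external destination: unexpected, investigate")


def triage(lines) -> list:
    """Parse every line and return a list of (verdict, reason, entry) tuples."""
    results = []
    for line in lines:
        entry = parse_line(line)
        verdict, reason = classify(entry)
        results.append((verdict, reason, entry))
    return results


def summarize(lines) -> dict:
    """Count entries per verdict, e.g. to spot a sudden rise in 'review' items."""
    counts = {"expected": 0, "review": 0, "ignore": 0}
    for verdict, _, _ in triage(lines):
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    for verdict, reason, entry in triage(SAMPLE_LOGS):
        if verdict != "ignore":
            print(f"{entry['time']} {entry['src']:>15} -> {entry['dst']:<15} {verdict:8} {reason}")
```

Run over the constructed sample, the script reports one expected entry and three to review: an external address reaching an internal server (check whether that server is published through the firewall), an external address in the VPN zone (the remote-user case from the reply), and a malformed source field. Feeding it a real export only requires replacing parse_line with one that understands the firewall's actual field names.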
