Thursday, March 14, 2019

JunOS policy + logging?

Inherited an srx240h2 and need some help with finding some bad traffic. Abuse complaints from the outbound NAT IP, but I am having a hell of a time finding out what the actual source IP is behind the FW. I set up a policy to deny the busiest hosts and that broke something, so I had to remove it. I then created a policy locked down to the busiest host and known good destination IPs. However, when looking at the logs I still see traffic to IPs not in the 'destination address' group. So how do I set up a policy locked down to destination IP? None of the destination IPs in the logging screenshot are specified in the policy, so they should be dropped, but I am simply not seeing it.

And if someone can tell me an easy way to identify bad traffic with no destination IP and no knowledge of what is behind it, that would be super helpful. Assume I have no access to anything behind the firewall outside of a list of IPs.

https://imgur.com/a/BmqZD7P
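The source behind the NAT IP can be recovered from the SRX's own session logs rather than from the policy itself: each RT_FLOW_SESSION_CREATE record carries both the pre-NAT source-address and the nat-source-address/nat-source-port the outside world saw. The script below is an added example, not from the original post; it parses constructed sample lines in the SRX structured-syslog format and maps an abuse complaint's (NAT IP, NAT port, destination) back to the internal host, and counts sessions per internal host for a given destination port to find the busiest talkers.

```python
import re
from collections import Counter

# Constructed RT_FLOW_SESSION_CREATE/CLOSE lines in SRX structured-syslog format.
# Sample data only; addresses are documentation ranges, not real traffic.
SAMPLE_LOG = """\
RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.0.0.25" source-port="51000" destination-address="203.0.113.9" destination-port="25" service-name="junos-smtp" nat-source-address="198.51.100.2" nat-source-port="17310" nat-destination-address="203.0.113.9" nat-destination-port="25" src-nat-rule-name="out" dst-nat-rule-name="None" protocol-id="6" policy-name="allow-out" source-zone-name="trust" destination-zone-name="untrust" session-id-32="1001"]
RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.0.0.25" source-port="51001" destination-address="203.0.113.10" destination-port="25" service-name="junos-smtp" nat-source-address="198.51.100.2" nat-source-port="17311" nat-destination-address="203.0.113.10" nat-destination-port="25" src-nat-rule-name="out" dst-nat-rule-name="None" protocol-id="6" policy-name="allow-out" source-zone-name="trust" destination-zone-name="untrust" session-id-32="1002"]
RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.0.0.7" source-port="40200" destination-address="192.0.2.80" destination-port="443" service-name="junos-https" nat-source-address="198.51.100.2" nat-source-port="17312" nat-destination-address="192.0.2.80" nat-destination-port="443" src-nat-rule-name="out" dst-nat-rule-name="None" protocol-id="6" policy-name="allow-out" source-zone-name="trust" destination-zone-name="untrust" session-id-32="1003"]
RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="10.0.0.7" source-port="40200" destination-address="192.0.2.80" destination-port="443"]
"""

# Matches key="value" pairs inside the structured-data bracket.
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_sessions(log_text):
    """Return one dict of fields per RT_FLOW_SESSION_CREATE line; other records are skipped."""
    sessions = []
    for line in log_text.splitlines():
        if "RT_FLOW_SESSION_CREATE" in line:
            sessions.append(dict(KV_RE.findall(line)))
    return sessions


def find_internal_source(sessions, nat_ip, nat_port, dst_ip):
    """Map the (NAT IP, NAT port, destination) from an abuse complaint back to
    the pre-NAT source-address. Returns a sorted list of candidate internal hosts."""
    return sorted({
        s["source-address"] for s in sessions
        if s.get("nat-source-address") == nat_ip
        and s.get("nat-source-port") == str(nat_port)
        and s.get("destination-address") == dst_ip
    })


def sessions_per_source(sessions, dst_port=None):
    """Count sessions per internal host, optionally only for one destination port
    (e.g. 25 when the complaint is about outbound SMTP)."""
    counts = Counter()
    for s in sessions:
        if dst_port is None or s.get("destination-port") == str(dst_port):
            counts[s["source-address"]] += 1
    return counts


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_LOG)
    print(find_internal_source(sess, "198.51.100.2", 17310, "203.0.113.9"))  # ['10.0.0.25']
    print(sessions_per_source(sess, 25).most_common(3))  # [('10.0.0.25', 2)]
```

These records only exist for policies configured with `then log session-init` (and `session-close`), so the permit policy covering the outbound traffic needs logging turned on before a complaint can be traced this way.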
