Watchguard Firewall - Any Experts..?
I've been having an issue with hosts losing Internet Connectivity whilst connected behind a Watchguard firewall off one of the interfaces. I have discovered that the loss of connection happens when the logs start firing up these messages. There are a lot more with different IPs, but you get the idea.
Does anyone know what the port=7 and port=9 correspond to? These are not the interfaces on the Watchguard, as they go up 0, 1, 2, 3, 4, 5, 6, 7, and only 0 through to 5 are used. Also when tracing the MAC addresses, they are not related to any switch ports...
Anyone got experience of Watchguards?
2013-10-02 15:22:50 firewall ARP spoofing attack!ip=172.27.100.7 mac=00:1f:12:2d:61:81 port=7 id="0000-0000"
2013-10-02 15:22:51 firewall ARP spoofing attack!ip=172.27.100.7 mac=00:1f:12:2d:61:81 port=9 id="0000-0000"
2013-10-02 15:22:51 firewall ARP spoofing attack!ip=172.27.103.17 mac=90:b1:1c:92:47:24 port=9 id="0000-0000"
2013-10-02 15:22:51 firewall ARP spoofing attack!ip=172.27.103.17 mac=90:b1:1c:92:47:24 port=7 id="0000-0000"
2013-10-02 15:22:51 firewall ARP spoofing attack!ip=172.27.103.126 mac=b8:ca:3a:7c:ed:a1 port=7 id="0000-0000"
2013-10-02 15:22:51 firewall ARP spoofing attack!ip=172.27.102.171 mac=90:b1:1c:79:e7:e4 port=7 id="0000-0000"
2013-10-02 15:22:51 firewall ARP spoofing attack!ip=172.27.102.171 mac=90:b1:1c:79:e7:e4 port=9 id="0000-0000"
2013-10-02 15:22:51 firewall ARP spoofing attack!ip=172.27.100.7 mac=00:1f:12:2d:61:81 port=7 id="0000-0000"
Comments
TechGuy215:
I know port 7 is used for UDP Echo. It is typically used to troubleshoot remote TCP/IP stacks. Port 9 is used for TCP discard, typically used for troubleshooting the local stack's transmit ability. Basically it allows you to acknowledge that a host is alive and processing packets.
Port 7 does have the possibility of being attacked via DoS. Attackers use it to relay flooding data. If relayed to a network broadcast, the entire subnet can flood. Any data sent can flood, but looping data output can create deadly streaming floods. Port 7 doesn't really pose any threats.
I would disable/block ports 7 and 9, then see if the logs continue to accumulate these alerts.
SephStorm:
Are you using a third-party log reader? It doesn't look like a standard log: Public Knowledge Base Product - Read Fireware log messages [WSM/Fireware 9.1]
control:
These are logs taken straight from the Watchguard System Manager, which manages the devices. So whatever port 7 / 9 are seems to be something related to the Watchguard.
If you look at the log it suggests to me the IP/MAC is being seen on different ports (7 / 9), as you can see from the duplicate entries for the IPs, which in turn possibly makes the Watchguard think some sort of spoofing is going on, but again just guessing. I never deal with Watchguards and only this one site has one...
Causing a real problem as well. I know this is the cause, just trying to find a solution....*sigh*
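As an added example (not from this thread, and not WatchGuard's own tooling), here is a small Python script that parses the log lines quoted in the original post and applies the check control describes above: group the entries by IP/MAC pair and list the pairs that show up under more than one port value. It also reports the more direct indicator of ARP spoofing, one IP claimed by two different MACs (or one MAC claiming several IPs), and the peak alert rate per second, which is what matters when the alerts coincide with hosts dropping off the Internet. The field layout is assumed from the quoted lines only, the port value is treated as an opaque label since the thread never settles what it refers to, and the sample lines are the post's own, embedded as constructed input.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the eight Fireware log lines quoted in the
# original post, embedded here so the script runs offline.
SAMPLE_LOG = """\
2013-10-02 15:22:50 firewall ARP spoofing attack!ip=172.27.100.7 mac=00:1f:12:2d:61:81 port=7 id="0000-0000"
2013-10-02 15:22:51 firewall ARP spoofing attack!ip=172.27.100.7 mac=00:1f:12:2d:61:81 port=9 id="0000-0000"
2013-10-02 15:22:51 firewall ARP spoofing attack!ip=172.27.103.17 mac=90:b1:1c:92:47:24 port=9 id="0000-0000"
2013-10-02 15:22:51 firewall ARP spoofing attack!ip=172.27.103.17 mac=90:b1:1c:92:47:24 port=7 id="0000-0000"
2013-10-02 15:22:51 firewall ARP spoofing attack!ip=172.27.103.126 mac=b8:ca:3a:7c:ed:a1 port=7 id="0000-0000"
2013-10-02 15:22:51 firewall ARP spoofing attack!ip=172.27.102.171 mac=90:b1:1c:79:e7:e4 port=7 id="0000-0000"
2013-10-02 15:22:51 firewall ARP spoofing attack!ip=172.27.102.171 mac=90:b1:1c:79:e7:e4 port=9 id="0000-0000"
2013-10-02 15:22:51 firewall ARP spoofing attack!ip=172.27.100.7 mac=00:1f:12:2d:61:81 port=7 id="0000-0000"
"""

# Field layout assumed from the quoted lines. "port" is kept as an opaque
# integer label; the thread does not establish what it identifies.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"ARP spoofing attack!ip=(?P<ip>[\d.]+) mac=(?P<mac>[0-9a-fA-F:]{17}) "
    r'port=(?P<port>\d+) id="(?P<id>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one 'ARP spoofing attack' line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["mac"] = rec["mac"].lower()  # normalise so AA:BB and aa:bb compare equal
    return rec


def parse_log(text):
    """Parse a whole log export, skipping lines that are not ARP-spoofing events."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(events):
    """Group the events three ways and measure the burst rate.

    pair_on_multiple_ports: the same IP/MAC seen under more than one port value
                            (the pattern control points out in the quoted lines)
    ip_with_multiple_macs:  one IP answered for by several MACs, the classic
                            ARP-spoofing / duplicate-address symptom
    mac_with_multiple_ips:  one MAC claiming several IPs
    peak_events_per_second: how tightly the alerts cluster in time
    """
    ports_by_pair = defaultdict(set)
    macs_by_ip = defaultdict(set)
    ips_by_mac = defaultdict(set)
    per_second = Counter()
    for e in events:
        ports_by_pair[(e["ip"], e["mac"])].add(e["port"])
        macs_by_ip[e["ip"]].add(e["mac"])
        ips_by_mac[e["mac"]].add(e["ip"])
        per_second[e["ts"]] += 1
    return {
        "pair_on_multiple_ports": {k: sorted(v) for k, v in ports_by_pair.items() if len(v) > 1},
        "ip_with_multiple_macs": {k: sorted(v) for k, v in macs_by_ip.items() if len(v) > 1},
        "mac_with_multiple_ips": {k: sorted(v) for k, v in ips_by_mac.items() if len(v) > 1},
        "peak_events_per_second": max(per_second.values(), default=0),
    }


def report(text):
    """Human-readable summary of a log export, returned as one string."""
    s = summarize(parse_log(text))
    out = [f"peak alerts in one second: {s['peak_events_per_second']}"]
    for (ip, mac), ports in sorted(s["pair_on_multiple_ports"].items()):
        out.append(f"{ip} / {mac} seen on ports {ports}")
    for ip, macs in sorted(s["ip_with_multiple_macs"].items()):
        out.append(f"CONFLICT: {ip} claimed by MACs {macs}")
    for mac, ips in sorted(s["mac_with_multiple_ips"].items()):
        out.append(f"{mac} claims IPs {ips}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the quoted lines the script finds three IP/MAC pairs flapping between port 7 and port 9 within the same second and no IP claimed by two MACs, so nothing in this sample looks like a host impersonating another; the same MAC simply appears on two port values. Feeding it a longer export from WSM (via `report(open(path).read())`) is a cheap way to see whether a genuine address conflict ever shows up alongside the port flapping.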
it_consultant:
It seems like the most obvious course of action is to figure out what nodes on the network are associated with those IPs and then see what is running on those PCs. I have a lot of experience on WGs; my last consulting gig used them a lot. The only time I have seen this error was when I had a site-to-site link set up with a flat phone network and a hierarchical data network and we used a WG to route the traffic at the remote site. The return traffic appeared to be from a network that existed on both the public and private interface and the WG shut down the traffic accordingly.