Title: Strange NAT and packet transfer within Web server...

Hi to all,

I've found such strange tracks while analyzing my CP 4.1 SP3.0 FW logs.

x.x.x.x    -  Our Firewall's valid IP address for NAT. Outer interface ethernet IP.
y.y.y.y    -  An outsider's Internet IP
w.w.w.w  -  The valid IP of our Web Server (located in DMZ)


Origin       type  Action     Service  Source    Destin     proto  rule  S_port                        Xlate Source  Xlate Dst  Xlate SPort   Xlate DestPort    Info      

"x.x.x.x"     "log" "accept"   "1041"     "x.x.x.x"  "y.y.y.y"  "tcp"    "0"    "1026"  ""  ""  ""  ""  ""  "w.w.w.w"        "y.y.y.y"   "http"              "1041"                " len 40" 

I don't feel completely all right because:

1. It's accepted via rule 0. (In the FW policy - properties, I couldn't find anything relevant...)

2. The source is the FW's IP, the destination is the outsider's IP, and the translated source is the Web Server's IP. (How come? There's no such strange NAT definition in the FW rules...)

3. In some other similar logs, the Service, S_port and Xlate DestPort vary, but every time, Xlate SPort is the same service port (http). (O.K., these transactions are related to the Web Server's responses, thus http might be thought of as normal. But what about the other ports and services, are they selected randomly by the Firewall?)


Is there anything unusual or suspicious? Especially if the case is some packets being transferred to the outside world from our Web Server, I'm a bit more sensitive...

