
    Email warning interpretation on suspicious activity


    I got an email warning from UT (NGFW) about a port 22 connection. See below.

    Is this telling me that the ssh connection from to was successful? The details have "bypassed = true" which is puzzling. What triggers a packet getting bypassed?

    If so, that is puzzling as I have a block on port 22 access other than a handful of authorized users.

    The rule I defined is to block any traffic to destination port 22. Is that all I need? To make sure it is handled sooner than the other rules, I just moved it near the top of the list.

    Event: SessionEvent

    Event Time: 2021-03-13 08:19:24.793.

    Event Summary:
    Session [TCP] ->

    Event Details:
    bypassed = true
    c client addr =
    c client port = 28959
    c server addr =
    c server port = 22
    client intf = 1
    entitled = true
    hostname =
    local addr =
    policy id = 0
    protocol = 6
    protocol name = TCP
    remote addr =
    s client addr =
    s client port = 28959
    s server addr =
    s server port = 22
    server intf = 1
    session id = 105847512732690
    time stamp = 2021-03-13 08:19:24.793

    This is an automated message sent because this event matched Alerts Rule "Suspicious Activity: Client created many SSH sessions".
    Last edited by bconner; 03-13-2021 at 01:10 PM.
