  1. #1
    Untangler
    Join Date
    Feb 2016
    Posts
    88

    Understanding the reports?

    Hi

    I am trying to understand this app (and all reports in general).

    It says over time it's blocked 24k sessions.

    That's of interest to me, however I cannot find a lot in reports; everything says 'no data!' except for at the bottom of reports, where I find blocked web and non web events.

    The cause is in non web events from one of my Switch IP addresses (Not a device, the actual switch address) to: 185.21.216.198, which is apparently: RIPE Network Coordination Centre

    This appears to be legit but I don't know for sure.

    So is this a false positive or whatever?

    What is the purpose of all those nice graphs and stuff? They don't appear to do anything.

  2. #2
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,605

    show us a diagram of your network layout.

    W.A.G.: could you have the internal and external interfaces swapped?
    If you think I got Grumpy

  3. #3
    Untangler
    Join Date
    Feb 2016
    Posts
    88

    Hi there, I don't know what wag means?

    So I have a modem from the ISP connected to my UTM.

    Connected to the UTM is the main unifi switch.
    Connected to this is the 12 port switch as mentioned.

    I have a number of switches; it's only this one being reported. There are thousands of entries to that website through port 49294.

    I have done searches on Google; nothing meaningful comes up. It could be something passing through the switch but I don't know why it would be reported like that.

    I have 43 things connected to the router on ethernet and WIFI via the switches and unifi APs.

  4. #4
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,605

    W.A.G. it is a form of a wild guess.
    Are you sure the external interface of NGFW is connected to the ISP modem?

    give us a screen shot of those sessions.

    Also, what version of NGFW are you running?

  5. #5
    Untangler
    Join Date
    Feb 2016
    Posts
    88

    Hi, it's version 5. I only actually have like a day of the trial before it disables.

    Yes the WAN is connected to my modem/ISP.

    Screenshot 2020-04-20 at 18.31.25.png

  6. #6
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,738

    We have not had version 5 for 11 years. Do you mean v15.0?
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  7. #7
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,605

    Originally posted by garethsnaim:
    "I only actually have like a day of the trial before it disables."

    At what level do you have Threat Prevention set to?
    I would say that most of the time, it is not going to be able to be used to block a whole lot in a residential setting.

    It would help if you showed us the entire screen, with the URL, so we can tell exactly which report you are on.
    tp example.png

    This could be considered a false positive, yes. The RIPE attribution is not very specific at all. The traffic seems to be that your switch is desperately trying to determine the time from the Internet, using that IP address. It might be good to find a local tier-2 time server near you, and try using that.

    Better yet, use the server pool:
    http://support.ntp.org/bin/view/Servers/NTPPoolServers
    This has to be configured on the switch, itself.
    Last edited by Jim.Alles; 04-20-2020 at 12:35 PM.

  8. #8
    Untangler
    Join Date
    Feb 2016
    Posts
    88

    Yes sorry 15!

    Thanks Jim,

    Apparently my image is like 5 bytes too big, so the report I am in is Threat Prevention - non web blocked events.

    The entry I showed before is the only one and there are thousands of them. Threat prevention thinks this IP is high risk, but I can only assume my main switch is doing the same. I left all settings in this app as default.

    Ah well, I don't think it's world ending and the threat prevention app expires tomorrow as I am a home user. Thanks for your help.
