We have an H/A firewall setup with dual PowerEdge 1750 boxes running SecurePlatform & Check Point FW-1 version R55. On one of our two firewalls, looking in the SmartTracker log, there is a constant flow of traffic from object "firewall2" to either 179.anything.com, or 174.anything.com, or a few other prefixes.anything.com. The service listed is always 8989.
We're comfortable that it's not an internal workstation spoofing the firewall address. I can certainly just add those items to the block list, but I'm wondering how to uncover the root cause of the issue. If it was a Windows platform, I'd say trojan. But is there an analog for SecurePlatform or FW-1 that could do this?
Our network/security company is stumped by this one. Anyone here have any thoughts? Thanks.