How to find the IP address of an unknown user who is trying to manage the ScreenOS device

Problem

Assume that host x.x.x.x, which is not allowed to manage the firewall, tries to access it via the WebUI and Telnet, and the administrator wants to log this management traffic.

Cause:

The customer wants to know which unknown user (intruder) is trying to gain management access to the firewall, even though the management options are not enabled on the interface.

A manager IP (permitted IP) is configured for a particular address, and you would like to check which other addresses are trying to manage the device.

Solution:

To log such traffic, the self log has to be enabled:

set firewall log-self

Case-1:

The SSL/HTTPS option is disabled on the MGT interface:

get int mgt

Interface mgt:
description mgt
number 0, if_info 0, if_index 0
link up, phy-link up/full-duplex, admin status up
status change:1, last change:07/30/2012 08:38:52
vsys Root, zone MGT, vr trust-vr, vsd 0
*ip 172.27.201.190/24 mac 001b.c06f.5a80
pmtu-v4 disabled
ping enabled, telnet enabled, SSH disabled, SNMP enabled
web enabled, ident-reset disabled, SSL disabled
DNS Proxy disabled, webauth disabled, g-arp enabled, webauth-ip 0.0.0.0
NSGP disabled NHRP disabled

With the get log self command, you can identify which IP address is trying to access the device on the MGT interface. In this case, you can see that source IP 172.27.199.46 was trying to access the device via HTTPS on the MGT interface, and the traffic was denied because SSL is disabled there:

nsisg2000(M)-> get log self
============================================================================================================
Date Time Duration Source IP Port Destination IP Port Service SessionID In Interface Reason Protocol
============================================================================================================
2012-08-01 08:00:36 0:00:00 172.27.199.46 1828 172.27.201.190 443 HTTPS 0 mgt Traffic Denied 6

Case-2:

A permitted IP address is configured on the device:

set admin manager-ip 172.27.199.46

In this case, only 172.27.199.46 is allowed to manage the device, but 172.27.199.95 is trying to access the device on the MGT interface via Telnet, and the attempt is denied:

nsisg2000(M)-> get log self
===============================================================================================================
Date Time Duration Source IP Port Destination IP Port Service SessionID In Interface Reason Protocol
================================================================================================================
2012-08-01 08:01:44 0:00:00 172.27.199.95 4305 172.27.201.190 23 TELNET 0 mgt Traffic Denied 6

Note: the self log records all packets that terminate at the security device, but sorting and filtering options are also available for the get log self output.
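The following Python script is added here as an example and is not part of the original article or of ScreenOS. It parses constructed sample lines in the get log self column layout shown above, keeps only denied entries for management services, and groups them by source address, marking whether each source is in the configured manager-ip list (so it covers both Case-1 and Case-2 at once). The column regex, the sample entries and the set of management services are assumptions.

```python
import re
from collections import Counter

# Constructed sample of `get log self` output, modelled on the entries shown
# in this article. Header and separator lines are skipped by the parser.
SAMPLE_LOG = """\
============================================================================
Date Time Duration Source IP Port Destination IP Port Service SessionID In Interface Reason Protocol
============================================================================
2012-08-01 08:00:36 0:00:00 172.27.199.46 1828 172.27.201.190 443 HTTPS 0 mgt Traffic Denied 6
2012-08-01 08:01:44 0:00:00 172.27.199.95 4305 172.27.201.190 23 TELNET 0 mgt Traffic Denied 6
2012-08-01 08:02:10 0:00:00 172.27.199.95 4310 172.27.201.190 22 SSH 0 mgt Traffic Denied 6
2012-08-01 08:03:00 0:00:00 172.27.199.95 0 172.27.201.190 0 PING 0 mgt Traffic Denied 1
"""

# Services that represent management access to the device (assumed set).
MGMT_SERVICES = {"HTTPS", "HTTP", "TELNET", "SSH", "SNMP"}

# One self-log data row, following the column layout in the header above.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<duration>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<sport>\d+) (?P<dst>\d+\.\d+\.\d+\.\d+) (?P<dport>\d+) "
    r"(?P<service>\S+) (?P<session>\d+) (?P<iface>\S+) (?P<reason>Traffic \w+) (?P<proto>\d+)$"
)

def parse_self_log(text):
    """Return one dict per data row of `get log self`; headers/separators are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def denied_management_attempts(text, permitted_ips):
    """Group denied management traffic by source address.

    Returns {src: {"permitted": bool, "services": Counter}} where "permitted"
    says whether the source is in the configured manager-ip set."""
    result = {}
    for e in parse_self_log(text):
        if e["service"] not in MGMT_SERVICES or e["reason"] != "Traffic Denied":
            continue
        info = result.setdefault(
            e["src"], {"permitted": e["src"] in permitted_ips, "services": Counter()})
        info["services"][e["service"]] += 1
    return result

if __name__ == "__main__":
    # 172.27.199.46 is the manager-ip from Case-2 of the article.
    for ip, info in denied_management_attempts(SAMPLE_LOG, {"172.27.199.46"}).items():
        print(ip, "permitted" if info["permitted"] else "UNKNOWN", dict(info["services"]))
```

A permitted source that still shows up as denied points at a service disabled on the interface (Case-1), while an unknown source points at an address outside the manager-ip list (Case-2).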
