https://community.checkpoint.com/t5/Firewall-and-Security-Management/Detected-Sweep-Scan-originating-from-source-internal-server/m-p/255864#M50105 <P>Thank you for the reply,</P><P>Exceptions are configured in place long time ago. This issue was once-off, unexpected incident.&nbsp;<BR />It's not clear how to reproduce this incident since we don't have any possible destination or what tool or process initiated that.</P><P>Do you have any suggestions?</P> Mon, 25 Aug 2025 08:25:38 GMT RuneSeeker 2025-08-25T08:25:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Detected-Sweep-Scan-originating-from-source-internal-server/m-p/255712#M50050 <P>Hi everyone,</P><P>We are currently running R81.20 Hotfix Take 105.&nbsp;</P><P>The IPS protection flagged a Sweep Scan originating from an internal server, with the destination showing as "null" and the service listed as HTTP_proxy (TCP/8080).</P><P>After 9 seconds, the system automatically applied a SAM rule to drop the connection. This action inadvertently disrupted legitimate communication with another internal server.</P><P>Once we identified the cause, we removed the affected server from the SAM rule, and since then the issue has not reappeared.</P><P>Could you help us understand what might be triggering this behavior?</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 22 Aug 2025 07:16:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Detected-Sweep-Scan-originating-from-source-internal-server/m-p/255712#M50050 RuneSeeker 2025-08-22T07:16:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Detected-Sweep-Scan-originating-from-source-internal-server/m-p/255770#M50063 <P>We'd likely need to set up debug and reproduce the issue to understand the root cause of it.<BR />This will require TAC assistance.</P> <P>However, adding an exception is probably the best way to ensure this issue doesn't happen again.</P> Fri, 22 Aug 2025 22:10:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Detected-Sweep-Scan-originating-from-source-internal-server/m-p/255770#M50063 PhoneBoy 2025-08-22T22:10:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Detected-Sweep-Scan-originating-from-source-internal-server/m-p/255864#M50105 <P>Thank you for the reply,</P><P>Exceptions are configured in place long time ago. This issue was once-off, unexpected incident.&nbsp;<BR />It's not clear how to reproduce this incident since we don't have any possible destination or what tool or process initiated that.</P><P>Do you have any suggestions?</P> Mon, 25 Aug 2025 08:25:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Detected-Sweep-Scan-originating-from-source-internal-server/m-p/255864#M50105 RuneSeeker 2025-08-25T08:25:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Detected-Sweep-Scan-originating-from-source-internal-server/m-p/255924#M50122 <P>I don't believe enough information is logged to understand what happened in this case.<BR />Thus, we'd likely need to reproduce it in order to properly debug it.</P> Mon, 25 Aug 2025 18:10:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Detected-Sweep-Scan-originating-from-source-internal-server/m-p/255924#M50122 PhoneBoy 2025-08-25T18:10:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Detected-Sweep-Scan-originating-from-source-internal-server/m-p/255970#M50134 <P>Thanks for the assistance. We will update as more information becomes available.</P> Tue, 26 Aug 2025 09:41:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Detected-Sweep-Scan-originating-from-source-internal-server/m-p/255970#M50134 RuneSeeker 2025-08-26T09:41:42Z