https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-appliance-shows-Infected-hosts-with-public-IPs/m-p/7901#M141 <HTML><HEAD></HEAD><BODY><P>This is happening for a while now on my home 600 appliance:</P><P><IMG alt="external IPs shown as &quot;Infected Hosts&quot;" class="image-1 jive-image j-img-original" src="/legacyfs/online/checkpoint/60481_2017-10-25 19_09_21-drawbridge - Infected Hosts - Check Point 600 Appliance.png" style="width: 620px; height: 75px;" /></P><P>View Host Logs does not yield anything and since these events happening about once a month, running traffic capture to get better visibility into it is not practical.</P><P>What is the reason for this indicator being present if there is no possibility of path-through traffic hitting my gateway from inside?</P></BODY></HTML> Wed, 25 Oct 2017 23:17:20 GMT Vladimir 2017-10-25T23:17:20Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-appliance-shows-Infected-hosts-with-public-IPs/m-p/7901#M141 <HTML><HEAD></HEAD><BODY><P>This is happening for a while now on my home 600 appliance:</P><P><IMG alt="external IPs shown as &quot;Infected Hosts&quot;" class="image-1 jive-image j-img-original" src="/legacyfs/online/checkpoint/60481_2017-10-25 19_09_21-drawbridge - Infected Hosts - Check Point 600 Appliance.png" style="width: 620px; height: 75px;" /></P><P>View Host Logs does not yield anything and since these events happening about once a month, running traffic capture to get better visibility into it is not practical.</P><P>What is the reason for this indicator being present if there is no possibility of path-through traffic hitting my gateway from inside?</P></BODY></HTML> Wed, 25 Oct 2017 23:17:20 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-appliance-shows-Infected-hosts-with-public-IPs/m-p/7901#M141 Vladimir 2017-10-25T23:17:20Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-appliance-shows-Infected-hosts-with-public-IPs/m-p/7902#M142 <HTML><HEAD></HEAD><BODY><P>It could very well be a false positive of some sort, or&nbsp;that IP address probing.</P><P>I did move this to the <A href="https://community.checkpoint.com/space/2036">SMB and SMP</A>‌ space.</P></BODY></HTML> Fri, 27 Oct 2017 20:10:02 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-appliance-shows-Infected-hosts-with-public-IPs/m-p/7902#M142 PhoneBoy 2017-10-27T20:10:02Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-appliance-shows-Infected-hosts-with-public-IPs/m-p/7903#M143 <HTML><HEAD></HEAD><BODY><P>If this was a probing attempt, I'd expect to see some drops in the log, but there is nothing at all.</P><P></P><P>I was thinking that maybe cell phones on WiFi may ID with the IP received from the carrier, but the protection name points to Windows hosts.</P></BODY></HTML> Fri, 27 Oct 2017 20:26:48 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-appliance-shows-Infected-hosts-with-public-IPs/m-p/7903#M143 Vladimir 2017-10-27T20:26:48Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-appliance-shows-Infected-hosts-with-public-IPs/m-p/7904#M144 <HTML><HEAD></HEAD><BODY><P>The fact you're not seeing that is somewhat troubling.</P></BODY></HTML> Fri, 27 Oct 2017 20:33:24 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-appliance-shows-Infected-hosts-with-public-IPs/m-p/7904#M144 PhoneBoy 2017-10-27T20:33:24Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-appliance-shows-Infected-hosts-with-public-IPs/m-p/7905#M145 <HTML><HEAD></HEAD><BODY><P>I've re-flushed the new firmware yesterday and will keep an eye for further occurrences. Should I see it again, I may have to run continuous filtered mirroring from the switches on all interfaces to get the raw packets matching that source network.</P></BODY></HTML> Fri, 27 Oct 2017 20:47:45 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-appliance-shows-Infected-hosts-with-public-IPs/m-p/7905#M145 Vladimir 2017-10-27T20:47:45Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-appliance-shows-Infected-hosts-with-public-IPs/m-p/7906#M146 <HTML><HEAD></HEAD><BODY><P><SPAN>Hi. <BR /><BR />The infected host is triggered with the Anti-Bot, which can be detected from LAN(inbound) to WAN (outgoing), and also vice versa. <BR /><BR />If the public&nbsp;IP trying to communicate to your gateway external IP might have a malicious network activity pattern, or bad reputation (such as C&amp;C), it will come up in the infected hosts list.<BR /></SPAN></P></BODY></HTML> Tue, 31 Oct 2017 03:59:08 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-appliance-shows-Infected-hosts-with-public-IPs/m-p/7906#M146 Tom_Hinoue 2017-10-31T03:59:08Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-appliance-shows-Infected-hosts-with-public-IPs/m-p/7907#M147 <HTML><HEAD></HEAD><BODY><P>There is no reason logging the external hosts as "Infected". Consider the scenario when your network is under attack from the botnet. In this case you may have thousands hosts listed as such. It is not the business of this device to police the Internet, but to provide you with correct information about your environment.</P><P></P><P>But regardless of how these two hosts ended-up listed as such, I would expect to see the corresponding log entries and there are none.</P></BODY></HTML> Tue, 31 Oct 2017 13:11:49 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-appliance-shows-Infected-hosts-with-public-IPs/m-p/7907#M147 Vladimir 2017-10-31T13:11:49Z