SAM block
This may be a pre-Infinity SOC question, but I didn't see a category for SmartEvent.
RFE: it would be nice if a SAM block told you somewhere what event in SmartEvent triggered it, so you could make an exception there instead of a global exclusion. That being said, why is my gateway using port 80 (HTTP) to contact Akamai Technologies all the time? What SmartEvent protection could be the culprit here?
The source is actually my gateway itself, R81.10 JHF55.
Id: ac160028-44a6-3813-62cc-1f3ae3b30004
Marker: @A@@B@1657541940@C@1486467
Log Server Origin:
Time: 2022-07-11T13:01:46Z
Interface Direction: outbound
Interface Name: eth17
Id Generated By Indexer:false
First: true
Sequencenum: 83
Source:
Source Port: 48508
Destination: 104.71.130.75
Destination Port: 80
IP Protocol: 6
Message Information: SAM rule
Action: Reject
Policy Name: policy
Policy Management: 1
Db Tag: {12D898E0-1EC0-BB45-9928-AB3A4B9A15B3}
Policy Date: 2022-07-06T20:09:36Z
Blade: Firewall
Origin:
Service: TCP/80
Product Family: Access
Logid: 1
Interface: eth17
Type: Connection, Alert
Labels: SmartEvent
The Management space with a SmartEvent label would be the right classification.
I suspect these reach-outs to port 80 from the gateway are the gateway checking in with ThreatCloud and the like.
Yes, we do use Akamai as a CDN for these services.
More details in sk83520.
