Your firewall is properly blocking it, there is nothing to be concerned about. The attacker isn't going to get anywhere.
You can see the owner of the netblock sending these IKE requests here:
https://wq.apnic.net/static/search.html?query=164.52.36.247
I suppose you could try contacting the abuse email for that netblock, but in my experience with the specific country involved here you are just wasting your time. It could also just be some kind of misconfiguration on their end but I highly doubt it.
This is a rather nice wish, but only you know what is configured here! The peer GW must be included in a VPN Community, otherwise no key install will be sent. At least this VPN is not coming up, so if you do not want it, you could even leave it this way 😎
Based on the screenshot, your Check Point firewall is not the one initiating. Your firewall is sending a response to 164.52.x.x, who attempted to start an IKE Phase 1 negotiation with you; the full content of the sent notification is not shown in your screenshot, but it is probably "Invalid ID". This response is sent by a Check Point firewall when an unknown peer/IP address attempts to start a VPN negotiation; in a site-to-site setup, VPN peer IP addresses must normally be known ahead of time.
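Added illustration (not code from the thread or from Check Point): detection logic run over constructed log lines that separates IKE negotiations from configured VPN Community peers from the unsolicited Phase 1 attempts described above, and counts how many internal addresses each unknown source has touched. The field names, the peer list and the address ranges are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (not real Check Point log output); the field
# names are assumptions mirroring what the thread's screenshot describes:
# IKE (UDP/500) packets from an unknown source hitting several internal
# addresses, plus the gateway's reply notification going back out.
SAMPLE_LOGS = """\
src=203.0.113.7 dst=198.51.100.10 service=IKE action=Accept info="Key Install"
src=164.52.36.247 dst=198.51.100.10 service=IKE action=Drop info="unknown peer"
src=164.52.36.247 dst=198.51.100.11 service=IKE action=Drop info="unknown peer"
src=198.51.100.10 dst=164.52.36.247 service=IKE action=Accept info="Invalid ID"
src=164.52.36.247 dst=198.51.100.12 service=IKE action=Drop info="unknown peer"
src=203.0.113.7 dst=198.51.100.10 service=IKE action=Accept info="Key Install"
src=203.0.113.99 dst=198.51.100.10 service=http action=Accept info=""
"""

# Assumed VPN Community peers (known ahead of time for site-to-site VPN)
# and the address space this gateway protects.
KNOWN_PEERS = {"203.0.113.7"}
OUR_NETS = [ipaddress.ip_network("198.51.100.0/24")]
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one key=value log line into a dict, unquoting values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def is_ours(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_NETS)

def unsolicited_ike_sources(log_text, known_peers=KNOWN_PEERS, min_targets=2):
    """Map each external, non-peer source that sent IKE to at least
    min_targets of our addresses to the sorted list of addresses it hit."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("service") != "IKE" or "src" not in rec or "dst" not in rec:
            continue
        if is_ours(rec["src"]) or not is_ours(rec["dst"]):
            continue  # our own reply (e.g. the notification) or unrelated direction
        if rec["src"] in known_peers:
            continue  # expected site-to-site negotiation with a configured peer
        targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}
```

A source reported by this function is exactly the case described in the answer above: a Phase 1 attempt from an address outside the community, which the gateway answers with a notification rather than a key exchange.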
Hi @Timothy_Hall,
Yes, that is my doubt. VPN traffic is initiated to the Check Point from an unknown IP which is not configured in my device; the traffic got rejected by the device, but after that a response is sent as key install. Details are in the attached screenshot. What kind of behavior is this?
We are getting a lot of requests from this unknown IP to some of the internal IPs. The service is IKE (screenshot attached). We don't have any DAIP for this setup. As a precautionary measure I have created an object and blocked this source IP in the policy.
Is it a kind of attack? If yes, how do I identify which device is originating this traffic, and is there any helping hand from an inside object?
Thank you for your response.