This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Renjith_M_P
Contributor
‎2020-02-02 10:24 PM
Jump to solution

unknown traffic from VPN blade

Hi All,

could you please explain why VPN is initiating traffic to an unknown destination.(SC attached)

Preview file
57 KB
0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2020-02-09 07:05 AM
In response to Renjith_M_P
Jump to solution

Your firewall is properly blocking it, there is nothing to be concerned about.  The attacker isn't going to get anywhere.

You can see the owner of the netblock sending these IKE requests here:

https://wq.apnic.net/static/search.html?query=164.52.36.247

I suppose you could try contacting the abuse email for that netblock, but in my experience with the specific country involved here you are just wasting your time.  It could also just be some kind of misconfiguration on their end but I highly doubt it.

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices
Self-Guided Video Series Coming Soon

View solution in original post

4 Replies
G_W_Albrecht
Legend Legend
Legend
‎2020-02-03 12:19 AM
Jump to solution

This is a rather nice wish - but only you do know what is configured here ! The peer GW must be included in a VPN Community, otherwise, no key install will be sent. At least, this VPN is not coming up, so if you do not want it, you could even leave it this way 8)

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2020-02-03 05:23 AM
Jump to solution

Based on the screenshot, your Check Point firewall is not the one initiating.  Your firewall is sending a response to 164.52.x.x who attempted to start an IKE Phase 1 negotiation with you; the full content of the sent notification is not shown in your screenshot but it is probably "Invalid ID".  This response is sent by a Check Point firewall when an unknown peer/IP address attempts to start a VPN negotiation; in a site to site setup VPN peer IP addresses must normally be known ahead of time.

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices
Self-Guided Video Series Coming Soon
Renjith_M_P
Contributor
‎2020-02-04 05:37 AM
In response to Timothy_Hall
Jump to solution

Hi @Timothy_Hall ,

yes, that is my doubt. a VPN traffic is initiated to check point from an unknown IP which is not configured in my device, traffic got rejected by the device but after that a response is sending as key install. details are in attached screen shot. what kind of behavior is this.

we are getting lot of request from this unknown IP to some of the internal IP's. service is IKE ( Screen shot attached). we don't have any DAIP for this setup. as a precautionary  measure i have created an object and blocked this source IP in the policy.

is it a kind of attack. if yes how do i identity which device is originating this traffic and any helping hand from inside object.

Thank you for response.

Preview file
920 KB
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2020-02-09 07:05 AM
In response to Renjith_M_P
Jump to solution

Your firewall is properly blocking it, there is nothing to be concerned about.  The attacker isn't going to get anywhere.

You can see the owner of the netblock sending these IKE requests here:

https://wq.apnic.net/static/search.html?query=164.52.36.247

I suppose you could try contacting the abuse email for that netblock, but in my experience with the specific country involved here you are just wasting your time.  It could also just be some kind of misconfiguration on their end but I highly doubt it.

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices
Self-Guided Video Series Coming Soon

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Wed 18 Jun 2025 @ 10:00 AM (CEST)

    Hands-on WAF Immersion Workshop - Zaventem
    In-Person

    Tue 24 Jun 2025 @ 09:00 AM (CEST)

    Workshop Sécurité du Cloud & Hybrid Mesh
    In-Person

    Tue 07 Oct 2025 @ 09:30 AM (CEST)

    CheckMates Live Denmark!
    CheckMates Events