Gateway generating unwanted traffic to a destination server

Mastering Compliance
Unveiling the power of Compliance Blade

WATCH NOW

SASE Masters:
Deploying Harmony SASE for a 6,000-Strong Workforce
in a Single Weekend

May the 4th (+4)
Navigating Paradigm Shifts in Cyber

CPX 2024 Content
is Here!

Get What You Need

Harmony SaaS
The most advanced prevention
for SaaS-based threats

LEARN MORE

CheckMates Go:
CPX 2024 Recap

LISTEN NOW

Create a Post

Hello,

I have the following query:

Scenario:
Gateway IP: X.Y.Z.Q
Server IP: A.B.C.D (on cloud)
The server is accessed by internal users on port 8080.
The gateway is also generating unwanted traffic to the destination on port 8080 which is abnormal behavior.

Description:
- HTTPS inspection is enabled on firewall, created a bypass rule with destination but still the traffic is seen.- Traffic is allowed to the destination via implied rules (accept_outgoing rule)
- Traffic capture indicates only oO on external interface.
- Lot of connections can be seen initiated with wstlsd

tcp 0 91 X.Y.Z.Q:60158 A.B.C.D:8080 ESTABLISHED 12214/wstlsd
tcp 0 1 X.Y.Z.Q:59375 A.B.C.D:8080 SYN_SENT 20101/wstlsd
tcp 0 91 X.Y.Z.Q:60332 A.B.C.D:8080 ESTABLISHED 12214/wstlsd
tcp 0 1 X.Y.Z.Q:50854 A.B.C.D:8080 SYN_SENT 20101/wstlsd
tcp 0 91 X.Y.Z.Q:38726 A.B.C.D:8080 ESTABLISHED 12214/wstlsd
tcp 0 91 X.Y.Z.Q:53628 A.B.C.D:8080 ESTABLISHED 12214/wstlsd
tcp 0 91 X.Y.Z.Q:43252 A.B.C.D:8080 ESTABLISHED 12214/wstlsd
tcp 0 91 X.Y.Z.Q:47262 A.B.C.D:8080 ESTABLISHED 12214/wstlsd
tcp 0 91 X.Y.Z.Q:62171 A.B.C.D:8080 ESTABLISHED 12214/wstlsd

- Collected WSTLSD debug and observed the following:

[wstlsd] Trying to connect to Host:
[wstlsd] IP Address network order = A.B.C.D
[wstlsd] Port Number network order = 36895

[wstlsd] T_event_do_set: setting brand new socket/type: 199/0
[wstlsd] T_event_do_set: setting brand new socket/type: 199/2
[wstlsd] T_event_do_set: setting brand new socket/type: 199/1
[wstlsd] fwasync_make_connection_e_bindopt_ex: A.B.C.D/8080: dowait is -1 sock is 199
[wstlsd] T_event_do_del: marking for deletion socket/type: 199/1
[wstlsd] fwasync_connect_ex done. user_mode_connection: 0x1707fae0
[wstlsd] ckptls_store_neg_info: storing neg_info 0x15cde818 opaque_id 77625
[wstlsd] cptls_handle_msg: done. msg=HS_CHALLENGE_PARTY
[wstlsd] cptlsd_trap_handler_multik: trap processing took 0.000104 seconds.
[wstlsd] cptlsd_trap_handler_multik: called dlen 96, type 2
[wstlsd] CptlUrlf::HandleTrap: _len 96 _instance =1
[wstlsd] CptlUrlf::HandleTrap: not urlf ssl trap.
[wstlsd] cptls_urlf_trap_cb: it is not ssl urlf trap.
[wstlsd] cptlsd_trap_handler_multik: called from kernel instance 1.
[wstlsd] cptls_handle_msg: called. msg=HS_CHALLENGE_PARTY
[wstlsd] cptls_handle_msg: kernel_instance: 1

Not sure why this traffic is generated, it would be great if someone has a justification for the same.

Thanks and Regards,
Arun Kumar S
Network Security Engineer
QOS Technology Pvt Ltd, Bengaluru