How to identify systems beyond Firewall?

  • Question

  • Hi,

    ATA detected DNS Reconnaissance from our Cisco Firewall which is a gateway for a number of servers (including Windows ones).

    How can I possibly identify the faulty system NATed by the Firewall?

    Thanks in advance for any help


    /Patrice

    Tuesday, January 24, 2017 1:02 PM

All replies

  • Hello Patrice,

    Since the servers sit behind the firewall and the source IP has been NATed in the packets, it's hard for ATA to detect the real source.

    However, you can monitor the traffic flowing through the firewall by utilizing port mirroring to monitoring tools, such as Wireshark or Network Monitor. With these tools, you can filter out the DNS traffic, and find out the real source.

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, January 25, 2017 2:41 AM
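
The capture-and-filter approach suggested in the reply above, as an added example that is not part of the original thread: it attributes zone-transfer queries to their pre-NAT source addresses and separates expected DNS servers from hosts that need review. Assumptions: the capture was taken on the inside of the firewall (before NAT), the alert concerns AXFR/IXFR queries, the lines were exported with `tshark -r inside.pcap -Y "dns.flags.response == 0" -T fields -e ip.src -e dns.qry.type -e dns.qry.name`, and all addresses, names and the allowlist below are constructed.

```python
from collections import defaultdict

# DNS QTYPE numbers for zone-transfer requests (assumed focus of the alert).
ZONE_TRANSFER_QTYPES = {251: "IXFR", 252: "AXFR"}

# Constructed sample of tab-separated tshark field output (src, qtype, qname).
SAMPLE = (
    "10.20.1.15\t1\twww.example.com\n"
    "10.20.1.40\t252\tcorp.example.com\n"
    "10.20.1.40\t252\t_msdcs.corp.example.com\n"
    "10.20.1.15\t28\twww.example.com\n"
    "10.20.1.77\t252\tcorp.example.com\n"
    "10.20.1.5\t251\tCORP.example.com.\n"
    "garbled line without tabs\n"
)


def parse_queries(text):
    """Yield (source_ip, qtype, qname) per well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue
        # tshark joins multiple occurrences with commas; keep the first one.
        src, qtype, qname = (p.split(",")[0].strip() for p in parts)
        if not qtype.isdigit():
            continue
        yield src, int(qtype), qname.lower().rstrip(".")


def triage(text, allowed_sources):
    """Split zone-transfer requesters into (expected, unexpected) by allowlist."""
    expected, unexpected = defaultdict(set), defaultdict(set)
    for src, qtype, qname in parse_queries(text):
        if qtype not in ZONE_TRANSFER_QTYPES:
            continue
        bucket = expected if src in allowed_sources else unexpected
        bucket[src].add((ZONE_TRANSFER_QTYPES[qtype], qname))
    return ({k: sorted(v) for k, v in expected.items()},
            {k: sorted(v) for k, v in unexpected.items()})


if __name__ == "__main__":
    # Hypothetical allowlist: internal addresses of known DNS servers / DCs.
    ok, review = triage(SAMPLE, allowed_sources={"10.20.1.40", "10.20.1.5"})
    for label, hosts in (("expected", ok), ("REVIEW", review)):
        for src, reqs in sorted(hosts.items()):
            print(f"{label:8} {src:12} {reqs}")
```
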
  • Hello Andy,

    Thanks for your answer. Research on the firewall helped to identify trusted domain legitimate DCs going through.

    I have then dismissed the alert.

    Thanks & Regards


    /Patrice

    Wednesday, January 25, 2017 9:48 AM
  • Hello Patrice,

    You are welcome.

    Glad to hear that you found the solution.

    Best regards,

    Andy Liu



    Wednesday, January 25, 2017 10:03 AM