Weird one for you all... FW-1 on Solaris, 1 Internet connection, 3 DMZs (Web, WAN, and DNS... mostly just because we can...)
We're seeing 1800 or so drops per day on port 1996,
travelling from one DMZ interface address destined for another interface
address. It's pretty consistent traffic - every half-minute or so.
The drop shows the packet hitting Rule 0 and the reason is "local interface
address spoofing".
Port 1996 is a Cisco SRB port, but we have no Cisco
gear in the DMZs in question. Furthermore, I disconnected everything from
the source DMZ and **STILL SHE WALKS...**
Check Point says it's got to be the Solaris box,
because "nothing Check Point does occurs on 1996". Can't imagine what the
heck it is.
Ugh. Has ANYBODY out there seen this before?
Many Thanks...