02-02-2018 10:34 AM - edited 02-21-2020 07:16 AM
Hi,
I have a very odd problem. Since I established a DNS policy in my FMC to prevent malicious DNS responses, I have detected that my ESA is making queries to a malicious site. Those are being blocked by the ASA, but still... why is the ESA making those malicious connections? Can someone explain this scenario?
I'm uploading the SI analysis and the IoC marked on the ESA.
I'll appreciate some feedback.
Thanks
02-03-2018 07:50 AM
Is your ESA in the path for outbound email?
02-03-2018 10:28 AM
Not at all, we only have the inbound license and our mail server is handling the outgoing mail.
02-03-2018 11:29 PM
That's really odd. According to the Admin Guide section on necessary communications paths:
...none of that should be happening. I would try looking at a capture of some of the packets and verifying they are coming from the ESA and not from something else spoofing/duplicating its IP address. If it is indeed coming from the ESA then I would open a TAC case straight away.
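One way to carry out the check suggested in the reply above (whether the DNS queries really leave the ESA's own interface, or come from another host using its IP), as an added example that is not part of this thread: the script below parses raw Ethernet/IPv4/UDP frames from a capture, groups DNS queries by source IP, and flags any source MAC other than the ESA's known one. The ESA IP and MAC, and the sample frames, are constructed placeholders.

```python
import struct
from collections import defaultdict

# Constructed placeholders for the ESA's known address pair (not from the thread).
ESA_IP = "192.0.2.10"
ESA_MAC = "00:11:22:33:44:55"

def eth_frame(src_mac, src_ip, dst_ip, dport=53):
    """Build a minimal Ethernet/IPv4/UDP frame as constructed test data."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    eth = bytes.fromhex("ffeeddccbbaa") + mac + b"\x08\x00"      # dst MAC, src MAC, IPv4
    payload = b"\x00" * 20                                       # DNS body is not inspected here
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + udp

def parse_frame(frame):
    """Return (src_mac, src_ip, dst_ip, udp_dport), or None for anything that is not IPv4/UDP."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    if frame[14 + 9] != 17:                 # protocol field: 17 = UDP
        return None
    src_ip = ".".join(map(str, frame[14 + 12:14 + 16]))
    dst_ip = ".".join(map(str, frame[14 + 16:14 + 20]))
    dport = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
    return src_mac, src_ip, dst_ip, dport

def find_spoofed_dns_sources(frames, claimed_ip, expected_mac):
    """MACs that sent DNS queries (UDP/53) with claimed_ip as source but are not expected_mac.

    An empty set means every DNS query from that IP came from the expected interface,
    so the queries genuinely originate on the ESA and the TAC route applies.
    """
    macs_by_ip = defaultdict(set)
    for f in frames:
        parsed = parse_frame(f)
        if parsed and parsed[3] == 53:
            macs_by_ip[parsed[1]].add(parsed[0])
    return macs_by_ip[claimed_ip] - {expected_mac.lower()}

if __name__ == "__main__":
    sample = [eth_frame(ESA_MAC, ESA_IP, "198.51.100.53"),             # genuine ESA query
              eth_frame("de:ad:be:ef:00:01", ESA_IP, "198.51.100.53"),  # other host using ESA IP
              eth_frame(ESA_MAC, ESA_IP, "198.51.100.1", dport=443)]    # not DNS, ignored
    print("unexpected MACs using the ESA IP for DNS:", find_spoofed_dns_sources(sample, ESA_IP, ESA_MAC))
```

On a real capture, replace the constructed frames with raw frames read from the pcap and the placeholder IP/MAC with the ESA's actual values.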