06-01-2022 06:55 AM
We are analyzing the logs from all of our devices. Recently, a question came up on the %FTD-6-302013 message. It appears to be only happening on outbound connections from the inside network to the outside. We never see messages like that for connections inbound into the inside network. There really isn't much of anything allowed to make new connections from the outside into our network. Does this message not get generated for blocked connections?
06-01-2022 07:28 AM
Until we see your ACP rule, we are not sure what that error is related to.
Check the further explanation of the logs.
06-01-2022 08:05 AM
Any particular rule that you need to see?
06-01-2022 12:08 PM
Blocked connections are only connection attempts. If the TCP SYN packet is blocked, then no %FTD-6-302013 message is generated.
06-06-2022 11:50 AM
Thanks for the responses. I think the question I am being asked and I'm trying to research is this:
It looks like for an outbound connection the syslog message is written to the log as a connection inbound into the inside interface. Is there any way to get it to be logged as an outbound connection through the outside interface? I think the log analyzer may be getting confused by what is an outbound connection from our network, and there is an 'inbound' keyword in the message.
03-22-2023 12:27 PM
We are seeing the same thing. Messages that are clearly outbound are showing as `inbound`, and some inbound messages are showing as `outbound`. Our SIEM is throwing false-positives for this, as the ML jobs are alerting inbound port scans (that are being blocked) as outgoing connections to known-malicious IP addresses.
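One way to keep a log analyzer from trusting the `inbound`/`outbound` keyword is to derive direction from the interface names in the message instead. The sketch below is an added example, not code from this thread or from Cisco. It assumes the documented "Built ... for interface:address/port (mapped) to interface:address/port (mapped)" layout, that the first endpoint is the side the connection entered from (verify this against your own logs), and that `inside` is the only internal interface name; the sample lines are constructed.

```python
import re

INTERNAL_IFS = {"inside"}  # assumption: interface names that face your own network

# Assumed layout of the 302013 "Built" message; any parenthesised mapped
# address or user field after the first endpoint is skipped.
MSG = re.compile(
    r"%FTD-6-302013: Built (?P<keyword>inbound|outbound) TCP connection (?P<conn_id>\d+) "
    r"for (?P<src_if>[^:\s]+):(?P<src_ip>[^/\s]+)/(?P<src_port>\d+) (?:\([^)]*\) )*"
    r"to (?P<dst_if>[^:\s]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+)"
)

def normalize(line):
    """Return a dict with a direction derived from interfaces, or None if not a 302013 line."""
    m = MSG.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    src_int = ev["src_if"] in INTERNAL_IFS
    dst_int = ev["dst_if"] in INTERNAL_IFS
    if src_int and not dst_int:
        ev["direction"] = "outbound"      # entered on an internal interface, leaves externally
    elif dst_int and not src_int:
        ev["direction"] = "inbound"       # entered externally, reaches an internal interface
    else:
        ev["direction"] = "internal" if src_int else "external"
    # Flag events where the device keyword contradicts the interface-derived direction.
    ev["keyword_disagrees"] = (
        ev["direction"] in ("inbound", "outbound") and ev["keyword"] != ev["direction"]
    )
    return ev

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLES = [
    "Jun 01 2022 06:55:01 fw1 : %FTD-6-302013: Built inbound TCP connection 1001 "
    "for inside:10.1.1.20/51514 (10.1.1.20/51514) to outside:203.0.113.10/443 (203.0.113.10/443)",
    "Jun 01 2022 06:55:02 fw1 : %FTD-6-302013: Built outbound TCP connection 1002 "
    "for outside:198.51.100.7/40022 (198.51.100.7/40022) to inside:10.1.1.5/25 (10.1.1.5/25)",
    "Jun 01 2022 06:55:03 fw1 : some other message that is not a connection build",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(normalize(line))
```

Feeding the SIEM the derived `direction` field, and alerting on `keyword_disagrees` only as a data-quality signal, keeps detections from depending on the keyword.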