Solved: Thanks KarstenI'll put that

mickyq · ‎09-02-2015

I have been informed by my ISP that a botnet has been detected and the ip address is the Global PAT address. how do i trace the source ip?

Karsten Iwen · ‎09-02-2015

Probably it's not possible any more. What do you need:

An exact timestamp from the event and if possible the destination-address/port.
Your firewall-log showing which PC was communicating at that moment with the destination.
If you are using DHCP, you also need a DHCP-log to see which internal system was using that IP at that time.

Perhaps it's time to migrate to ASA with FirePOWER.

Karsten Iwen · ‎09-02-2015

Probably it's not possible any more. What do you need:

An exact timestamp from the event and if possible the destination-address/port.
Your firewall-log showing which PC was communicating at that moment with the destination.
If you are using DHCP, you also need a DHCP-log to see which internal system was using that IP at that time.

Perhaps it's time to migrate to ASA with FirePOWER.

mickyq · ‎09-02-2015

Thanks Karsten

I'll put that on my Christmas wish list :-)

tracing malware