Tcp ports during update

LUCA CARMINATI
Level 1

Hi guys,

Which TCP ports does the IronPort WSA normally use to communicate for updates or during normal operations?

The customer where we are installing 2 S160s sent me this alert log from the existing Checkpoint IPS, where src is the IronPort (10.0.1.5) and dst is the IP address (10.0.0.97) of the Windows AD, DNS and NTP server.

8Oct2011  7:36:47 drop   80.207.58.46 >eth2 mail product: SmartDefense; TCP flags: FIN; Attack Info: TCP flags do not make sense; attack: Bad packet; src: 10.0.1.5; s_port: 7745; dst: 10.0.0.97; service: ldap; proto: tcp;

This log is generated every 15 min, so I believe it is something related to updates, but the service type ldap gives me some doubt.

Maybe the WSA checks AD every 15 min?

Thanks

Best regards

Luca

1 Reply

Luca,

I'm pretty sure that's a "health" check on the LDAP connection to your domain controller. If that fails, the WSA could alert you that it can't get to the domain controller to auth users...

If your box is joined to the domain, it could be related to the secure channel too..

Ken
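
The 15-minute cadence mentioned in the question can be checked against the firewall log itself. The following is an added example, not part of either post: it parses lines in the format quoted above and reports flows whose drops recur at a steady interval. The function names, the 30-second tolerance and every sample line except the first are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Sample input: the first entry repeats the line from the post; all others are constructed.
TEMPLATE = ("8Oct2011  {} drop   80.207.58.46 >eth2 mail product: SmartDefense; "
            "TCP flags: FIN; Attack Info: TCP flags do not make sense; "
            "attack: Bad packet; src: {}; s_port: {}; dst: 10.0.0.97; service: {}; proto: tcp;")
SAMPLE = [TEMPLATE.format(*row) for row in [
    ("7:36:47", "10.0.1.5", 7745, "ldap"),
    ("7:51:47", "10.0.1.5", 7790, "ldap"),
    ("8:06:48", "10.0.1.5", 7833, "ldap"),
    ("8:21:47", "10.0.1.5", 7871, "ldap"),
    ("7:40:02", "10.0.1.9", 5121, "http"),  # irregular flow, should not be reported
    ("7:41:10", "10.0.1.9", 5122, "http"),
    ("8:19:30", "10.0.1.9", 5130, "http"),
]]
HEADER = re.compile(r"^(\d{1,2}[A-Za-z]{3}\d{4})\s+(\d{1,2}:\d{2}:\d{2})\s+(\w+)\s+(.*)$")

def parse_line(line):
    """Return timestamp, action and the 'key: value;' fields of one line, or None."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    date, clock, action, rest = m.groups()
    rec = {"time": datetime.strptime(f"{date} {clock}", "%d%b%Y %H:%M:%S"), "action": action}
    for part in rest.split(";"):  # the first key also holds the origin/interface columns
        key, sep, value = part.partition(":")
        if sep:
            rec[key.strip().lower()] = value.strip()
    return rec

def periodic_drops(lines, tolerance=30, min_events=3):
    """Map (src, dst, service) to its period in seconds when drops recur steadily."""
    seen = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["action"] == "drop" and {"src", "dst", "service"} <= rec.keys():
            seen[(rec["src"], rec["dst"], rec["service"])].append(rec["time"])
    result = {}
    for flow, times in seen.items():
        gaps = [(b - a).total_seconds() for a, b in zip(sorted(times), sorted(times)[1:])]
        if len(times) >= min_events and all(abs(g - median(gaps)) <= tolerance for g in gaps):
            result[flow] = median(gaps)
    return result

if __name__ == "__main__":
    print(periodic_drops(SAMPLE))  # {('10.0.1.5', '10.0.0.97', 'ldap'): 900.0}
```

A flow that shows up here with a fixed period and a single destination service is a candidate for a scheduled check rather than user traffic, which can then be matched against the appliance's own configuration.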