"Port Scan Attack!!!" log entry for the Symantec Firewall/VPN Appliance explained
|Article:TECH80213|||||Created: 2002-01-26|||||Updated: 2002-01-30|||||Article URL http://www.symantec.com/docs/TECH80213|
You are examining the firewall log file and see several entries that say, "Port Scan Attack!!!" You want more information on these entries.
By default, the Symantec Firewall/VPN Appliances (all models) prevent all access initiated from outside the protected network. Any outbound requests originating inside the protected network are allowed through the firewall, and inbound responses to these requests are passed back to the requestor. In this default state, any traffic that is directed at the external (public, or Internet-facing) interface of the SFVPN, is blocked.
If you configure the Virtual Server or Custom Virtual Server functions of the firewall, inbound traffic is allowed through on the ports you specify, and traffic is sent to the computers you specify.
In either scenario, the "Port Scan attack" log entry appears any time that there is inbound traffic to ports not specifically allowed to the external interface of the firewall. These notifications are informative and should not cause concern.
Article URL http://www.symantec.com/docs/TECH80213