So I’m looking in my ISA log files because for the last couple of days my Scorpion Software Firewall dashboard has indicated I’ve been getting NTP attacks from two IP addresses: and , and now I have some time on my hands to figure out what’s going on. They aren’t getting out, but why are they there? My internal IP address on this network is based on the old SBS 4.x numbering of 10.0.0.x, and my home IP range is 192.168.16.x; the is my external NIC attached to the router. So WHY do I have two IP addresses attempting to get a time sync and being denied? When I ping them they are unavailable, and an arp -a brings back nothing. Well, in chatting with Amy she indicated that the logging I was seeing, “0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED”, was not hitting a “rule” but rather was being dropped in kernel mode. It was labelling them as spoofed as it didn’t see these addresses in my domain.

No kidding… neither did I. So what are they? Amy Googled and found that one might be a VMware network connection and the other Cisco. VMware? Hang on… I have VMware on this workstation, but it’s not loaded up, and at the time I had the two NICs enabled (I’ve since disabled them).

And sure enough, those were the IP addresses the NICs were assigned in the interface, and ISA was just doing what it was supposed to do on my internal network and saying “yo, I don’t recognize these, they aren’t on my approved internal IP addresses, so I’m blocking them”. Okay, so not exactly like that, but you get my meaning.

Sure ’nuff, I disabled the NICs, as I’m not running VMware on this machine at this time, and that was indeed it. Once again, the firewall dashboard stuck something in my face that I don’t think I would have noticed otherwise.
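The triage described above, as an added example (not code from the original post, and not an ISA tool): pull the 0xc0040014 spoof-drop entries out of a log excerpt, then check each source address against the networks ISA has been told about and against the host’s own adapter list, so a host-only or NAT adapter added by VMware shows up for what it is. The log layout, the 10.0.0.0/24 mask, the adapter names, addresses and MACs are all constructed or assumed; only the result code and the 10.0.0.x internal range come from the post. The VMware OUIs are the registered prefixes for VMware adapters.

```python
"""Triage ISA Server spoof-drop log entries (result code 0xc0040014,
FWX_E_FWE_SPOOFING_PACKET_DROPPED) against the networks ISA knows about.

Added example, not code from the original post. ISA drops a packet in kernel
mode as spoofed when its source address is not in the address ranges defined
for the network the packet arrived on; a host-only/NAT adapter added by a
hypervisor (VMware's VMnet1/VMnet8) is one common way such addresses appear.
The log layout below is a constructed, simplified one, not ISA's W3C fields.
"""
import ipaddress
import re
from collections import Counter

SPOOF_DROP_CODE = "0xc0040014"

# OUIs registered to VMware; used to recognise virtual adapters by MAC prefix.
VMWARE_OUIS = {"00:50:56", "00:0c:29", "00:05:69", "00:1c:14"}

# Assumed ISA "Internal" network definition: 10.0.0.x from the post, /24 mask assumed.
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed adapter inventory (what `ipconfig /all` on the ISA host would list).
# Names, addresses and MACs are sample values, not the ones from the post.
HOST_ADAPTERS = [
    {"name": "LAN",    "ip": "10.0.0.2",      "mac": "00:11:22:33:44:55"},
    {"name": "VMnet1", "ip": "192.168.80.1",  "mac": "00:50:56:c0:00:01"},
    {"name": "VMnet8", "ip": "192.168.120.1", "mac": "00:50:56:c0:00:08"},
]

# Constructed log excerpt: time, source IP, destination IP, proto/port, action, result code.
SAMPLE_LOG = """\
2007-01-05 08:00:01 192.168.80.1 10.0.0.2 UDP/123 Denied 0xc0040014
2007-01-05 08:00:01 192.168.120.1 10.0.0.2 UDP/123 Denied 0xc0040014
2007-01-05 08:00:05 10.0.0.15 10.0.0.2 UDP/123 Allowed 0x0
2007-01-05 08:00:09 192.168.80.1 10.0.0.2 UDP/123 Denied 0xc0040014
2007-01-05 08:00:12 172.16.5.9 10.0.0.2 UDP/123 Denied 0xc0040014
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+) (?P<action>\S+) (?P<code>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def spoof_drops(entries):
    """Entries ISA dropped in kernel mode as spoofed (no firewall rule was involved)."""
    return [e for e in entries if e["code"].lower() == SPOOF_DROP_CODE]


def classify_source(src, internal_ranges=INTERNAL_RANGES, adapters=HOST_ADAPTERS):
    """Explain why ISA would not recognise this source address."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in internal_ranges):
        return "in a defined network (check which interface it arrived on)"
    for a in adapters:
        if ipaddress.ip_address(a["ip"]) == ip:
            oui = a["mac"].lower()[:8]
            kind = "VMware virtual adapter" if oui in VMWARE_OUIS else "local adapter"
            return f"{kind} {a['name']}, not in any defined ISA network"
    return "not a local adapter and not in any defined network"


def triage(log_text=SAMPLE_LOG, internal_ranges=INTERNAL_RANGES, adapters=HOST_ADAPTERS):
    """Map each spoof-dropped source IP to (drop count, explanation)."""
    counts = Counter(e["src"] for e in spoof_drops(parse_log(log_text)))
    return {src: (n, classify_source(src, internal_ranges, adapters))
            for src, n in counts.items()}


if __name__ == "__main__":
    for src, (n, why) in triage().items():
        print(f"{src}: {n} spoof drop(s); {why}")
```

The two fixes this points at are the same two the post arrived at: either add the virtual adapter’s subnet to the matching ISA network definition, or disable the adapter when no guests need it. Either way the address stops looking like a spoof to the kernel-mode filter.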

And by the way…. to Amy … Ditto!  THANK YOU! for all that you do for the SBS and ISA Community!


2 Responses to So I’m looking in my ISA log files…

  1. chris rue says:

    amy b. = the shiznit, fo sho!

  2. Jim Begley says:

    Network security / monitoring / management tools have not kept pace with virtualization products. I have had similar “false positives” on my network and have spoken to a number of vendors who just tell me they are working on it. We had an asset management tool telling us a laptop was “missing”; it was a Virtual PC that was not running after being picked up in a scan. We had firewalls reporting spoofed IPs on VMware and a monitoring tool that kept automatically monitoring virtual servers in a test lab. The good news is it should be a relatively easy fix to have tools 1) identify virtual resources (they have unique BIOS IDs) and 2) tie them back to the host system and running state. Once we do that, we can build conditional rules on monitoring and management tools.

    Great post, as always 🙂