
identify remote server

dawks

Diamond Member
Hi everyone, I am helping an organization with some things and I was looking at their Check Point firewall logs. I see a large number of their PCs are regularly trying to connect to a few IPs that seem to be Akamai CDN servers (on this org's ISP network). Their firewall is blocking it, however.

Is there a way to find out what they are actually connecting to? On the PC I am using, I see that several connections will be made over a span of 10 minutes a few times throughout the day, so I am unable to just start a packet capture. It happens when a user is logged off as well. It looks like it's happening over port 80, but when I visit that IP over HTTP I just get "Invalid URL The requested URL "[no URL]", is invalid."

I suspect it is something innocent (like software updates), but I'd still like to figure it out.
 
Won't the Check Point firewall log show the destination server IP and its resolved name / URL / service or protocol / ports the source PC is trying to reach?

And if a web server is not configured to redirect an invalid URL to another web page, you are going to get an invalid URL or page not found error even if the web server is running.
 

It does give some info, but it’s just an IP (with reverse DNS) and port 443/80, and I don’t see anything else. The IP and reverse DNS look like servers hosted on our ISP’s network, and are registered to our ISP and Akamai, but I have no idea how to find out anything beyond that.

My PC is making a port 80/443 connection to those IPs overnight, without being logged in. How do I narrow down to what it is specifically (again likely just software updates, but how can I be sure)?

Thanks for the utility tip Jack, the one challenge is I don’t know when it will happen so short of launching it and staring at it all day I can’t be sure when I’ll see it. The alternative is something that can log, then allow me to do a filter search, but running a PCap all day would probably crash my PC.
 
If you don't want to use PCap/Wireshark,

Fiddler or mitmproxy might help.

But not familiar with them.

Not sure if they provide summary.

There will be tons of info though.
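
A lightweight alternative to an all-day capture is to poll the TCP connection table and log only the attempts to the watched IPs, together with the owning process and any services hosted in it. The script below is an added example, not something posted by anyone in this thread. It assumes the PCs run Windows with PowerShell; the IP addresses and the log file name are placeholders.

```powershell
# Added example: record which process tries to reach the watched IPs.
# Run elevated, or as a scheduled task under SYSTEM so it keeps running
# while no user is logged on.
$WatchedIPs = @('192.0.2.10', '192.0.2.11')          # placeholders: IPs taken from the firewall log
$LogFile    = Join-Path $env:TEMP 'conn-watch.csv'   # hypothetical output file
$seen       = @{}                                    # one log row per connection attempt

while ($true) {
    # Blocked attempts stay in the table in SynSent state while the SYN
    # is being retried, so a one-second poll is enough to see them.
    $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $WatchedIPs -contains $_.RemoteAddress }

    foreach ($c in $conns) {
        $key = '{0}|{1}|{2}' -f $c.OwningProcess, $c.LocalPort, $c.RemoteAddress
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true

        # Resolve the PID to an executable, its command line, and (for
        # svchost.exe and similar hosts) the services running inside it.
        $filter = "ProcessId=$($c.OwningProcess)"
        $proc   = Get-CimInstance Win32_Process -Filter $filter -ErrorAction SilentlyContinue
        $svcs   = (Get-CimInstance Win32_Service -Filter $filter -ErrorAction SilentlyContinue).Name -join ';'

        [pscustomobject]@{
            Time        = (Get-Date).ToString('s')
            RemoteIP    = $c.RemoteAddress
            RemotePort  = $c.RemotePort
            State       = $c.State
            ProcessId   = $c.OwningProcess
            Image       = $proc.ExecutablePath
            CommandLine = $proc.CommandLine
            Services    = $svcs
        } | Export-Csv -Path $LogFile -Append -NoTypeInformation
    }
    Start-Sleep -Seconds 1
}
```

The resulting CSV can be filtered afterwards by time or process name, and the image path and service names usually make it clear whether the traffic belongs to an updater.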
 