Addressing TCP Wrapping/Open Ports on Certain Firewalls Causing Assets Misdetection

This article provides guidance on how to disable TCP Wrapping or Default Open Ports on certain firewalls that cause asset misdetection in Secureworks® Taegis™ VDR.

Certain firewalls either perform TCP wrapping or simulate responses on specific ports, which causes VDR to detect potential responding hosts when auto-discovering across network zones.

The ports typically affected are 2000, 5060, and 5061, but other ports might be affected as well.
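One way to triage discovery output for this pattern, as an added example that is not part of the original article or of VDR itself: it flags network zones where most responders answer only on the ports named above. The input layout, the `flag_phantom_hosts` function name, the /24 zone grouping, and the thresholds are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Ports the article names as typically affected; extend if others show up.
SIMULATED_PORTS = {2000, 5060, 5061}

# Constructed sample: (host IP, open TCP ports seen during discovery).
SAMPLE_RESULTS = [
    ("10.20.30.1", [2000, 5060]),
    ("10.20.30.2", [2000, 5060]),
    ("10.20.30.3", [2000, 5060]),
    ("10.20.30.4", [2000, 5060]),
    ("10.20.30.10", [22, 443, 5060]),  # real services alongside 5060
    ("10.40.0.5", [5060, 5061]),       # lone SIP host, plausibly genuine
    ("10.40.0.9", [80, 443]),
]

def flag_phantom_hosts(results, prefix_len=24, min_hosts=3, min_ratio=0.5):
    """Return {zone: [ips]} for zones where most responders answer only on
    SIMULATED_PORTS, the pattern a wrapping firewall produces."""
    zones = defaultdict(lambda: {"all": 0, "suspect": []})
    for ip, ports in results:
        zone = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        zones[zone]["all"] += 1
        open_ports = set(ports)
        # Suspect: responds somewhere, but never outside the simulated set.
        if open_ports and open_ports <= SIMULATED_PORTS:
            zones[zone]["suspect"].append(ip)
    flagged = {}
    for zone, stats in zones.items():
        suspects = stats["suspect"]
        # Require both a minimum count and a majority share (assumed thresholds)
        # so a single genuine SIP/SCCP device does not flag its whole zone.
        if len(suspects) >= min_hosts and len(suspects) / stats["all"] >= min_ratio:
            flagged[str(zone)] = sorted(suspects, key=ipaddress.ip_address)
    return flagged

if __name__ == "__main__":
    for zone, ips in flag_phantom_hosts(SAMPLE_RESULTS).items():
        print(f"{zone}: {len(ips)} likely firewall-simulated hosts: {', '.join(ips)}")
```

Zones flagged this way are candidates for the firewall changes described in the sections that follow; hosts that also expose other services are left alone.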

Fortinet Firewalls

This issue is especially present with Fortinet Firewalls’ default configuration. The following documentation addresses this issue:

Cisco Firewalls (ASA/ASDM)

This issue can be present with certain Cisco firewalls, especially the ASA module (or ASDM), which has a few threat protections that can be enabled.

It is possible to reduce the impact of host misdetection by safelisting our IP range in the ASA appliance threat-detection module with a command similar to this one:

threat-detection scanning-threat shun except ip-address 216.9.204.0 255.255.252.0

Note that the issue could also be due to the rate at which the ASA module accepts embryonic connections; this rate can be adjusted according to the following manual section:

 
