Server Management - Systems Insight Manager

Daily System Identification causes port scan from DMZ

Regular Advisor


The scheduled job for daily system identification runs at the default time of 4:05PM every day.

I have a very small number of servers and it doesn't affect performance at all, so I don't really care to change the run time.

However, I have SIM manage the few systems we have in the DMZ at two different sites. All routing, firewall and VPN services are provided by a SonicWALL Pro2040 at each site. The SonicWALL at the site that houses our production systems (including the SIM 5.1 server) alerts me every day at 4:05 that the one server in that site's DMZ (our production web server for a hosted J2EE application) is attempting a port scan back to the SIM server. I'm not worried about it being a security problem, as it is obviously being generated by this SIM job, but I just want to get rid of the "wolf cry".

The interesting thing is, the two web servers at the backup site, that are identical in every way to the production server, don't generate this error from that site's SonicWALL.

Anyone else have a similar configuration / issue?
Honored Contributor

Re: Daily System Identification causes port scan from DMZ

Hi Andrew,

You should try and resolve this instead of masking as there might be a small chance it might be real in the future.

What's interesting is why your webserver is reported to be doing the scan when it should be the SIM server.

What's running on this webserver other than your web application?

Or why not remove the webserver from SIM ID scan?

Regular Advisor

Re: Daily System Identification causes port scan from DMZ

I definitely don't want to mask the problem, I want to understand it.

Here's the error from the SonicWALL:

05/22/2007 16:05:12.368 - Alert - Intrusion Prevention - Possible port scan detected -, 9990, X2 -, 3969, X0 - TCP scanned port list, 3916, 3926, 3929, 3954, 3963

11.3 is the DMZ web server
10.9 is the SIM server

The web server is generating the scan from port 9990.

Another good question is: What exactly is the Daily System Identification job doing?
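
A triage sketch for the alert quoted in the last post, added here as an example and not part of the thread or of any SonicWALL or HP SIM tooling. It parses the line as posted and applies a hypothetical heuristic (the function names and thresholds are assumptions) that flags port lists shaped like replies to a client's ephemeral ports:

```python
import re

# Alert line copied verbatim from the post; its address fields are blank on the page.
ALERT = (
    "05/22/2007 16:05:12.368 - Alert - Intrusion Prevention - "
    "Possible port scan detected -, 9990, X2 -, 3969, X0 - "
    "TCP scanned port list, 3916, 3926, 3929, 3954, 3963"
)

# One endpoint is "- [addr], port, interface"; addr is optional so the posted line parses.
ENDPOINT = r"-\s*(?P<{0}_addr>[0-9.]*)\s*,\s*(?P<{0}_port>\d+)\s*,\s*(?P<{0}_if>\w+)\s*"
PATTERN = re.compile(
    r"Possible port scan detected\s*"
    + ENDPOINT.format("src") + ENDPOINT.format("dst")
    + r"-\s*(?P<proto>\w+) scanned port list,\s*(?P<ports>[\d,\s]+)$"
)


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a port scan alert."""
    m = PATTERN.search(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    return {
        "src": (d["src_addr"] or None, int(d["src_port"]), d["src_if"]),
        "dst": (d["dst_addr"] or None, int(d["dst_port"]), d["dst_if"]),
        "proto": d["proto"],
        "ports": [int(p) for p in d["ports"].split(",") if p.strip()],
    }


def triage(alert, well_known_max=1023, max_span=200):
    """Hypothetical heuristic with assumed thresholds, not a SonicWALL or SIM rule.

    'reply-like': every destination port is above the well-known range, the
    listed ports rise in the order logged and all sit in a narrow band, as
    when one service port answers a client that allocates ephemeral ports
    sequentially. Anything else is 'review'.
    """
    listed = alert["ports"]
    ports = listed + [alert["dst"][1]]
    high = all(p > well_known_max for p in ports)
    rising = all(a < b for a, b in zip(listed, listed[1:]))
    narrow = max(ports) - min(ports) <= max_span
    return "reply-like" if high and rising and narrow else "review"
```

A `reply-like` result is only a pointer: the firewall's connection log shows which side actually opened the connections.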