Firewall model: SonicWall NSA2400.
I am trying to figure out our firewall to diagnose a possible breach. We have a current rule active to deny all WAN to all LAN for all protocols. I just want to be sure that this would deny anything that is not specifically set to be allowed by other rules, correct?
I am currently seeing an active connection coming in from another country. However, while I see it in the connections monitor, there is nothing in the logs for the IP (handshake, ack). How is this possible if we have everything denied and why does nothing show up in the logs if it shows up in the connections monitor? When I try to "flush" the connection, I get the alert "Not Found" and when I refresh, the connection remains. I am also seeing TX and RX from the connection.
The only connection allowed outside the access rules is an active VPN tunnel for another company. I don't know if this is a security issue or if I just don't understand the firewall well enough (I am the in-house Tier 1; the Tier 2 guy is out of the country).
Any help would be GREATLY appreciated.