Overview
While reviewing System Logging, you have noticed unusual File does not exist
entries from a certain IP address.
[error] [client <IP_address>] File does not exist: /opt/tms/www/ams/perl.exe [error] [client <IP_address>] Client sent malformed Host header [error] [client <IP_address>] File does not exist: /opt/tms/www/ams/login [error] [client <IP_address>] File does not exist: /opt/tms/www/ams/nessus\\..\\..\\..\\..\\..\\..\\winnt\\win.ini
This might happen due to port or vulnerabilities scanning for the Exinda device.
This article provides information on how to overcome such Error messages.
Solution
Internal IP in logs
If the IP address appears to be internal local (i.e. 10.10.x.x
, 172.14.x.x
, or 192.168.x.x
), most probably, the vulnerability scanner, such as Nessus, is running against the Exinda appliance to verify no security threats are presented.
If that is the case, it's recommended to exclude Exinda installation from the vulnerability scanner's targets, once the Security Assessment is completed. If the scanner is running constantly, it might cause performance issues together with spikes in TCP System Health for Internal Hosts.
Tip: you can resolve high spikes by executing ddos tcp ignore
through Exinda CLI.
External IP in logs
If the IP address appears to be coming from an external Network (random public IP coming from the same or different country), it can be added to the Discarded traffic policy.
- Add new network object through Configuration > Objects > Network:
- Name: Suspicious IPs
- Location: External
- Subnets: <ip_address>/<mask>
- Create a policy in Configuration > Optimizer > click Create New Policy
- Policy name: Discard IP
- Action: Discard
- Filter Rules > Source = Suspicious IPs
- (Optionally) Enable block option "Discard only the first packet of a connection"
- Click Add New policy.
- Save config changes and Restart optimizer.