Zenarmor (Sensei) / Re: Local vs Remote confusion
« on: January 06, 2023, 02:17:10 am »
Some extra detail...
The "Table of Local Assets" shows IP addresses (untranslated IP addresses) from LAN and DMZ, so this looks right.
The "Table of Remote Hosts" shows only the two default gateway IP addresses (one for the LAN interface and one for the DMZ interface). Perhaps this is expected, but if so it doesn't seem particularly useful.
I did just realise that using the drilldown and session detail feature from the Top Local Hosts tries to use these as the source address, and since most of these are Internet destination addresses this produces empty results. (Ditto the Top Remote Hosts searching for destinations using source addresses.) Which is a relief, it suggests local and remote do mean what I think they mean, and it's ZenArmor that's having an inconceivable moment.
Note that doing a drilldown or session detail from "Top Local Server Ports" searches for a destination port, which makes sense because servers are destinations by definition, I would have thought, but of course finds records in which the destination IP is Internet (remote). "Top Remote Ports" also searches for destination port, which also makes sense, but in my case finds only destination IPs on the LAN or DMZ (for port 53 because of my DoT setup). But then the filtering from these reports is a bit suspect anyway, since filtering only by destination port is not going to give local vs remote distinction anyway, and that is what I'm seeing when I use this on ports used on both local and remote servers.