This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Community FAQ
Register | Log In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Lansweeper Community
- Forums
- General Discussions
- Re: Firewall detects traffic to recognition.lanswe...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Register to ask a question, start a topic or share an idea
Join the Community
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-13-2023
03:45 PM
- last edited on
04-12-2024
11:05 AM
by
Mercedes_O
Hello,
Is the endpoint at recognition.lansweeper.com/3/devrecog using log4j?
Palo alto is classifying this traffic from our on-prem LS instance to the above endpoint as a critical vulnerability (2 threat IDs), and will be blocked once we turn up our vulnerability protection profile settings. Any idea why Palo is seeing this outbound traffic as a threat?
thanks
Solved! Go to Solution.
Labels:
- Labels:
-
General Discussion
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-15-2023 08:45 AM
Hello there!
The Lansweeper services running locally on your Lansweeper server will not send out any Log4j-related traffic. We have thoroughly investigated our internal and customer-facing systems, the software we deliver, and its components and interactions. None are directly affected by the log4j vulnerability. Some of our cloud systems have been indirectly affected due to running on AWS, which AWS has since patched.
The URL in particular, https://recognition.lansweeper.com, is used by your scanning service in the context of credential-free device recognition (CDR):
This endpoint does not use a log4j v2 library, LDAP auth, or the JNDI API. However, it has a component utilizing a log4j library of an unaffected version without calling any of the affected protocols, functions, or methods. If you see a detection related to this URL, it can be deemed a false positive.
It is essential to remember that if you're running external vulnerability scanners, these may currently be sending out test connections or even injecting strings into your ongoing connections to probe and check for the Log4Shell vulnerability. For example, we've had some reports from customers where their vulnerability scanner injected strings into their connections to external Lansweeper endpoints, causing their firewall to flag the connections as vulnerable and preventing them. In other words, vulnerability scans and probes from system A might cause security system B to detect them as a vulnerability.
Lastly, since your internal security equipment is blocking your scan server access to recognition.lansweeper.com, you might receive a notification in Lansweeper that CDR is not working/has no access to the internet. To resume the functionality of CDR, you will need to allow traffic to the following endpoints:
- The recognition endpoint: https://recognition.lansweeper.com/3/devrecog
- The license authentication endpoint: https://authentication.lansweeper.com
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-15-2023 08:45 AM
Hello there!
The Lansweeper services running locally on your Lansweeper server will not send out any Log4j-related traffic. We have thoroughly investigated our internal and customer-facing systems, the software we deliver, and its components and interactions. None are directly affected by the log4j vulnerability. Some of our cloud systems have been indirectly affected due to running on AWS, which AWS has since patched.
The URL in particular, https://recognition.lansweeper.com, is used by your scanning service in the context of credential-free device recognition (CDR):
This endpoint does not use a log4j v2 library, LDAP auth, or the JNDI API. However, it has a component utilizing a log4j library of an unaffected version without calling any of the affected protocols, functions, or methods. If you see a detection related to this URL, it can be deemed a false positive.
It is essential to remember that if you're running external vulnerability scanners, these may currently be sending out test connections or even injecting strings into your ongoing connections to probe and check for the Log4Shell vulnerability. For example, we've had some reports from customers where their vulnerability scanner injected strings into their connections to external Lansweeper endpoints, causing their firewall to flag the connections as vulnerable and preventing them. In other words, vulnerability scans and probes from system A might cause security system B to detect them as a vulnerability.
Lastly, since your internal security equipment is blocking your scan server access to recognition.lansweeper.com, you might receive a notification in Lansweeper that CDR is not working/has no access to the internet. To resume the functionality of CDR, you will need to allow traffic to the following endpoints:
- The recognition endpoint: https://recognition.lansweeper.com/3/devrecog
- The license authentication endpoint: https://authentication.lansweeper.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-15-2023 03:48 PM
I appreciate the info. We arent scanning endpoints. This is being detected in the outbound traffic flow from an on-prem instance of lansweeper to that internet based recognition endpoint. we arent blocking the traffic yet, but it came up when auditing what traffic would be affected once we do turn up the vulnerability protection profile on our firewall.
it may be helpful to reach out to Palo Alto to figure out why their firewalls see this traffic as a critical severity vulnerability detection. could possibly get an 'app-id' assigned to lansweeper traffic too. 🙂
thanks again!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-08-2024 01:53 AM
This was categorized by Fortinet's Web Filter as "adult materials" and the blocks showed up on our SIEM's console, didn't even know it was a thing. This was as of 5/7/24. Had to exempt in a custom category. Hah!
General Discussions
Find answers to technical questions about Lansweeper.
New to Lansweeper?
Try Lansweeper For Free
Experience Lansweeper with your own data. Sign up now for a 14-day free trial.
Try Now
Related Content
- Delete assets with "NEW" IT/OT sensor in Product Discussions
- Prioritize Smarter: How Lansweeper’s New EPSS Scores Empower Better Vulnerability Management in Product Announcements
- Trend report in Reports & Analytics
- We’re taking IT Asset Management to the Next Level with the New Lansweeper Apps for JSM! in General Discussions
- Lansweeper Community Highlights October 2024 in General Discussions
