
Firewall/VPN Console Probing

Syndu annotates all incoming traffic and extracts behavioral signals that help explain intent. This page defines the fwprobe signal — what it means, how to interpret it, and how it will later connect to live evidence across IPs, subnets, organizations, ISPs, countries, and cities.

Signal gist: Requests match known firewall, VPN, and gateway admin/login surfaces or client artifacts, indicating explicit probing of security-device endpoints.

Definition

Canonical reference for fwprobe behavior.
Catalog code: fwprobe
Display name: Firewall/VPN Console Probing
How to read this signal
This annotator represents a behavioral pattern, not a claim of identity. It’s designed to help you understand why certain traffic looks suspicious, automated, probing, or exploit-oriented — and to support consistent reporting across the Syndu system.
Explanation
Flags requests that hit known firewall, VPN, and gateway management or login surfaces such as Fortinet remote-login paths, Palo Alto GlobalProtect portals, Cisco ASA/WebVPN prefixes, F5 TMUI routes, Pulse/Ivanti auth paths, and similar vendor-specific endpoints. It also emits on distinctive firewall/VPN client user agents, while generic keywords like "firewall" or "vpn" only count when combined with other hints such as 401/403 responses. This annotator is meant to surface informed attackers and scanners explicitly probing security-device consoles and portal surfaces, not generic payload injection. Interpret alongside scan velocity, Never-200-like behavior, and credential brute-force signals.
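The decision rule above has three tiers: vendor-specific paths and client user agents fire on their own, while generic keywords need a 401/403 to corroborate them. The following Python is an added illustration of that rule run over a few constructed request lines; it is not Syndu's annotator. The page names the vendors and surface types but not the exact strings, so the path prefixes, user-agent markers, the `Request`/`Hit` types and the simple `METHOD PATH STATUS "UA"` line format are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Illustrative vendor surfaces. Assumption: the page names the vendors and the
# kind of surface; these specific strings are chosen for the example only.
STRONG_PATH_PREFIXES = {
    "/remote/login": "fortinet-sslvpn",             # Fortinet remote-login path
    "/remote/fgt_lang": "fortinet-sslvpn",
    "/global-protect/": "paloalto-globalprotect",   # GlobalProtect portal
    "/ssl-vpn/": "paloalto-globalprotect",
    "/+cscoe+/": "cisco-asa-webvpn",                # Cisco ASA/WebVPN prefixes
    "/+webvpn+/": "cisco-asa-webvpn",
    "/tmui/": "f5-tmui",                            # F5 TMUI routes
    "/dana-na/": "pulse-ivanti",                    # Pulse/Ivanti auth paths
}
# Assumption: substrings typical of firewall/VPN client user agents.
CLIENT_UA_MARKERS = ("forticlient", "globalprotect", "pulse secure", "anyconnect")
GENERIC_KEYWORDS = ("firewall", "vpn")
CORROBORATING_STATUSES = {401, 403}


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    status: int
    user_agent: str


@dataclass(frozen=True)
class Hit:
    reason: str       # why fwprobe fired, for the "why" context in drill-downs
    confidence: str   # "high" for vendor-specific evidence, "low" for keyword+status


def classify(req: Request) -> Optional[Hit]:
    """Return a Hit if the request looks like firewall/VPN console probing."""
    # Match on the path component only; a query string must not defeat the prefix.
    path = req.path.split("?", 1)[0].lower()
    # Tier 1: vendor-specific management/login surfaces (prefix match, so a
    # blog URL that merely contains "vpn" does not land here).
    for prefix, vendor in STRONG_PATH_PREFIXES.items():
        if path.startswith(prefix):
            return Hit(f"path:{vendor}", "high")
    # Tier 2: distinctive firewall/VPN client user agents, regardless of path.
    ua = req.user_agent.lower()
    for marker in CLIENT_UA_MARKERS:
        if marker in ua:
            return Hit(f"ua:{marker}", "high")
    # Tier 3: generic keywords count only with an auth-style 401/403 response.
    if req.status in CORROBORATING_STATUSES and any(k in path for k in GENERIC_KEYWORDS):
        return Hit("keyword+status", "low")
    return None


# Constructed line format for this example: METHOD PATH STATUS "USER-AGENT"
LINE_RE = re.compile(r'^(\S+) (\S+) (\d{3}) "([^"]*)"$')


def parse_line(line: str) -> Request:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable request line: {line!r}")
    method, path, status, ua = m.groups()
    return Request(method, path, int(status), ua)


def annotate(lines: List[str]) -> List[Tuple[Request, Optional[Hit]]]:
    """Annotate each non-empty line with the fwprobe decision (None = no hit)."""
    out = []
    for line in lines:
        if line.strip():
            req = parse_line(line)
            out.append((req, classify(req)))
    return out


# Constructed sample traffic: six probes, two benign requests.
SAMPLE_LOG = """
GET /remote/login?lang=en 200 "Mozilla/5.0"
GET /global-protect/login.esp 403 "Mozilla/5.0"
GET /+CSCOE+/logon.html 404 "curl/8.0"
GET /tmui/login.jsp 200 "Mozilla/5.0"
GET / 200 "FortiClient/7.0"
GET /vpn/index.html 401 "python-requests/2.31"
GET /blog/best-vpn-2024 200 "Mozilla/5.0"
GET /wp-login.php 200 "Mozilla/5.0"
"""

if __name__ == "__main__":
    for req, hit in annotate(SAMPLE_LOG.strip().splitlines()):
        label = f"fwprobe {hit.confidence} ({hit.reason})" if hit else "-"
        print(f"{req.status} {req.path:32} {label}")
```

Note that `/blog/best-vpn-2024` is not flagged even though it contains "vpn": it is neither a vendor prefix nor corroborated by a 401/403. That is the distinction the annotator draws between someone reading about VPNs and someone knocking on a VPN portal, and it is also why a 404 on a Cisco WebVPN prefix still counts: the probe is the evidence, not the response.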

Live sections

These panels will be wired to real metrics, enrichment context, and drill-down links.
Signal footprint over time
Rolling volume, bursts, first/last seen, and time-window slices (e.g. last hour/day/week). This will help separate chronic background noise from active campaigns.
Coming next: time series + burst markers
Top affected entities
Links to the entities where fwprobe is most present: IPs, subnets, organizations/ASNs, ISPs, and geographies — with “why” context.
Coming next: entity leaderboards + drill-down
Enrichment context
How enrichment affects interpretation: known crawlers, monitored ranges, trusted scanners, or policy exceptions. This is where “benign but noisy” gets separated from “unknown and risky.”
Coming next: enrichment flags + allowlist context