It would appear that way at first glance, but SQL uses TCP-1433, not UDP. The first number is the source port, which can be anything between 1024 and 5000; the second number is the destination port. Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/pages/author_index.asp?aut=3 http://isatools.org Read the books! ----- Original Message ----- From: <mlefe@xxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Wednesday, September 11, 2002 7:22 AM Subject: [isalist] Re: HELP : ISA Packet Filter log fills up - What can I do to eliminat e these entries in the PF log ? http://www.ISAserver.org Looks like someone is trying to get to a SQL server using udp, Sql uses port 1433 by default. Mike Lefebvre mlefe@xxxxxxxxx -----Original Message----- From: jim@xxxxxxxxxxxx [mailto:jim@xxxxxxxxxxxx] Sent: Wednesday, September 11, 2002 9:32 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: HELP : ISA Packet Filter log fills up - What can I do to eliminat e these entries in the PF log ? http://www.ISAserver.org This is ISA trying to resolve the name (UDP-137 is NetBIOS name broadcast). Since it's a FW client that's making the calls, it's generally ISA that has to perform name resolution for the client. The entries themselves only indicate that you may want to investigate your DNS configuration. They may also indicate that there's no reverse-resolution available for that remote IP. Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/pages/author_index.asp?aut=3 http://isatools.org Read the books! ----- Original Message ----- From: "FRAEYE MIKE" <Mike.Fraeye@xxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Wednesday, September 11, 2002 12:52 AM Subject: [isalist] HELP : ISA Packet Filter log fills up - What can I do to eliminat e these entries in the PF log ? http://www.ISAserver.org Hi all, The following lines keep filling up my PF log. (20 entries a minute): 11/09/2002 8:58:32 172.XXX.YYY.246 195.XXX.YYY.100 Udp 1433 137 - BLOCKED 172.21.172.246 45 00 00 4e 09 bf 00 00 80 11 00 00 ac 15 ac f6 c3 4a c3 64 05 99 00 89 00 3a 4c 19 11/09/2002 8:58:30 172.XXX.YYY.246 195.XXX.YYY.100 Udp 1433 137 - BLOCKED 172.21.172.246 45 00 00 4e 09 bc 00 00 80 11 00 00 ac 15 ac f6 c3 4a c3 64 05 99 00 89 00 3a 4c 1b ... More Info: 172.XXX.YYY.246 External NIC ISA 195.XXX.YYY.100 FTP site On a client there's a script running for FTP download via the Firewall Client. The FTP passes without a problem. Is this behaviour normal or what can I do to eliminate these entries in my log files. Any help is well appreciated ;-) Thanks in advance, Mikey, Belgium ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: mlefe@xxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')