Hey all,

This is totally in theory and not sure if it is possible. Or it may have already been tested but I cannot find an answer.

Background: I was doing some remote pen testing on my companies network and decided to not go the stealth route during nmap scans. During the scanning my firewall (WatchGuard x700) noticed the heavy scan traffic and banned my remote IP from all access and traffic.

Topology: I have about 3 VPN tunnels going to different locations.

Question: If I were to use the Nmap decoy function and scan the main office WatchGuard x700 with the decoy addresses of some of the remote office VPN end points, would this cause the VPN tunnels to be dropped? Would it allow the scan since the WatchGuard knows that its a legitimate VPN tunnel and ignore the traffic?

In other words, If I scanned the WatchGuard with a spoofed IP address of one of my remote VPN offices, would it drop any traffic like it did when I did my namp scans from home thinking it was malicious traffic? And would that cause the tunnel to drop?

The reason I an asking is to see in theory if that would cause a DoS since remote users would be severed from the main office?

I will probably try this out when I get a chance, the lockout time is 30 minutes so it insnt long term and I can unblock if I need too. Just wondering if the WatchGuard or any firewall would do..

Thanks!! Looking forward to your thoughts :-)