09-23-2016 08:48 AM
Was curious if anyone has experienced any issue with RAPs generating erroneous traffic through their tunnel to the Internet. Long story short, we have a policy on our firewalls that blocks outbound traffic to known bad IP addresses on the Internet. When running a query of any hosts that have hit that policy, several RAPs show up. The public IP address of the RAP is shown to be pinging specific malicious, known bad IP addresses on the Internet.
Question...does a RAP do anything else, other than tunnel through the Internet back to the controller? Does it participate in any other possible traffic? The source IP address in the firewall is showing as the RAP's public IP, which is odd because if it terminates on the controller, you would think the controller's internal IP address would be the IP address listed as the source going out to the bad IP addresses.
Here is what I'm seeing:
Source address of 18.104.22.168 is a RAP. Destination IP 22.214.171.124 is malicious.
Makes no sense, but throwing it out there for comment.