
How to Detect Suspicious IPs in Your Firewall Logs and Tighten Network Security

So here I am at my desk after my third coffee, and I remember why I entered this cybersecurity world a couple of decades ago, back in the early 2000s. If you’re anything like me, getting your start as a network admin in ’93 wrangling PSTN voice & data mux stuff, followed by watching all-the-things get destroyed in the Slammer worm days, you understand the importance of chasing the threat curve. In this article, I’ll share a few practical pearls on how to detect suspicious IPs in your firewall logs and run your network tighter than a 50+ year old car’s engine.

How to Identify Enigmatic Traffic

Consider this: the logs aren’t just dry text; they are living stories of who is trying to get in (or out). But not all traffic is the same, and finding attacker IPs means reading between the lines. When I recently assisted three banks with their zero-trust architecture, I noticed one thing consistent across all three: most attacks linger in the “gray zone” of ambiguous-looking traffic before they strike.

What I look for first:

  • Abnormal connection frequency. One IP hitting you 100 times in 5 minutes? That’s a red flag.
  • Odd ports accessed. I’ll wager it’s not your garden-variety user attempting to connect to TCP port 31337.
  • Repeated failed authentications. Brute force and credential stuffing typically leave a signature.
  • Scanning patterns. One source IP touching many different ports.
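As an added example (not code from the article or from P J Networks), here is that checklist turned into a detection pass over constructed, FortiGate-style key=value log lines; the log format, the thresholds and the sample IPs are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; tune them to your own baseline.
FREQ_THRESHOLD, FREQ_WINDOW = 100, timedelta(minutes=5)  # 100 hits from one IP in 5 min
SCAN_PORTS, FAILED_AUTH = 20, 10     # distinct dst ports per IP; denied hits on auth ports
AUTH_PORTS, ODD_PORTS = {22, 3389}, {31337}   # SSH/RDP; the article's "not a user" port
# Constructed, simplified key=value format in the style of a FortiGate traffic log.
LINE_RE = re.compile(r"date=(\S+) time=(\S+) srcip=(\S+) dstport=(\d+) action=(\w+)")

def parse(lines):
    """Yield (timestamp, srcip, dstport, action); unparsable lines are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            date, time, ip, port, action = m.groups()
            yield datetime.fromisoformat(f"{date} {time}"), ip, int(port), action

def analyze(lines):
    """Return {srcip: set_of_flags} for every source IP that trips a heuristic."""
    stamps, ports, denies, flags = defaultdict(list), defaultdict(set), defaultdict(int), defaultdict(set)
    for ts, ip, port, action in parse(lines):
        stamps[ip].append(ts)
        ports[ip].add(port)
        if port in ODD_PORTS:
            flags[ip].add("odd_port")
        if port in AUTH_PORTS and action == "deny":
            denies[ip] += 1
    for ip, ts_list in stamps.items():
        ts_list.sort()  # sliding window: FREQ_THRESHOLD consecutive hits inside FREQ_WINDOW
        if any(ts_list[i + FREQ_THRESHOLD - 1] - ts_list[i] <= FREQ_WINDOW
               for i in range(len(ts_list) - FREQ_THRESHOLD + 1)):
            flags[ip].add("high_frequency")
        if len(ports[ip]) >= SCAN_PORTS:
            flags[ip].add("port_scan")
        if denies[ip] >= FAILED_AUTH:
            flags[ip].add("failed_auth")
    return dict(flags)

def sample_log():
    """Constructed log: an SSH brute-forcer, a port scanner and a chatty but benign client."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    def line(sec, ip, port, action):
        ts = t0 + timedelta(seconds=sec)
        return f"date={ts.date()} time={ts.time()} srcip={ip} dstport={port} action={action}"
    lines = [line(s, "203.0.113.7", 22, "deny") for s in range(120)]         # 120 denies in 2 min
    lines += [line(s, "198.51.100.9", 1000 + s, "deny") for s in range(25)]  # 25 ports in 25 s
    lines += [line(60 * s, "192.0.2.10", 443, "accept") for s in range(50)]  # one HTTPS hit/min
    lines.append(line(30, "198.51.100.9", 31337, "deny"))
    return lines
```

The benign client is deliberately noisy (50 connections) and stays unflagged because its rate never crosses the window threshold and it only ever touches one port; that is the “context matters” point in practice.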

And yes, perhaps an IP looks fishy but it belongs to a valid service doing day-to-day operations. Context matters, so don’t block first and ask questions later — or you may end up breaking your own systems. Been there, done that (ouch).

Geo-Blocking Risky Areas

Okay, this one makes some people hot under the collar — blocking whole countries is not always reasonable. But hear me out. After reading through so many logs and incident reports over the years, some regions consistently rise to the top for malicious IP activity (I’m sure you can guess, and yes, I mean the usual suspects).

Still, geo-blocking is one more tool that can save you time and resources, keep your firewall logs down to a manageable size, and stop making your analysts grumpy. But:

  • Use geo-blocking selectively. Don’t wantonly slam the door on whole continents.
  • Combine geo-blocking with real-time threat intel feeds.
  • Keep in mind that attackers can use proxies or VPNs — so it’s not a foolproof defense.

In those days I would joke that cybercriminals are like nosy cab drivers: block their most traveled routes and they find a back alley. A good geo-block, though, puts a barricade across that alley as well.

Leveraging Threat Intelligence Feeds

Running a security operation without cyber threat intelligence is like biking without brakes – take it from me. At P J Networks, we pump multiple threat intel feeds into our IP monitoring tools, so we aren’t assuming what is bad; we know it, from community-sourced, validated sources.

Here’s what good threat intelligence gets you:

  • Fresh lists of malicious IPs related to botnets, phishing, C2 servers.
  • Context, such as the types of attack that have originated from an IP.
  • Confidence scores to help prioritise blocking.

But — and I put this plainly — I am skeptical of any solution that claims to be 100 percent AI and has zero human involvement. AI is amazing — but it can be trained to spit out false positives, or worse yet, false negatives, if it’s not policed by mature analysts. That only flies with good training data and domain expertise.

Automating IP Blacklists

Manually banning IPs is about as effective as slowing down a waterfall with a colander. This is where automation really helps. We designed our IP blacklist management to integrate with firewall logs like a hand in a glove, so when a suspicious IP crosses the line, our systems don’t just throw us an alert — they act.

Here’s my brief list for automation:

  • Automatically analyze firewall logs for IOCs.
  • Cross-reference IPs against a number of threat intelligence sources.
  • Push suspected IPs directly into the firewall’s blocking rules.
  • Continually review, update and maintain blacklists dynamically — with human oversight, of course.
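As an added example serving both the threat-intel list above (IP, category, confidence) and this automation checklist, here is a triage step that cross-references candidate IPs against several feeds, honours an allowlist, and only auto-blocks above a confidence bar while queueing the rest for an analyst. It is not P J Networks’ code; the feed contents, allowlist, thresholds and the vendor-neutral deny-rule format are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IntelHit:
    """One feed entry: the 'fresh malicious IP + context + confidence' shape the article describes."""
    ip: str
    category: str     # e.g. "botnet", "c2", "phishing"
    confidence: int   # 0-100 as reported by the feed

# Constructed feed contents and allowlist (not real indicators).
FEEDS = {
    "feed_a": [IntelHit("203.0.113.7", "botnet", 90), IntelHit("198.51.100.9", "scanner", 60)],
    "feed_b": [IntelHit("203.0.113.7", "c2", 85), IntelHit("192.0.2.10", "phishing", 40)],
}
ALLOWLIST = {"192.0.2.10"}    # a known business partner: never auto-block, only alert
BLOCK_AT, REVIEW_AT = 80, 50  # assumed confidence thresholds: auto-block / analyst queue

def triage(candidate_ips, feeds=FEEDS, allowlist=ALLOWLIST):
    """Map each suspect IP to (decision, reason); decisions: block, review, ignore, allowlisted."""
    decisions = {}
    for ip in candidate_ips:
        hits = [(name, h) for name, entries in feeds.items() for h in entries if h.ip == ip]
        if ip in allowlist:   # context beats the feed: business-critical IPs go to a human
            decisions[ip] = ("allowlisted", f"{len(hits)} feed hit(s) suppressed by allowlist")
        elif not hits:        # local heuristic only, no corroboration: never auto-block
            decisions[ip] = ("review", "no intel corroboration")
        else:
            best = max(h.confidence for _, h in hits)
            independent = len({name for name, _ in hits})
            score = min(100, best + 5 * (independent - 1))   # small bump per extra feed agreeing
            cats = ",".join(sorted({h.category for _, h in hits}))
            decision = "block" if score >= BLOCK_AT else "review" if score >= REVIEW_AT else "ignore"
            decisions[ip] = (decision, f"score={score} feeds={independent} categories={cats}")
    return decisions

def to_deny_rules(decisions):
    """Render 'block' decisions as vendor-neutral deny lines (illustrative, not FortiGate syntax)."""
    return [f"deny src {ip}  # {reason}" for ip, (d, reason) in sorted(decisions.items()) if d == "block"]
```

In a real pipeline the candidate list comes from your log heuristics and the “review” bucket is what lands in front of an analyst, which is the human control the checklist insists on.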

I know some folks make the case that automation results in overblocking and interferes with business. And yeah, you gotta find a way to balance sensitivity and usability. But based on what I’ve observed at those banks? The automated blacklisting was catching threats before they escalated into incidents. And honestly, people don’t value sleep enough.

Logging IP-Based Attacks

Here is the secret nobody talks about enough: logging isn’t only a matter of accumulating data. It is about quality logging. You’ve got to know what questions to ask when inspecting IP addresses in logs; without that, it’s just noise.

When setting up logging:

  • Make sure your logs record source IP, time stamp, port, protocol and status code.
  • Centralize your log management — otherwise, you’ll spend your day hopping from one location to another.
  • Correlate logs of firewalls/IDS/IPS/endpoints.
  • Conduct regular log audits to clear out any stale or unhelpful info.

Back in the ’90s, “logging” meant black console screens and endless text files. Now we have dashboards and real-time alerts, but the ethos is the same: if you can’t see it, you can’t kill it.


Quick Take

  • Monitor the IP hit count and pattern in the firewall logs.
  • Be smart about geo-blocking—don’t go nuts with it but use it to cut down on the noise.
  • Incorporate cyber threat intelligence feeds but be skeptical of AI-enabled hype.
  • Automate blacklists to catch up with changing threats, but include human checking.
  • Invest in good centralized logging for effective incident responses.

To run the analogy into the ditch: cybersecurity is like fine-tuning a vintage car. Too tight and it won’t run; too loose and you’re flirting with a breakdown on the freeway. Think of your firewall logs as your engine diagnostics. If you know how to read them, you can keep your network running fairly smoothly — even if the bad guys floor it in your direction.

And should you ever want to learn more about how P J Networks stays on the cutting edge of IP threat monitoring and locked-down firewalls, you know where to find me. I’m still stoked from DefCon’s hardware hacking village — because sometimes, to stop the new attack, you have to understand how the bad guys are building their latest tools.

One more thing: don’t get complacent when it comes to your password policies. But that’s an argument for another day. For now, stay suspicious. And keep your logs even more suspicious.

Sanjay Seth
Cybersecurity Advisor, P J Networks Pvt Ltd
