I see a system log warning message similar to "Caution: have detected 200 accesses to IP address xx in the last 15 mins"

Article #: KB-93

Product: Firewall

Applies to: Castle, Inverness

Summary

A solution to the issue of receiving a warning about excessive accesses to an IP address.

Problem

I have warning messages in the system log similar to "1D073503: Caution: have detected 200 accesses to IP Address 206.219.67.2 in the last 15 minutes".

Solution

There are two resolution options available:

Option One

Stop the system responding to the traffic that generates those messages

You need to change the following settings:

Network > Settings > Advanced > Bad External Traffic - Currently Reject, Change to Drop.

Network > Firewall > Firewall rules > Catch-all Section > Default rule - Currently set to Reject, change it to Drop.

Changing from Reject to Drop means the remote device making the requests no longer receives a response (for TCP a reset, for UDP an ICMP port-unreachable) telling it the connection was refused. This may reduce the volume of hits on ports if the remote device either gives up, or has to wait for each attempt to time out before trying again.

Dropping traffic, particularly on an internal interface, can make problems harder to troubleshoot: a client whose traffic is dropped hangs until it times out, instead of getting an immediate refusal that points at the firewall.

Note: This option doesn't affect the alerts directly; it only changes how the firewall answers the traffic that triggers them.

Option Two

Configure Alerts:

Reports > Alerts > Alert settings > Firewall Notifications: increase the four incident threshold values from their defaults, for example from 200 to 2000.

Note: This option directly changes how frequently alerts are generated. Raising the threshold does not reduce the traffic itself, so check the firewall log first to make sure the hits are background scanning rather than something that needs a rule.
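To see how the threshold and the 15-minute window interact before changing the setting, the following added example replays firewall log lines and counts accesses per destination address the way the alert does. It is not Smoothwall's own code: the log line format, the addresses and the hit rates are constructed for illustration, and the alert logic (count per destination in a trailing 15-minute window, fire when the count reaches the threshold, then start counting again) is an assumption about how such a counter behaves, not a description of the Smoothwall implementation.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)

# Constructed, simplified firewall-log format for this example only
# (not Smoothwall's real log format):
#   <ISO timestamp> <REJECT|DROP> SRC=<ip> DST=<ip> DPT=<port>
LINE_RE = re.compile(r"^(\S+) (REJECT|DROP) SRC=(\S+) DST=(\S+) DPT=(\d+)$")

# Constructed start time for the sample log.
SAMPLE_START = datetime(2017, 3, 24, 9, 0, 0)


def parse_line(line):
    """Parse one log line into (timestamp, action, src, dst, dport), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, dst, dport = m.groups()
    return datetime.fromisoformat(ts), action, src, dst, int(dport)


def find_alerts(lines, threshold=200, window=WINDOW):
    """Return a list of (timestamp, dst_ip, count) for every point at which the
    number of accesses to dst_ip within the trailing window reaches threshold.

    Assumed behaviour: once an alert fires for an address its counter is cleared,
    so a sustained flood produces one alert per `threshold` hits, not one per line.
    """
    windows = defaultdict(deque)   # dst ip -> timestamps of hits still in window
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:            # skip lines that do not match the format
            continue
        ts, _, _, dst, _ = rec
        q = windows[dst]
        while q and ts - q[0] > window:   # expire hits older than the window
            q.popleft()
        q.append(ts)
        if len(q) >= threshold:
            alerts.append((ts, dst, len(q)))
            q.clear()
    return alerts


def make_sample_log(start=SAMPLE_START, count=450, dst="198.51.100.10",
                    every_seconds=3):
    """Constructed sample: `count` scanner hits against one address, evenly
    spaced `every_seconds` apart, each to a different destination port."""
    return [
        f"{(start + timedelta(seconds=i * every_seconds)).isoformat()} "
        f"REJECT SRC=203.0.113.7 DST={dst} DPT={1000 + i}"
        for i in range(count)
    ]


if __name__ == "__main__":
    log = make_sample_log()                     # 450 hits, one every 3 s (22.5 min)
    for threshold in (200, 2000):
        hits = find_alerts(log, threshold=threshold)
        print(f"threshold {threshold}: {len(hits)} alert(s)")
        for ts, dst, n in hits:
            print(f"  {ts.isoformat()} {n} accesses to {dst}")
    # The same number of hits spread out to one every 10 s never reaches 200
    # inside any 15-minute window, so the default threshold stays quiet.
    sparse = make_sample_log(every_seconds=10)
    print(f"sparse log, threshold 200: {len(find_alerts(sparse, 200))} alert(s)")
```

With the dense sample the default threshold of 200 fires twice in 22 minutes and a threshold of 2000 never fires; the sparse sample shows that the window length matters as much as the threshold, since the same 450 hits spread over 75 minutes never accumulate 200 inside 15 minutes.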

Attribution:

Last updated: 24 March 2017

Author: Jay Neil

Contributions by: Suzie Knight


Copyright © 2000-2016 Smoothwall All rights reserved.