I see a system log warning message similar to "Caution: have detected 200 accesses to IP address xx in the last 15 mins"

Article #: Product Castle
KB-93 Firewall Inverness


A solution to the issue of receiving a warning about excessive accesses to an IP address.


I have warning messages in the system log similar to "1D073503: Caution: have detected 200 accesses to IP Address in the last 15 minutes"


There are two resolution options available:

Option One

Stop the system responding to those messages

You need to change the following 3 options:

Network > Settings > Advanced > Bad External Traffic - currently set to Reject, change it to Drop.

Network > Firewall > Firewall rules > Catch-all Section > Default rule - currently set to Reject, change it to Drop.

Changing from Reject to Drop means the remote device making the requests no longer gets a response telling it that it has been rejected. This may help reduce the volume of hits on ports if that remote device either gives up trying to send, or takes a long time to time out between requests.

Dropping traffic, particularly on an internal interface, can have the negative effect of making it harder to troubleshoot problems.

Note: This option doesn't actually affect the alerts directly.

Option Two

Configure Alerts:

Reports > Alerts > Alert settings > Firewall Notifications, increase the 4 incident threshold values from the default, for example change from 200 to 2000.

Note: This option will directly change how frequently alerts are generated.
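Before raising a threshold, it helps to replay recent firewall log entries and see which hosts would still trigger a warning at the new value. The sketch below is an added example, not the product's code: it assumes log entries have already been parsed into (timestamp, IP) pairs and that accesses are counted in consecutive fixed 15-minute windows, which this article does not confirm. The sample data is constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # period quoted in the warning message

def window_counts(events, window=WINDOW):
    """Count accesses per (window index, IP); events is an iterable of (datetime, ip).
    Assumption: consecutive fixed windows starting at the first event."""
    events = sorted(events)
    counts = Counter()
    if not events:
        return counts
    start = events[0][0]
    for ts, ip in events:
        counts[((ts - start) // window, ip)] += 1  # timedelta // timedelta -> int
    return counts

def alerts(events, threshold, window=WINDOW):
    """Sorted (window index, ip, count) entries that would raise a warning."""
    return sorted((w, ip, n) for (w, ip), n in window_counts(events, window).items()
                  if n >= threshold)

def peak_per_ip(events, window=WINDOW):
    """Highest single-window count per IP: the baseline for picking a threshold."""
    peaks = {}
    for (_, ip), n in window_counts(events, window).items():
        peaks[ip] = max(peaks.get(ip, 0), n)
    return peaks

def sample_events():
    """Constructed data using documentation address ranges, not real firewall logs."""
    t0 = datetime(2017, 3, 24, 9, 0, 0)
    ev = []
    # 250 hits spread across the first window
    ev += [(t0 + timedelta(seconds=3 * i), "203.0.113.10") for i in range(250)]
    # 2400 hits packed into ten minutes of the second window
    ev += [(t0 + timedelta(minutes=15, seconds=i / 4), "198.51.100.7") for i in range(2400)]
    # quiet host: one hit every 30 seconds
    ev += [(t0 + timedelta(seconds=30 * i), "192.0.2.5") for i in range(50)]
    return ev

if __name__ == "__main__":
    ev = sample_events()
    print("peaks:", peak_per_ip(ev))
    for threshold in (200, 2000):
        print(threshold, alerts(ev, threshold))
```

With the constructed data, the host peaking at 250 accesses stops generating warnings once the threshold moves from 200 to 2000, while the 2400-access burst is still reported.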


Last updated: 24 March 2017
Author: Jay Neil
Contributions by: Suzie Knight