
DHCP Block Flooding Firewall Logs

Hi all,


We have an XG210 running SFOS 16.05.8 MR-8.


We've got issues where the firewall log is constantly flooding with DHCP-related stuff. Here is part of that log:


Log Comp: Local ACL
Action: Denied
Firewall Rule: 0
In Interface: Port1
Source IP: 192.168.1.1 :UDP (68)
Destination IP: 255.255.255.255 :UDP (67)

I have no idea why or where these are coming from. We do not have any DHCP servers set up at this location/site. The issue is that these logs are making it difficult to see legitimate blocks and threats.

If anyone has any ideas, I'd be grateful.



This thread was automatically locked due to age.
  • Hi  

    This is assuming that your 192.168.1.1 address is the interface IP of your gateway. This traffic is caused by a DHCP client on that network creating a DHCP broadcast to any possible servers to request an IP; the entry you see in your log is the DHCP offer being dropped by your firewall. I would like to mention that the log viewer has been updated in v17 to include more log filtering options for easier viewing.

    Regards,

    FloSupport | Community Support Engineer

  • Thanks for your reply.

    Well, I've traced the DHCP requests and they're coming from my IPsec VPN to our main office. I haven't enabled any DHCP relaying through the VPN, but I will do some more digging tomorrow.

    Thanks again.

  • This issue is still ongoing.

    This screenshot below is what appears every 10-20 seconds. It floods our Packet Captures in 1 second and makes the captures pointless.

    It still happens with VPN disabled as well (I previously mentioned this might have been the cause).

    I have disabled DHCP everywhere, but it still gets flooded. I've tried creating rules to allow this traffic, but no luck.

    Anyone else seen this? Driving me mad.
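
Added example, not part of the original thread and not Sophos code: a small Python triage that parses log entries in the field layout quoted in the first post, counts the DHCP entries per interface, source and direction (UDP 68 to 67 is client to server, 67 to 68 is server to client), and returns the remaining denied entries for review. It assumes the log has been exported as plain text with blank-line separated entries; `OTHER_ENTRY` is a constructed sample and all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: DHCP_ENTRY is the entry quoted in the first post (used
# twice); OTHER_ENTRY is invented to stand in for a block worth reviewing.
DHCP_ENTRY = """Log Comp: Local ACL
Action: Denied
Firewall Rule: 0
In Interface: Port1
Source IP: 192.168.1.1 :UDP (68)
Destination IP: 255.255.255.255 :UDP (67)"""
OTHER_ENTRY = """Log Comp: Local ACL
Action: Denied
Firewall Rule: 0
In Interface: Port2
Source IP: 198.51.100.7 :TCP (51515)
Destination IP: 192.168.1.1 :TCP (22)"""
SAMPLE = "\n\n".join([DHCP_ENTRY, DHCP_ENTRY, OTHER_ENTRY])

# Matches the "<address> :<PROTO> (<port>)" value layout shown in the post.
ENDPOINT = re.compile(r"^(\S+)\s*:(\w+)\s*\((\d+)\)$")

def parse_records(text):
    """Split blank-line separated 'Key: Value' blocks into dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines() if ":" in line)
        records.append({k.strip(): v.strip() for k, _, v in pairs})
    return records

def dhcp_direction(rec):
    """Return the DHCP direction implied by the UDP ports, or None."""
    src = ENDPOINT.match(rec.get("Source IP", ""))
    dst = ENDPOINT.match(rec.get("Destination IP", ""))
    if not (src and dst) or src.group(2).upper() != "UDP":
        return None
    ports = (int(src.group(3)), int(dst.group(3)))
    return {(68, 67): "client->server", (67, 68): "server->client"}.get(ports)

def triage(text):
    """Count DHCP entries per (interface, source, direction); keep the rest."""
    noise, other = Counter(), []
    for rec in parse_records(text):
        direction = dhcp_direction(rec)
        if direction:
            src_ip = ENDPOINT.match(rec["Source IP"]).group(1)
            noise[(rec.get("In Interface"), src_ip, direction)] += 1
        else:
            other.append(rec)
    return noise, other
```

`triage(SAMPLE)` returns the DHCP counts keyed by interface, source address and direction, plus the list of non-DHCP entries, so the flood collapses to one counter line per source while the other blocks stay visible.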
