
7.006 Web Surfing killed by IPS going insane

FYI: Don't know if anyone else has had this, but at 12:01 our customer lost web surfing capability completely on their 7.006 firewall.

- Looking at the Management Report showed that the swap usage dropped from 20% to Zero at the time of failure.  Also Concurrent Connections dropped from an average of 600 to less than 100 at the time of failure.  Intrusion protection events dropped to Zero following failure of the surfing.  
- Turning off Web Protection (transparent mode) made no difference.  
- Rebooting made no difference.
- IDS was misconfigured with ANY as the local networks.  Fixed that.  No difference.
- Turned off IDS.  No difference.
- In the end I looked at the logs, and the IDS was showing the following from the time of failure (12:00) until the problem was resolved:

2007:08:09-12:01:24 (none) barnyard[3751]: Waiting for new data
2007:08:09-12:01:40 (none) barnyard[3751]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="P2P WinNY connection attempt" group="0" srcip="172.16.16.49" dstip="129.9.155.222" proto="6" srcport="1574" dstport="443" sid="0" class="Potential Corporate Privacy Violation" priority="1"  generator="3" msgid="0"
2007:08:09-12:01:41 (none) barnyard[3751]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="P2P WinNY connection attempt" group="0" srcip="149.254.196.184" dstip="172.16.1.33" proto="6" srcport="1147" dstport="1723" sid="0" class="Potential Corporate Privacy Violation" priority="1"  generator="3" msgid="0"
2007:08:09-12:01:42 (none) barnyard[3751]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="P2P WinNY connection attempt" group="0" srcip="172.16.16.7" dstip="172.16.1.2" proto="6" srcport="2905" dstport="8080" sid="0" class="Potential Corporate Privacy Violation" priority="1"  generator="3" msgid="0"
2007:08:09-12:01:42 (none) barnyard[3751]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="P2P WinNY connection attempt" group="0" srcip="172.16.16.86" dstip="172.16.1.2" proto="6" srcport="3653" dstport="8080" sid="0" class="Potential Corporate Privacy Violation" priority="1"  generator="3" msgid="0"
2007:08:09-12:01:43 (none) barnyard[3751]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="P2P WinNY connection attempt" group="0" srcip="172.16.16.5" dstip="172.16.1.2" proto="6" srcport="2010" dstport="8080" sid="0" class="Potential Corporate Privacy Violation" priority="1"  generator="3" msgid="0"
2007:08:09-12:01:43 (none) barnyard[3751]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="P2P WinNY connection attempt" group="0" srcip="172.16.16.123" dstip="172.16.1.2" proto="6" srcport="1552" dstport="8080" sid="0" class="Potential Corporate Privacy Violation" priority="1"  generator="3" msgid="0"
2007:08:09-12:01:43 (none) barnyard[3751]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="P2P WinNY connection attempt" group="0" srcip="172.16.16.93" dstip="172.16.1.2" proto="6" srcport="2832" dstport="8080" sid="0" class="Potential Corporate Privacy Violation" priority="1"  generator="3" msgid="0"
2007:08:09-12:01:44 (none) barnyard[3751]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="P2P WinNY connection attempt" group="0" srcip="149.254.196.184" dstip="172.16.1.33" proto="6" srcport="1147" dstport="1723" sid="0" class="Potential Corporate Privacy Violation" priority="1"  generator="3" msgid="0"
2007:08:09-12:01:45 (none) barnyard[3751]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="P2P WinNY connection attempt" group="0" srcip="172.16.16.86" dstip="172.16.1.2" proto="6" srcport="3653" dstport="8080" sid="0" class="Potential Corporate Privacy Violation" priority="1"  generator="3" msgid="0"
2007:08:09-12:01:46 (none) barnyard[3751]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="P2P WinNY connection attempt" group="0" srcip="172.16.16.5" dstip="172.16.1.2" proto="6" srcport="2010" dstport="8080" sid="0" class="Potential Corporate Privacy Violation" priority="1"  generator="3" msgid="0"


- What resolved the situation was disabling both P2P and IM detection.  Not sure which made the difference.
- Re-enabled Web Proxy - worked fine.

Going to downgrade to 7.005 with an ISO, which will happen tonight.  Partly because the management reporting is broken on 7.006, but also because we feel 7.006 has too many problems.  Going to wait for 7.007 before going forward.

Best Regards,
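The symptom in the post is a single IPS signature dropping ordinary web traffic (ports 443 and 8080, the proxy port) from many internal hosts. Here is an added example, not part of the original post or the firewall's own tooling, that parses the barnyard key="value" lines quoted above and flags any signature whose drops look like that pattern. The sample log is constructed from the post's own excerpt; the web-port set and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, in the format of the barnyard/IPS lines quoted in the post.
SAMPLE_LOG = """\
2007:08:09-12:01:24 (none) barnyard[3751]: Waiting for new data
2007:08:09-12:01:40 (none) barnyard[3751]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="P2P WinNY connection attempt" group="0" srcip="172.16.16.49" dstip="129.9.155.222" proto="6" srcport="1574" dstport="443" sid="0" class="Potential Corporate Privacy Violation" priority="1"  generator="3" msgid="0"
2007:08:09-12:01:41 (none) barnyard[3751]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="P2P WinNY connection attempt" group="0" srcip="149.254.196.184" dstip="172.16.1.33" proto="6" srcport="1147" dstport="1723" sid="0" class="Potential Corporate Privacy Violation" priority="1"  generator="3" msgid="0"
2007:08:09-12:01:42 (none) barnyard[3751]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="P2P WinNY connection attempt" group="0" srcip="172.16.16.7" dstip="172.16.1.2" proto="6" srcport="2905" dstport="8080" sid="0" class="Potential Corporate Privacy Violation" priority="1"  generator="3" msgid="0"
2007:08:09-12:01:42 (none) barnyard[3751]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="P2P WinNY connection attempt" group="0" srcip="172.16.16.86" dstip="172.16.1.2" proto="6" srcport="3653" dstport="8080" sid="0" class="Potential Corporate Privacy Violation" priority="1"  generator="3" msgid="0"
2007:08:09-12:01:43 (none) barnyard[3751]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="P2P WinNY connection attempt" group="0" srcip="172.16.16.5" dstip="172.16.1.2" proto="6" srcport="2010" dstport="8080" sid="0" class="Potential Corporate Privacy Violation" priority="1"  generator="3" msgid="0"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
TS_RE = re.compile(r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})\s')
WEB_PORTS = {80, 443, 8080}  # assumption: HTTP, HTTPS and the UTM proxy port

def parse_ips_line(line):
    """Return the key/value fields (plus 'ts') of an IPS alert line, or None for status lines."""
    m = TS_RE.match(line)
    fields = dict(KV_RE.findall(line))
    if not m or fields.get("sub") != "ips":
        return None  # e.g. the 'Waiting for new data' line carries no alert fields
    fields["ts"] = m.group(1)
    return fields

def drops_by_reason(log_text):
    """Per signature 'reason': total drops, drops to web ports, distinct sources hitting web ports."""
    stats = defaultdict(lambda: {"drops": 0, "web_drops": 0, "web_srcs": set()})
    for line in log_text.splitlines():
        ev = parse_ips_line(line)
        if ev is None or ev.get("action") != "drop":
            continue
        s = stats[ev["reason"]]
        s["drops"] += 1
        if int(ev["dstport"]) in WEB_PORTS:
            s["web_drops"] += 1
            s["web_srcs"].add(ev["srcip"])
    return stats

def suspect_signatures(log_text, min_web_drops=3, min_srcs=3):
    """Signatures dropping web-port traffic from many distinct hosts: likely false positives."""
    return sorted(r for r, s in drops_by_reason(log_text).items()
                  if s["web_drops"] >= min_web_drops and len(s["web_srcs"]) >= min_srcs)

if __name__ == "__main__":
    for reason, s in drops_by_reason(SAMPLE_LOG).items():
        print(f'{reason}: {s["drops"]} drops, {s["web_drops"]} to web ports from {len(s["web_srcs"])} hosts')
    print("suspect:", suspect_signatures(SAMPLE_LOG))
```

Run against the full IPS log, a signature that turns up here is the one to disable or whitelist for the proxy first, before touching Web Protection or rebooting.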


This thread was automatically locked due to age.
  • Same thing happened here, lost all web surfing.  My fix was to unblock the "Winny" protocol in IM/P2P Security-->Peer to Peer (P2P).

    Switched it back to "block" today and all appears to be working fine.  BTW, I'm now running on pattern 3976, but I'm not sure which pattern update fixed it.