Firewall service unavailable !!


From: sandaruwan (lewiss_at_zillione.com)
Date: 07/05/04


Date: Mon, 5 Jul 2004 07:23:57 -0700

Hi "theload",
I would like to ask you to check the basic configuration.
1. Check your LAT table: have you included only the local IP range?
2. Check whether you have enabled the packet filters.
3. Just for the moment, block those 2 IP addresses from full access to the network.
4. This can happen if your ISA server becomes an open proxy server. I faced that problem, and what I did was reimplement the ISA server.

If you can post your new status, that will be great.

sandaruwan
 
>-----Original Message-----
>Hi there,
>
>I have ISA 2000 installed on a server.
>One day, I checked the monitoring and found the Firewall Service unavailable! So I started the service. After about 3 to 4 hrs, it became unavailable again!! So I started monitoring the service and found out that there are many firewall sessions "(about 300 - 600 in the services monitoring)". I checked the "sessions monitoring" and there are only 2 firewall sessions! I was shocked that 2 firewall sessions are causing this. When I "abort session" those IPs, when I go back to the Services, the sessions went back to 2. Those IPs don't belong to the internal network. This is 1 of the IPs, 66.36.240.144, and the other starts with 24.x.x.x.
>
>And I've noticed when I keep the sessions going up in numbers, the firewall service becomes unavailable. I checked the firewall log file and found out those 2 IPs are trying to attack port 25 from any port. So I made an IP Packet Filter for port 25, but that didn't work.
>
>Can someone please give me a hint on what to do? I've been facing this problem for about 1 month and I've been searching here and there. I even posted a thread in isaserver.org, but no answer.
>
>I'll be thankful.
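The LAT check in item 1 and the open-proxy case in item 4 are connected: any address that falls inside a LAT range is treated as an internal client. The sketch below is an added example, not part of the original posts and not ISA Server code. It assumes the LAT entries have been copied out by hand as (from, to) pairs, that "local" means the RFC 1918 and link-local ranges, and it uses constructed sample tables; the function names are hypothetical.

```python
import ipaddress

# Assumption: "local" means RFC 1918 private space plus link-local.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed sample LATs (from, to), typed in by hand for this example.
GOOD_LAT = [("192.168.1.0", "192.168.1.255")]
BAD_LAT = [("192.168.1.0", "192.168.1.255"),
           ("66.0.0.0", "66.255.255.255")]   # constructed mistaken entry

def range_to_networks(first, last):
    """Convert a from/to address range into the CIDR networks that cover it."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def audit_lat(lat_ranges):
    """Return the LAT ranges that are not entirely inside private address space."""
    suspicious = []
    for first, last in lat_ranges:
        nets = range_to_networks(first, last)
        # Every CIDR block of the range must sit inside one private network.
        if not all(any(net.subnet_of(p) for p in PRIVATE_NETS) for net in nets):
            suspicious.append((first, last))
    return suspicious

def treated_as_internal(ip, lat_ranges):
    """True if the address falls inside any LAT range, i.e. counts as internal."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(f) <= addr <= ipaddress.ip_address(l)
               for f, l in lat_ranges)

if __name__ == "__main__":
    observed = "66.36.240.144"   # the external address quoted in the question
    for name, lat in (("GOOD_LAT", GOOD_LAT), ("BAD_LAT", BAD_LAT)):
        print(name, "non-local ranges:", audit_lat(lat))
        print(name, observed, "treated as internal:", treated_as_internal(observed, lat))
```

A range that only partly overlaps private space, such as one running past the end of 192.168.0.0/16, is also reported, because every block of the range has to sit inside a private network.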


