Supported Protocols; Connection Logging; Preventing Connection Flooding; Configuring Connection Tracking - McAfee SG310 Administration Manual

Firewall menu options
Connection tracking

Supported Protocols

The UTM Firewall appliance supports connection tracking for the following protocols:
• FTP – File Transfer Protocol
• H.323 – Video, audio teleconferencing
• IRC – Internet Relay Chat
• PPTP – Point to Point Tunneling Protocol
• SNMP – Simple Network Management Protocol
• TFTP – Trivial File Transfer Protocol
The appliance tracks the initial connection allowed, and then looks for secondary connections that are
established. Without connection tracking for FTP, only the control channel connection is allowed through;
Active Mode data channels are dropped. Without Connection Tracking for PPTP, only the control connection
on port 1723 is allowed; the GRE traffic is dropped.
To reiterate, connection tracking applies to all services allowed through the firewall, not just to the specific
protocols listed above.
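The secondary-connection behaviour described above is what a protocol helper does: it reads the allowed control connection, learns which data connection the peer is about to open, and registers an expectation so that one connection (and only that one) is admitted. The following Python model is an added example, not McAfee's implementation or any code from this guide; the `Tracker` and `Conn` names, the policy table and the sample FTP `PORT` command are all constructed here. It walks an active-mode FTP session with the helper enabled and then disabled, showing why the data channel is dropped in the second case.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# FTP active-mode PORT command, RFC 959: "PORT h1,h2,h3,h4,p1,p2"
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?$", re.M
)


@dataclass(frozen=True)
class Conn:
    """One connection as the tracking table sees it (hypothetical model)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_port_command(payload: bytes) -> Optional[Tuple[str, int]]:
    """Return (ip, port) announced by a PORT command, or None if absent/invalid."""
    m = PORT_RE.search(payload)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):       # each field is a single byte
        return None
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class Tracker:
    """Toy connection table with policy-allowed services and an optional FTP helper."""

    def __init__(self, allowed_services, ftp_helper: bool = True):
        self.allowed = set(allowed_services)   # (proto, dport) pairs permitted by policy
        self.ftp_helper = ftp_helper
        self.table = set()                     # connections already admitted
        self.expected = set()                  # (proto, src, dst, dport) secondary connections

    def admit(self, conn: Conn) -> bool:
        """Decide whether a packet opening `conn` may pass the firewall."""
        if conn in self.table:
            return True                        # established connection
        if (conn.proto, conn.dport) in self.allowed:
            self.table.add(conn)               # initial connection allowed by policy
            return True
        key = (conn.proto, conn.src, conn.dst, conn.dport)
        if key in self.expected:
            self.expected.discard(key)         # an expectation is consumed once
            self.table.add(conn)
            return True
        return False                           # no policy match, no expectation: dropped

    def observe_payload(self, conn: Conn, payload: bytes) -> None:
        """Inspect client->server FTP control traffic and register the expected data channel."""
        if not (self.ftp_helper and conn.proto == "tcp" and conn.dport == 21 and conn in self.table):
            return
        announced = parse_port_command(payload)
        if announced is None:
            return
        ip, port = announced
        # Safeguard chosen for this model: only expect a connection back to the client that
        # sent the command, so a PORT command cannot open a hole towards a third host.
        if ip != conn.src:
            return
        # Active mode: the server connects from its side to the announced client address/port.
        self.expected.add(("tcp", conn.dst, conn.src, port))


def demo(helper: bool) -> dict:
    """Run a constructed active-mode FTP session through the model firewall."""
    fw = Tracker(allowed_services={("tcp", 21)}, ftp_helper=helper)
    ctrl = Conn("tcp", "192.168.1.10", 40123, "203.0.113.9", 21)     # constructed client -> server
    data = Conn("tcp", "203.0.113.9", 20, "192.168.1.10", 50000)     # server's active-mode data channel
    results = {"control": fw.admit(ctrl)}
    fw.observe_payload(ctrl, b"PORT 192,168,1,10,195,80\r\n")        # 195*256+80 = 50000
    results["data"] = fw.admit(data)
    return results


if __name__ == "__main__":
    print("helper on :", demo(True))
    print("helper off:", demo(False))
```

With the helper enabled both connections are admitted; with it disabled the control channel still passes but the inbound data channel has neither a policy match nor an expectation and is dropped, which is exactly the behaviour the text describes for FTP without connection tracking.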

Connection logging

Connection tracking can log all connections passing through the firewall. You can enable connection logging
for the start and end of every connection. Connection logging can be useful if you have a log analyzer to
parse the log for purposes such as accounting or intrusion detection. Each log entry specifies the connection
ID, protocol, source and destination addresses and ports, number of packets, and number of
bytes. These are specified for both the original direction and the reply direction. The addresses for the
original direction are before NAT, and the addresses for the reply direction are after NAT.
Tip: Connection logging generates a large number of entries in the system log, and should only be used if you
have enabled remote logging on the Remote Syslog page. For more information, refer to Enabling remote system
logging.
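The useful property of these entries is that the original direction is recorded before NAT and the reply direction after NAT, so a log analyzer can recover the translation and attribute traffic to the real internal host. The guide does not give the exact line format, so the parser below is an added example that follows the Linux conntrack-tools event format (`[NEW]`/`[DESTROY]` lines with `src= dst= sport= dport= packets= bytes=` fields for each direction); the sample lines, the `parse_event`, `nat_summary` and `account` functions are constructed for this example and are not McAfee's code or output.

```python
import re

# One direction: addresses and ports, with optional per-direction counters.
FIELD_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)"
    r"(?: packets=(?P<packets>\d+) bytes=(?P<bytes>\d+))?"
)
HEAD_RE = re.compile(r"^\[(?P<event>\w+)\]\s+(?P<proto>\w+)\s+(?P<protonum>\d+)")

# Constructed sample in conntrack-tools event style: a web connection from a
# LAN host that is source-NATed to 198.51.100.1, and a LAN DNS query without NAT.
SAMPLE_LOG = """\
[NEW] tcp      6 120 SYN_SENT src=192.168.0.10 dst=203.0.113.5 sport=51234 dport=80 [UNREPLIED] src=203.0.113.5 dst=198.51.100.1 sport=80 dport=51234
[DESTROY] tcp      6 src=192.168.0.10 dst=203.0.113.5 sport=51234 dport=80 packets=12 bytes=1480 src=203.0.113.5 dst=198.51.100.1 sport=80 dport=51234 packets=10 bytes=5120
[DESTROY] udp      17 src=192.168.0.22 dst=198.51.100.53 sport=40001 dport=53 packets=1 bytes=71 src=198.51.100.53 dst=192.168.0.22 sport=53 dport=40001 packets=1 bytes=120
"""


def parse_event(line: str) -> dict:
    """Split one event line into its original-direction and reply-direction tuples."""
    head = HEAD_RE.match(line)
    if not head:
        raise ValueError(f"unrecognised conntrack line: {line!r}")
    dirs = [m.groupdict() for m in FIELD_RE.finditer(line)]
    if len(dirs) != 2:
        raise ValueError(f"expected original and reply tuples in: {line!r}")
    for d in dirs:
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        # NEW events carry no counters yet; treat missing counters as zero.
        d["packets"] = int(d["packets"]) if d["packets"] is not None else 0
        d["bytes"] = int(d["bytes"]) if d["bytes"] is not None else 0
    return {"event": head["event"], "proto": head["proto"],
            "original": dirs[0], "reply": dirs[1]}


def nat_summary(ev: dict) -> dict:
    """Derive the NAT translation and totals from the two directions.

    Original is pre-NAT, reply is post-NAT, so source NAT shows up as
    original.src != reply.dst and destination NAT as original.dst != reply.src.
    """
    o, r = ev["original"], ev["reply"]
    return {
        "snat": None if o["src"] == r["dst"] else (o["src"], r["dst"]),
        "dnat": None if o["dst"] == r["src"] else (o["dst"], r["src"]),
        "packets": o["packets"] + r["packets"],
        "bytes": o["bytes"] + r["bytes"],
    }


def account(log_text: str) -> dict:
    """Total bytes per (pre-NAT source, destination, protocol) from DESTROY events."""
    totals = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev["event"] != "DESTROY":          # only closed connections have final counters
            continue
        key = (ev["original"]["src"], ev["original"]["dst"], ev["proto"])
        totals[key] = totals.get(key, 0) + nat_summary(ev)["bytes"]
    return totals


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        ev = parse_event(line)
        print(ev["event"], ev["proto"], nat_summary(ev))
    print(account(SAMPLE_LOG))
```

Keying the accounting on the original (pre-NAT) source is what makes the report name the internal host rather than the shared public address; the reply direction is only needed to recover which public address and port it was translated to.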

Preventing connection flooding

Connection tracking can limit the connection rate on the Internet interface, which prevents connection
flooding.
The connection rate is measured in connections per second. A connection is considered to be new if its
source, destination, and other parameters cannot be matched to a connection already in the connection
tracking table. When connections exceed the rate limit, the UTM Firewall appliance assumes it is being
attacked and logs either "Flood" or "SynFlood" in the system log, as shown in Figure 197.
Figure 197: Logged flood rate limiting
For security, the UTM Firewall appliance drops incoming connections that exceed the flood rate limit.
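The two points that matter in the rate limit are what counts as "new" (a tuple not already in the tracking table, so repeated packets of an established connection are never counted) and that the excess is dropped rather than queued. The simulation below is an added example with a constructed traffic pattern; it is not the appliance's code, and the choice to report TCP floods as "SynFlood" and others as "Flood" is an assumption made for the model, since the guide only says both messages can appear.

```python
from collections import deque


class FloodLimiter:
    """Model of per-interface new-connection rate limiting (constructed, not the appliance's code)."""

    def __init__(self, max_new_per_second: int):
        self.limit = max_new_per_second
        self.table = set()       # connections already tracked
        self.window = deque()    # timestamps of new connections accepted in the last second
        self.log = []            # system-log style messages

    def is_new(self, conn) -> bool:
        # A connection is new when no tracked entry matches its parameters.
        return conn not in self.table

    def admit(self, ts: float, conn) -> bool:
        """Return True if the packet passes, False if dropped by the flood limit."""
        if not self.is_new(conn):
            return True          # established traffic is never rate-limited
        while self.window and ts - self.window[0] >= 1.0:
            self.window.popleft()            # slide the one-second window
        if len(self.window) >= self.limit:
            # Assumption for this model: TCP floods logged as SynFlood, others as Flood.
            kind = "SynFlood" if conn[0] == "tcp" else "Flood"
            proto, src, dst, sport, dport = conn
            self.log.append(f"{ts:.3f} {kind}: dropped new {proto} {src}:{sport} -> {dst}:{dport}")
            return False         # excess connections are dropped, not queued
        self.window.append(ts)
        self.table.add(conn)
        return True


def simulate(limit: int = 20):
    """Constructed traffic: one flow repeated three times, then 25 distinct SYNs within 250 ms."""
    lim = FloodLimiter(limit)
    results = []
    base = ("tcp", "198.51.100.7", "203.0.113.2", 40000, 80)
    for i in range(3):
        results.append(lim.admit(0.0 + i * 0.1, base))     # only the first is "new"
    for i in range(25):
        conn = ("tcp", "198.51.100.7", "203.0.113.2", 50000 + i, 80)
        results.append(lim.admit(0.5 + i * 0.01, conn))
    return lim, results


if __name__ == "__main__":
    lim, results = simulate()
    print(f"admitted {results.count(True)}, dropped {results.count(False)}")
    for entry in lim.log:
        print(entry)
```

With a limit of 20 per second the repeated flow counts once, 19 of the 25 burst connections fill the remaining window, and the last 6 are dropped and logged; an analyzer watching for these messages can alert on a burst without having to inspect the connections themselves.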

Configuring connection tracking

Use this procedure to configure connection tracking. By default, all modules are enabled for connection
tracking. Since connection tracking modules can allow additional connections through the firewall, you
should disable modules you do not need.
Implementations of protocols such as H.323 can vary, so if you are experiencing problems, try disabling the
H.323 module. Disabling H.323 might be necessary when using H.323 across links that do not perform
NAT, such as IPSec or PPTP tunnels.
McAfee UTM Firewall 4.0.4 Administration Guide
191

This manual is also suitable for: SG560, SG560U, SG565, SG580