Table of Contents
Advertisement
Figure 10-2 - select the Generate alert when attack detected checkbox) or when
a rule is matched in the Edit Rule screen (see Figure 11-4)
generates an alert, a message can be immediately sent to an e-mail account that
you specify in the Log Settings screen (see the chapter on logs).
10.3.2
Threshold Values
Tune these parameters when something is not working and after you have checked
the firewall counters. These default values should work fine for most small offices.
Factors influencing choices for threshold values are:
1. The maximum number of opened sessions.
2. The minimum capacity of server backlog in your LAN network.
3. The CPU power of servers in your LAN network.
4. Network bandwidth.
5. Type of traffic for certain servers.
If your network is slower than average for any of these factors (especially if you
have servers that are slow or handle many tasks and are often busy), then the
default values should be reduced.
You should make any changes to the threshold values before you continue
configuring firewall rules.
10.3.3
Half-Open Sessions
An unusually high number of half-open sessions (either an absolute number or
measured as the arrival rate) could indicate that a Denial of Service attack is
occurring. For TCP, "half-open" means that the session has not reached the
established state-the TCP three-way handshake has not yet been completed (see
Figure 9-2). For UDP, "half-open" means that the firewall has detected no return
traffic.
The Contivity 251 measures both the total number of existing half-open sessions
and the rate of session establishment attempts. Both TCP and UDP half-open
sessions are counted in the total number and rate measurements. Measurements are
made once a minute.
Firewall Configuration 10-3
When an event
.
Contivity 251 VPN Switch User's Guide
Advertisement
Table of Contents
