Any suggested default value for firewall?

oem7110cisco
Beginner

Referring to the following link, it provides a list of default values for firewall settings.

I would like to know how to determine appropriate DoS parameters adjusted to your network's normal behavior, and prevent the DoS protection mechanism from causing application failures, poor network performance, and high CPU utilization on the Cisco IOS Firewall router.

Will those default values be the most acceptable levels for balancing between the network's normal behavior and DoS protection?

Does anyone have any suggestions?

Thanks in advance for any suggestions

ip inspect max-incomplete high value (default 500)

ip inspect max-incomplete low value (default 400)

ip inspect one-minute high value (default 500)

ip inspect one-minute low value (default 400)

ip inspect tcp max-incomplete host value (default 50) [block-time minutes (default 0)]

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd804e5098.html


Giuseppe Larosa
Hall of Fame Master

Duplicated post

Best Regards

Giuseppe

There was a network connection issue when I posted the first question, so I assumed the first post was not successful, but it works now.

Do you have any suggestions on how to delete the duplicated post?

singhaam007
Participant

Hi Oem,

Defines the number of half-open (incomplete) sessions that will cause the router to start deleting half-complete sessions (the high value) and stop deleting half-complete sessions (the low value). The no version restores the default value.

Defines the connection establishment rate at which the router starts deleting half-complete sessions (the high value) and stops deleting half-complete sessions (the low value). The no version restores the default value.

Defines the number of half-open (incomplete) sessions that will cause the router to start deleting half-complete sessions (the high value) and stop deleting half-complete sessions (the low value). The no version restores the default value.

http://www.juniper.net/techpubs/software/erx/junose700/swcmdref-a-m/html/i-commands127.html

http://www.juniper.net/techpubs/software/erx/junose700/swcmdref-a-m/html/i-commands125.html

hope this helps.

please rate if this helps

thanks

Referring to the following settings, what period do the 400 or 500 ip inspect values refer to? One minute?

In other words, does it mean that if the firewall finds any specific IP address with more than 400 connections within a specific time, then it will block the IP as part of the DoS protection mechanism?

So those DoS parameters can be adjusted based on the administrator's judgement on balancing between the network's normal behavior and DoS protection. For better protection, if a low value (30) and a high value (60) are selected, does anyone have any suggestions on the pros and cons between this setting and the default one?

Does anyone have any suggestions?

Thanks everyone very much for any suggestions

ip inspect max-incomplete high value (default 500)

ip inspect max-incomplete low value (default 400)

Hello,

Yes, 400 or 500 ip inspect refer to 1 minute, which is the default.

It maintains a sum of all TCP, UDP, and Internet Control Message Protocol (ICMP) connection attempts within the prior minute of the operation of the router, whether the connections have been successful or not. A rising connection rate can be indicative of a worm infection on a private network or an attempted DoS attack against a server.

Yes, you can tweak this config, but be sure that your network is not infected with viruses or worms, which may generate some connections.

http://dynamips.blogspot.co.nz/2007/09/detecing-and-protecting-against-dos.html

please rate if this helps.

thanks
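To make the high/low and one-minute semantics discussed in this thread concrete, here is an added Python model (not Cisco's code, and not from any poster) of how the five ip inspect DoS parameters interact. It assumes a simplified version of the documented behavior: a half-open count or prior-minute connection rate rising above the high value puts the router into an aggressive mode in which the oldest half-open session is deleted for each new request, the mode persists until both counters fall below the low value (hysteresis), and the per-host limit either deletes that host's oldest half-open session or, with a block-time, refuses new requests for that host. In IOS the per-host counter is kept per destination host; the model keys it on whatever address the caller passes. The traffic, the 30/60 values, and the address 203.0.113.9 are constructed for the comparison.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class InspectThresholds:
    """The five ip inspect DoS parameters from the thread, with the IOS defaults."""
    max_incomplete_high: int = 500     # ip inspect max-incomplete high
    max_incomplete_low: int = 400      # ip inspect max-incomplete low
    one_minute_high: int = 500         # ip inspect one-minute high
    one_minute_low: int = 400          # ip inspect one-minute low
    tcp_host_max_incomplete: int = 50  # ip inspect tcp max-incomplete host
    block_time_minutes: int = 0        # optional block-time (0 = delete oldest instead)


class InspectModel:
    """Simplified model of CBAC half-open session handling (assumption, not Cisco code)."""

    def __init__(self, th):
        self.th = th
        self.half_open = defaultdict(deque)  # host -> start times of its half-open sessions
        self.attempts = deque()              # start times of all attempts in the last 60 s
        self.aggressive = False              # between low and high the previous state sticks
        self.blocked_until = {}              # host -> time at which a block-time block expires
        self.stats = {"deleted_global": 0, "deleted_host": 0, "blocks": 0,
                      "dropped_blocked": 0, "aggressive_entries": 0}

    def _rate(self, now):
        # Sum of all attempts in the prior minute, successful or not
        while self.attempts and now - self.attempts[0] >= 60:
            self.attempts.popleft()
        return len(self.attempts)

    def _delete_oldest(self):
        oldest = min((h for h, q in self.half_open.items() if q),
                     key=lambda h: self.half_open[h][0])
        self.half_open[oldest].popleft()
        self.stats["deleted_global"] += 1

    def attempt(self, now, host):
        """New connection request involving `host` at time `now` (seconds)."""
        if self.blocked_until.get(host, -1.0) > now:
            self.stats["dropped_blocked"] += 1
            return "dropped"
        self.attempts.append(now)
        rate = self._rate(now)  # attempts in the prior minute, this one included
        total = sum(len(q) for q in self.half_open.values())
        # Hysteresis: aggressive mode starts above the high mark and ends only below the low mark
        if not self.aggressive and (total > self.th.max_incomplete_high
                                    or rate > self.th.one_minute_high):
            self.aggressive = True
            self.stats["aggressive_entries"] += 1
        elif self.aggressive and (total < self.th.max_incomplete_low
                                  and rate < self.th.one_minute_low):
            self.aggressive = False
        if self.aggressive and total:
            self._delete_oldest()  # make room for the new request
        # Per-host limit (IOS counts half-open sessions to the same destination host)
        if len(self.half_open[host]) >= self.th.tcp_host_max_incomplete:
            if self.th.block_time_minutes:
                self.blocked_until[host] = now + 60 * self.th.block_time_minutes
                self.stats["blocks"] += 1
                return "blocked"
            self.half_open[host].popleft()
            self.stats["deleted_host"] += 1
        self.half_open[host].append(now)
        return "half-open"

    def complete(self, host):
        """The oldest half-open session of `host` finished its handshake."""
        if self.half_open[host]:
            self.half_open[host].popleft()


def run_scenario(th):
    """Constructed traffic, not a capture: 20 clients that complete their handshakes
    half a second apart, then one host that leaves 80 sessions half-open within 10 s."""
    m = InspectModel(th)
    for i in range(20):
        m.attempt(i * 0.5, f"10.0.0.{i + 1}")
        m.complete(f"10.0.0.{i + 1}")
    for k in range(80):
        m.attempt(10 + k * 0.125, "203.0.113.9")
    return m.stats


def compare_settings():
    """Defaults vs. the 30/60 values asked about vs. defaults plus a 1-minute block-time."""
    return {
        "default": run_scenario(InspectThresholds()),
        "low30_high60": run_scenario(InspectThresholds(60, 30, 60, 30)),
        "default_block1": run_scenario(InspectThresholds(block_time_minutes=1)),
    }


if __name__ == "__main__":
    for name, stats in compare_settings().items():
        print(name, stats)
```

With the defaults, the global thresholds are never reached and only the per-host limit acts (it trims the noisy host's oldest half-open sessions once it passes 50). With low 30 / high 60, the one-minute counter trips on the combined benign and noisy attempts, so the router starts deleting a half-open session for every new request network-wide, which is exactly the side effect on legitimate traffic the question worries about. Adding a block-time turns the per-host response into a temporary refusal of that host's new requests instead of session deletion.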

If the general public can download data from the web server, but I would like to prevent any robot from doing it, does anyone have any suggestions on which one (TCP, UDP, or ICMP) I should monitor for its activities? Furthermore, what is a good approach to detect a robot's activities? Once I find it, I would then block its IP for a specific period.

On the other hand, for setting the default values on the firewall, if the default value is the sum of all TCP, UDP, and Internet Control Message Protocol (ICMP) connection attempts within the prior minute of the operation of the router, it seems to me that there is no setting for only a specific connection type. At this moment, I don't know which connection type is used for downloading data from the web server; if I change the default value, then it will apply to all connections, TCP, UDP and ICMP, etc.

So determining the value is my concern, so as not to affect other connections' usage.

Does anyone have any suggestions?

Thanks everyone very much for any suggestions
