cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

418
Views
0
Helpful
6
Replies
Highlighted
Beginner

Any suggested default value for firewall?

Referring to following link,  it provides a list of default value for firewall setting,

I would like to know how to determine any appropriated DoS parameters adjusted to your network's normal behavior, and prevent any DoS protection mechanism, causing application failures, poor network performance, and high CPU utilization on the Cisco IOS Firewall router.

Will those default value be the most acceptable levels on balancing between network's normal behavior and DoS protection?

Does anyone have any suggestions?

Thanks in advance for any suggestions

ip inspect max-incomplete high value (default 500)

ip inspect max-incomplete low value (default 400)

ip inspect one-minute high value (default 500)

ip inspect one-minute low value (default 400)

ip inspect tcp max-incomplete host value (default 50) [block-time minutes (default 0)]

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd804e5098.html

Everyone's tags (3)
6 REPLIES 6
Hall of Fame Expert

Any suggested default value for firewall?

Duplicated post

Best Regards

Giuseppe

Beginner

Any suggested default value for firewall?

There is network connection issue when I post the first question, so I assume the first post is not successful, but it works now

Do you have any suggestions on how to delete the duplicated post?

Participant

Any suggested default value for firewall?

Hi Oem,

Defines the number of half-open (incomplete) sessions that will cause the router to start deleting half-complete sessions (the high value) and stop deleting half-complete sessions (the low value). The

no version restores the default value

Defines the connection establishment rate at which the router starts deleting half-complete sessions (the high value) and stops deleting half-complete sessions (the low value). The no version restores the default value.

Defines the number of half-open (incomplete) sessions that will cause the router to start deleting half-complete sessions (the high value) and stop deleting half-complete sessions (the low value). The no version restores the default value

http://www.juniper.net/techpubs/software/erx/junose700/swcmdref-a-m/html/i-commands127.html

http://www.juniper.net/techpubs/software/erx/junose700/swcmdref-a-m/html/i-commands125.html

hope this helps.

please rate if this helps

thanks

Beginner

Any suggested default value for firewall?

Referring to following setting, what period do they refer to 400 or 500 ip inspect? one minute?

In the other words, does it mean that if firewall find any specific ip address connection more than 400 within specific time? then it will block the ip for DoS protection mechanism.

so those DoS parameters can be adjusted based on administrator's judgement on balancing between network's normal behavior and DoS protection.  For better protection, if low value (30) and high value (60) are selected, does anyone have any suggestion on Pros and Cons between this setting and default one?

Does anyone have any suggestions?

Thanks everyone very much for any suggestions

ip inspect max-incomplete high value (default 500)

ip inspect max-incomplete low value (default 400)

Participant

Any suggested default value for firewall?

Hello,

Yes , 400 or 500 ip inspect refer to 1 minute which is default.

It maintains a sum of all TCP, UDP, and Internet Control Message Protocol (ICMP) connection attempts within the prior minute of the operation of the router, whether the connections have been successful or not. A rising connection rate can be indicative of a worm infection on a private network or an attempted DoS attack against a server.

Yes you can tweak around this config but Be sure that your network is not infected with viruses or worms which may generate some connections.

http://dynamips.blogspot.co.nz/2007/09/detecing-and-protecting-against-dos.html

please rate if this helps.

thanks

Beginner

Any suggested default value for firewall?

If general public can download data from web server, but I would like to prevent any robot doing it, does anyone have any suggestions on which one (TCP, UDP, or ICMP) I should monitor on its activities?  Furthermore, what is a good approach to detect robot's activities? Once I find it, then blocks its' IP for a specific period.

On the other hands, for setting the default values on firewall, if the default value is sum of all TCP, UDP, and Internet Control Message Protocol (ICMP) connection attempts within the prior minute of the operation of the router,  it seems to me that there is no specific setting on only for specific connection, at this moment, I don't know which connection is to be accessed for downloading data from web server, if I change the default value, then it will apply to all connection TCP, UDP and ICMP etc.

so determining the value is my concern for not affecting other connections' usage.

Does anyone have any suggestions?

Thanks everyone very much for any suggestions

CreatePlease to create content
Content for Community-Ad