Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
747
Views
0
Helpful
6
Replies

Any suggested default value for firewall?

oem7110cisco
Level 1
Level 1

‎09-23-2012 06:20 AM - edited ‎03-07-2019 09:02 AM

Referring to following link,  it provides a list of default value for firewall setting,

I would like to know how to determine any appropriated DoS parameters adjusted to your network's normal behavior, and prevent any DoS protection mechanism, causing application failures, poor network performance, and high CPU utilization on the Cisco IOS Firewall router.

Will those default value be the most acceptable levels on balancing between network's normal behavior and DoS protection?

Does anyone have any suggestions?

Thanks in advance for any suggestions

ip inspect max-incomplete high value (default 500)

ip inspect max-incomplete low value (default 400)

ip inspect one-minute high value (default 500)

ip inspect one-minute low value (default 400)

ip inspect tcp max-incomplete host value (default 50) [block-time minutes (default 0)]

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd804e5098.html

Labels:
0 Helpful
6 Replies 6

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎09-23-2012 08:56 AM

Duplicated post

Best Regards

Giuseppe

0 Helpful

oem7110cisco
Level 1
Level 1
In response to Giuseppe Larosa

‎09-23-2012 04:40 PM

There is network connection issue when I post the first question, so I assume the first post is not successful, but it works now

Do you have any suggestions on how to delete the duplicated post?

0 Helpful

singhaam007
Level 3
Level 3

‎09-23-2012 02:53 PM

Hi Oem,

Defines the number of half-open (incomplete) sessions that will cause the router to start deleting half-complete sessions (the high value) and stop deleting half-complete sessions (the low value). The

no version restores the default value

Defines the connection establishment rate at which the router starts deleting half-complete sessions (the high value) and stops deleting half-complete sessions (the low value). The no version restores the default value.

Defines the number of half-open (incomplete) sessions that will cause the router to start deleting half-complete sessions (the high value) and stop deleting half-complete sessions (the low value). The no version restores the default value

http://www.juniper.net/techpubs/software/erx/junose700/swcmdref-a-m/html/i-commands127.html

http://www.juniper.net/techpubs/software/erx/junose700/swcmdref-a-m/html/i-commands125.html

hope this helps.

please rate if this helps

thanks

0 Helpful

oem7110cisco
Level 1
Level 1
In response to singhaam007

‎09-23-2012 04:39 PM

Referring to following setting, what period do they refer to 400 or 500 ip inspect? one minute?

In the other words, does it mean that if firewall find any specific ip address connection more than 400 within specific time? then it will block the ip for DoS protection mechanism.

so those DoS parameters can be adjusted based on administrator's judgement on balancing between network's normal behavior and DoS protection.  For better protection, if low value (30) and high value (60) are selected, does anyone have any suggestion on Pros and Cons between this setting and default one?

Does anyone have any suggestions?

Thanks everyone very much for any suggestions

ip inspect max-incomplete high value (default 500)

ip inspect max-incomplete low value (default 400)

0 Helpful

singhaam007
Level 3
Level 3
In response to oem7110cisco

‎09-23-2012 06:02 PM

Hello,

Yes , 400 or 500 ip inspect refer to 1 minute which is default.

It maintains a sum of all TCP, UDP, and Internet Control Message Protocol (ICMP) connection attempts within the prior minute of the operation of the router, whether the connections have been successful or not. A rising connection rate can be indicative of a worm infection on a private network or an attempted DoS attack against a server.

Yes you can tweak around this config but Be sure that your network is not infected with viruses or worms which may generate some connections.

http://dynamips.blogspot.co.nz/2007/09/detecing-and-protecting-against-dos.html

please rate if this helps.

thanks

0 Helpful

oem7110cisco
Level 1
Level 1
In response to singhaam007

‎09-23-2012 07:27 PM

If general public can download data from web server, but I would like to prevent any robot doing it, does anyone have any suggestions on which one (TCP, UDP, or ICMP) I should monitor on its activities?  Furthermore, what is a good approach to detect robot's activities? Once I find it, then blocks its' IP for a specific period.

On the other hands, for setting the default values on firewall, if the default value is sum of all TCP, UDP, and Internet Control Message Protocol (ICMP) connection attempts within the prior minute of the operation of the router,  it seems to me that there is no specific setting on only for specific connection, at this moment, I don't know which connection is to be accessed for downloading data from web server, if I change the default value, then it will apply to all connection TCP, UDP and ICMP etc.

so determining the value is my concern for not affecting other connections' usage.

Does anyone have any suggestions?

Thanks everyone very much for any suggestions

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card