About Default Packet Handling Options
When your Firebox receives a packet, it examines the source and destination for the packet. It looks at the IP address and the port number. The device also monitors the packets to look for patterns that can show your network is at risk. This process is called default packet handling.
Default packet handling can:
- Reject a packet that could be a security risk, including packets that could be part of a spoofing attack or SYN flood attack
- Automatically block all traffic to and from an IP address
- Add an event to the log file
- Send an SNMP trap to the SNMP management server
- Send a notification of possible security risks
The default packet handling options related to IPSec, IKE, ICMP, SYN, and UDP flood attacks apply to both IPv4 and IPv6 traffic. All other options apply only to IPv4 traffic.
For information about the types of attacks the Firebox can take action against, go to:
- About Spoofing Attacks
- About IP Source Route Attacks
- About Port and IP Address Scans
- About Flood Attacks
- About Unhandled Packets
- About Distributed Denial-of-Service Attacks
For a Firebox configured in Drop-In or Bridge mode, you can use the default-packet-handling CLI command to enable the Firebox to drop ARP spoofing attacks. This option is configurable only in the CLI and is supported in Fireware v12.2 and higher. For more information, see the Command Line Interface Reference, available on the Product Documentation page.
Configure Default Packet Handling
Most default packet handling options are enabled in the default Firebox configuration. You can change the thresholds at which the Firebox takes action. You can also change the options selected for default packet handling.
To configure default packet handling, from Fireware Web UI:
- Select Firewall > Default Packet Handling.
The Default Packet Handling page opens.
- Select the check boxes for the traffic patterns you want to take action against.
To configure default packet handling, from Policy Manager:
- Click .
Or, select Setup > Default Threat Protection > Default Packet Handling.
The Default Packet Handling dialog box opens.
- Select the check boxes for the traffic patterns you want to take action against.
Set Logging and Notification Options
The default device configuration tells the Firebox to send a log message when an event that is specified in the Default Packet Handling dialog box occurs.
Log messages for these events are enabled by default and cannot be disabled:
- IP and ARP Spoofing Attacks
- Port and Address scans
- IP Source Route
- Ping of Death
- IPSec, IKE, SYN, ICMP, UDP Flood Attacks
- DDOS Attack Source and Destination
Log messages for these events are enabled by default and can be disabled if required:
- Unhandled Internal and External Packet — An unhandled packet is a packet that does not match any policy rule. By default, the Firebox always denies unhandled packets and logs the occurrence.
Log messages for these events are disabled by default and can be enabled if required:
- Incoming and Outgoing Broadcasts — By default, allowed incoming and outgoing broadcasts are not logged. Enable this option to send log messages for these allowed broadcasts. Broadcasts that are allowed include DHCP (if the Firebox device is configured as a DHCP server), DHCP Relay, and BOVPN broadcast/multicast routing. Denied broadcasts are always logged by default.
To configure an SNMP trap or notification:
- Click Logging.
The Logging and Notification dialog box opens.
- Configure notification settings as described in Set Logging and Notification Preferences.
Dangerous Activity Logging and Notification Settings
In Fireware Web UI v12.8 and higher, you can specify logging and notification settings by Dangerous Activity type. To specify these settings, from Fireware Web UI:
- Select Firewall > Default Packet Handling.
The Default Packet Handling page opens.
- Click the Logging tab.
- Select an activity from the Select Dangerous Activity drop-down list:
- SYN flood attack
- UDP flood attack
- ICMP flood attack
- IPsec flood attack
- IKE flood attack
- IP source route
- DDOS source attack
- DDOS destination attack
- Port scan
- IP scan
- IP spoofing attack
- Set the maximum log rate for that activity.
- Configure SNMP trap and notification settings as described in Set Logging and Notification Preferences.
- Click Save.
For more information, go to About SNMP.