
NetScreen drop packets


scjlin

IS-IT--Management
Feb 6, 2003
49
US
I am running a NetScreen NS25 firewall with v.4.0.0r4.0. However, recently I am experiencing a problem with this firewall. For some reason, the firewall will go down and stop responding, and I will have to reboot the firewall to fix the problem. I set up a syslog server and SolarWinds for troubleshooting. Every time the firewall is acting up, SolarWinds shows high packet loss, but response time seems OK with normal traffic. Also, before the firewall goes down, the traffic logs in the syslog server show that most traffic is valid, with some huge packets. Is there any way I can narrow down the problem? Such as attack, user abuse, virus activity, or security hole?

Thanks,

SL
 
I would check for any debugging. Have you ever used the debug utility from the CLI?

Rgds,

John
 
Okay, I went ahead and upgraded my NetScreen NS25 firewall from NetScreenOS 4.0.0r6.0 to the latest from the NetScreen website, which is 5.0.0r8.0. However, the problem is getting worse. Before, when the firewall was still running 4.0.0r6.0, it would stop functioning about once or twice a week. When it happened I would power cycle the firewall to bring it back online. However, after I applied the newest OS the problem is getting worse; it happens almost every 20-30 minutes. According to NetScreen tech support it is because of virus activity that holds multiple sessions and causes the firewall to stop functioning. However, I checked the firewall and the session status seems to be normal.


Thank you,


SL
 
Hey,

If you suspect an internal Virus issue, I would create a Policy that denies and logs any type of TCP/UDP on 445 and 137 from Trust to Untrust.

We had an issue a while back, and this type of trap policy helped ID the systems and prevent the Firewall's buffer from filling up.

Please keep in mind that I'm assuming you're not currently using an outbound policy and that these ports aren't needed for external traffic. Let me know how you make out.

Rgds,

John
 
After 2 weeks of observation on this virus policy (TCP / UDP 445, 137), I do not see any dramatic virus activity in the counter logs. The traffic counting graphic only shows 1 to 2MB per day, with a highest peak of 2.5MB in a day. Another interesting thing is that I do not experience any denial of service after I downgraded my NS25 firmware from 5.0.0r8.0 to 4.0.0r6.0. Unlike the 5.0.0r8.0 version, which went down 20 – 30 minutes after it came back online. However, I am still experiencing small packet loss (5% - 10%) at random hours, with a typical 2.5 – 3.0 ms average response time.

Thanks,

SL
 
Hello,

Are you logging the deny policy and then checking the machines for spyware and/or viruses? I wouldn't really look at the overall bandwidth, as a lot of times the virus files are simply trying to open backdoors. If you're still suspecting virus patterns on your LAN, I would log that policy, find the source IP, and check the machine for the latest patches, virus definitions, and run full spyware and antivirus scans. Hope this helps.

Rgds,

John
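One way to work through the deny log John describes (find the source IPs behind the 445/137 hits and pick the hosts to scan first), as an added Python example that is not part of this thread. It assumes the general ScreenOS traffic-log field layout (key=value pairs, `action=Deny`) and uses constructed sample lines with made-up addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines in the general shape of ScreenOS traffic logs
# (field layout is an assumption; real lines vary by release). Addresses are made up.
SAMPLE_LOG = """\
ns25: [Root]system-notification-00257(traffic): start_time="2003-02-20 09:01:12" policy_id=5 service=tcp/port:445 proto=6 src zone=Trust dst zone=Untrust action=Deny sent=0 rcvd=0 src=192.168.1.23 dst=203.0.113.9 src_port=1032 dst_port=445
ns25: [Root]system-notification-00257(traffic): start_time="2003-02-20 09:01:12" policy_id=5 service=tcp/port:445 proto=6 src zone=Trust dst zone=Untrust action=Deny sent=0 rcvd=0 src=192.168.1.23 dst=203.0.113.10 src_port=1033 dst_port=445
ns25: [Root]system-notification-00257(traffic): start_time="2003-02-20 09:01:13" policy_id=5 service=tcp/port:445 proto=6 src zone=Trust dst zone=Untrust action=Deny sent=0 rcvd=0 src=192.168.1.23 dst=203.0.113.11 src_port=1034 dst_port=445
ns25: [Root]system-notification-00257(traffic): start_time="2003-02-20 09:01:13" policy_id=5 service=udp/port:137 proto=17 src zone=Trust dst zone=Untrust action=Deny sent=0 rcvd=0 src=192.168.1.23 dst=203.0.113.12 src_port=137 dst_port=137
ns25: [Root]system-notification-00257(traffic): start_time="2003-02-20 09:05:40" policy_id=5 service=udp/port:137 proto=17 src zone=Trust dst zone=Untrust action=Deny sent=0 rcvd=0 src=192.168.1.40 dst=198.51.100.7 src_port=137 dst_port=137
ns25: [Root]system-notification-00257(traffic): start_time="2003-02-20 09:06:02" policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=512 rcvd=4096 src=192.168.1.50 dst=198.51.100.20 src_port=1100 dst_port=80
ns25: [Root]system-warning-00519: Admin user "netscreen" logged in via console
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

def parse_line(line):
    """Split one traffic log line into a dict of its key=value fields (None if not a traffic line)."""
    if "(traffic)" not in line:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return fields if all(k in fields for k in ("src", "dst", "action")) else None

def denied_sources(log_text, ports=("445", "137")):
    """Count Deny hits per internal source IP on the trap ports, and the distinct destinations each touched."""
    hits = Counter()
    dests = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f["action"] != "Deny" or f.get("dst_port") not in ports:
            continue
        hits[f["src"]] += 1
        dests[f["src"]].add(f["dst"])
    return hits, dests

def suspects(log_text, min_hits=3, min_dests=3):
    """Hosts that keep retrying and fan out to several destinations: worm-like behaviour worth scanning."""
    hits, dests = denied_sources(log_text)
    return sorted(ip for ip in hits if hits[ip] >= min_hits and len(dests[ip]) >= min_dests)

if __name__ == "__main__":
    hits, dests = denied_sources(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip}: {n} denied, {len(dests[ip])} distinct destinations")
    print("check these hosts first:", suspects(SAMPLE_LOG))
```

Point the script at the syslog file that receives the trap policy's entries; the fan-out threshold is what separates a host probing many outside addresses from one that simply has a misconfigured share.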
 