Solved

Juniper NS5GT Alerts - UDP flood from IP phone 50 times

Posted on 2009-04-07
2
1,471 Views
Last Modified: 2012-08-14
Let me preface by saying I'm a newbie with configuring firewalls.

We are using a Juniper NS5GT firewall and a Cisco 2801 Router with VLANs for voice (IP phones) and data. Many of our IP phones give us Alerts in the Alarms section on the Juniper firewall. It's almost always 50 times.

We have our Screening > Screen UDP Flood Protection checked and the threshold is set to 1000 (which is the default). A logfile is attached.

Any ideas or questions are welcome. Thanks in advance
-evt-log.txt
0
Comment
Question by:bmcomputer
2 Comments
 
LVL 18

Expert Comment

by:deimark
ID: 24094660
What version of Screenos you using bud?  If you are using anything less than 5.4, I would consider upgrading here, as I have seen older versions of screenos give false positives of screen attacks.

ALso, I see that you have turned the screen functionality on for the trust zone, ie inside your network.  Normally, we would only turn on the screen protection for the external zone/interface as our internal networks "normally" do not try to DOS us.

If you do need to have the screen function turned on for internal networks, we need to find out why the phones are causing these alerts, ie are the phones just spamming your net and all it needs is turned off, or are these real false positives being detected by the Juniper.

So I would:

1.  Upgrade screenos to 5.4 (if not already)
2.  Find out why the phones are so noisy - is it real traffic or just random chatter?

If the phones are working correctly you need to consider if you actually need the screen protection on inside zones.  If phones are just noisy, speak to vendor to try and get them quietened down a bit.

Either way, I would say that the vendor of the phones should have experience of other customers that have had your issue, so have a look at your phone vendors support site/KB to see if this is a common prob.
0
 

Accepted Solution

by:
bmcomputer earned 0 total points
ID: 24172940
It turned out that the upstream changed their router IP address which caused our problem. Once he fixed the route in our Cisco router the errors stopped and everything is working fine now. Our situation is complicated, as we have a T1 and a DSL. Thanks for the advice on our firewall settings. We are using 5.2, so we'll upgrade to 5.4.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question