Solved

Juniper NS5GT Alerts - UDP flood from IP phone 50 times

Posted on 2009-04-07
Last Modified: 2012-08-14
Let me preface by saying I'm a newbie with configuring firewalls.

We are using a Juniper NS5GT firewall and a Cisco 2801 Router with VLANs for voice (IP phones) and data. Many of our IP phones give us Alerts in the Alarms section on the Juniper firewall. It's almost always 50 times.

We have our Screening > Screen UDP Flood Protection checked and the threshold is set to 1000 (which is the default). A logfile is attached.

Any ideas or questions are welcome. Thanks in advance.
Attachment: -evt-log.txt
Question by: bmcomputer
2 Comments
Expert Comment

by: deimark
ID: 24094660
What version of ScreenOS are you using, bud? If you are using anything less than 5.4, I would consider upgrading here, as I have seen older versions of ScreenOS give false positives of screen attacks.

Also, I see that you have turned the screen functionality on for the trust zone, i.e. inside your network. Normally, we would only turn on the screen protection for the external zone/interface, as our internal networks "normally" do not try to DoS us.

If you do need to have the screen function turned on for internal networks, we need to find out why the phones are causing these alerts, i.e. are the phones just spamming your net and all it needs is to be turned off, or are these real false positives being detected by the Juniper.

So I would:

1.  Upgrade ScreenOS to 5.4 (if not already)
2.  Find out why the phones are so noisy - is it real traffic or just random chatter?

If the phones are working correctly you need to consider if you actually need the screen protection on inside zones.  If phones are just noisy, speak to vendor to try and get them quietened down a bit.

Either way, I would say that the vendor of the phones should have experience of other customers that have had your issue, so have a look at your phone vendor's support site/KB to see if this is a common problem.
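The second step above (find out whether the phones are really noisy and which zone the screen is firing on) is easier with the event log tallied rather than read line by line. The script below is an added example, not part of this thread or of any Juniper tool: it parses ScreenOS-style "UDP flood!" alarm lines, aggregates the flagged-packet counts by ingress zone/interface, source and destination port, and reports whether the alarms come from the Trust zone, whether the sources sit in the voice VLAN, and whether the per-alarm "Occurred N times" value is uniform (the "almost always 50 times" pattern in the question). The log lines are constructed to approximate ScreenOS alarm text because the attached evt-log.txt is not reproduced on the page; the field layout, the 192.168.10.0/24 voice VLAN, the addresses and the ports are all assumptions.

```python
import re
from collections import Counter

# Constructed sample entries that approximate ScreenOS "UDP flood!" alarm text.
# The thread's evt-log.txt is not reproduced on the page, so the field layout,
# addresses and ports below are assumptions; adjust ALARM_RE to your own log.
SAMPLE_LOG = """\
2009-04-07 09:12:01 alert UDP flood! From 192.168.10.21:5060 to 10.0.0.5:5060, proto UDP (zone Trust, int ethernet1). Occurred 50 times.
2009-04-07 09:12:44 alert UDP flood! From 192.168.10.22:5060 to 10.0.0.5:5060, proto UDP (zone Trust, int ethernet1). Occurred 50 times.
2009-04-07 09:13:10 alert UDP flood! From 192.168.10.21:16384 to 10.0.0.5:16390, proto UDP (zone Trust, int ethernet1). Occurred 50 times.
2009-04-07 09:15:33 alert UDP flood! From 203.0.113.9:53 to 192.168.1.2:1027, proto UDP (zone Untrust, int ethernet3). Occurred 1 times.
2009-04-07 09:16:02 notify Admin user "netscreen" logged in via Telnet
"""

# Assumed voice VLAN; sources matching this prefix are treated as IP phones.
PHONE_PREFIXES = ("192.168.10.",)

ALARM_RE = re.compile(
    r"UDP flood! From (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), proto UDP "
    r"\(zone (?P<zone>\w+), int (?P<iface>\w+)\)\. Occurred (?P<count>\d+) times"
)


def parse_alarms(text):
    """Return one dict per UDP-flood alarm line; other event lines are skipped."""
    alarms = []
    for line in text.splitlines():
        m = ALARM_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])
            alarms.append(rec)
    return alarms


def summarize(alarms):
    """Aggregate flagged-packet counts by ingress zone/interface, source and destination port."""
    by_zone, by_src, by_dport = Counter(), Counter(), Counter()
    for a in alarms:
        by_zone[(a["zone"], a["iface"])] += a["count"]
        by_src[a["src"]] += a["count"]
        by_dport[a["dport"]] += a["count"]
    return {"by_zone": by_zone, "by_src": by_src, "by_dport": by_dport}


def triage(alarms, phone_prefixes=PHONE_PREFIXES):
    """Answer the questions raised in the thread: is the screen firing on the
    Trust zone, are the sources phones, and is the per-alarm count uniform?"""
    total = sum(a["count"] for a in alarms)
    trust = sum(a["count"] for a in alarms if a["zone"].lower() == "trust")
    phones = sorted({a["src"] for a in alarms if a["src"].startswith(phone_prefixes)})
    count_modes = Counter(a["count"] for a in alarms).most_common(1)
    # Only report a dominant count when it repeats; a single alarm proves nothing.
    dominant = count_modes[0][0] if count_modes and count_modes[0][1] > 1 else None
    return {
        "total": total,
        "trust_share": trust / total if total else 0.0,
        "phone_sources": phones,
        "dominant_count": dominant,
    }


if __name__ == "__main__":
    alarms = parse_alarms(SAMPLE_LOG)
    s = summarize(alarms)
    for (zone, iface), n in s["by_zone"].most_common():
        print(f"zone {zone:<8} int {iface:<10} {n} flagged packets")
    for src, n in s["by_src"].most_common(5):
        print(f"  src {src:<16} {n}")
    for dport, n in s["by_dport"].most_common(5):
        print(f"  dport {dport:<6} {n}")
    print(triage(alarms))
```

If the tally shows nearly all hits on the Trust zone from voice-VLAN sources on ports 5060 (SIP) and the RTP range, the screen is counting legitimate phone traffic, and the fix is the zone setting rather than the phones: on ScreenOS the screen options are set per zone, so `unset zone trust screen udp-flood` leaves the check on the untrust zone only, and `set zone untrust screen udp-flood threshold 1000` keeps the default threshold there; `get system` shows the installed ScreenOS version for step 1. While investigating, `set zone trust screen alarm-without-drop` logs screen hits without dropping the packets, which avoids breaking calls while the log is collected.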

Accepted Solution

by: bmcomputer (earned 0 total points)
ID: 24172940
It turned out that the upstream changed their router IP address which caused our problem. Once he fixed the route in our Cisco router the errors stopped and everything is working fine now. Our situation is complicated, as we have a T1 and a DSL. Thanks for the advice on our firewall settings. We are using 5.2, so we'll upgrade to 5.4.