Solved

Juniper NS5GT Alerts - UDP flood from IP phone 50 times

Posted on 2009-04-07
2
1,493 Views
Last Modified: 2012-08-14
Let me preface by saying I'm a newbie with configuring firewalls.

We are using a Juniper NS5GT firewall and a Cisco 2801 Router with VLANs for voice (IP phones) and data. Many of our IP phones give us Alerts in the Alarms section on the Juniper firewall. It's almost always 50 times.

We have our Screening > Screen UDP Flood Protection checked and the threshold is set to 1000 (which is the default). A logfile is attached.

Any ideas or questions are welcome. Thanks in advance
-evt-log.txt
0
Comment
Question by:bmcomputer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 18

Expert Comment

by:deimark
ID: 24094660
What version of Screenos you using bud?  If you are using anything less than 5.4, I would consider upgrading here, as I have seen older versions of screenos give false positives of screen attacks.

ALso, I see that you have turned the screen functionality on for the trust zone, ie inside your network.  Normally, we would only turn on the screen protection for the external zone/interface as our internal networks "normally" do not try to DOS us.

If you do need to have the screen function turned on for internal networks, we need to find out why the phones are causing these alerts, ie are the phones just spamming your net and all it needs is turned off, or are these real false positives being detected by the Juniper.

So I would:

1.  Upgrade screenos to 5.4 (if not already)
2.  Find out why the phones are so noisy - is it real traffic or just random chatter?

If the phones are working correctly you need to consider if you actually need the screen protection on inside zones.  If phones are just noisy, speak to vendor to try and get them quietened down a bit.

Either way, I would say that the vendor of the phones should have experience of other customers that have had your issue, so have a look at your phone vendors support site/KB to see if this is a common prob.
0
 

Accepted Solution

by:
bmcomputer earned 0 total points
ID: 24172940
It turned out that the upstream changed their router IP address which caused our problem. Once he fixed the route in our Cisco router the errors stopped and everything is working fine now. Our situation is complicated, as we have a T1 and a DSL. Thanks for the advice on our firewall settings. We are using 5.2, so we'll upgrade to 5.4.
0

Featured Post

Are You Ransomware's Next Victim?

Worried about ransomware attacks hitting your organization?  The good news is that these attacks are predicable and therefore preventable. Learn more about how you can  stop a ransomware attacks before encryption takes place with WatchGuard Total Security!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Port 3000 forwarding to different two different IP addresses internally - Sonicwall NSA 3500 4 35
Need a "SonicWall" Replacement 12 58
Home firewall recommendations 11 107
TZ400 2 46
We sought a budget ($5,000) firewall solution that would provide all the performance we needed with no single point of failure.  Hosting a SAAS web application in our datacenter, it was critical that we find a way to keep connectivity up and inbound…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question