[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1993
  • Last Modified:

Diagnosing Juniper SSG-140 Firewall

Hi all,

We have a Juniper SSG-140, which today we lost access to it, due a high utilization of the CPU.

to regain access we basically restarted all servers connceted to it.

I need some help diagnosing what could have caused that 85% utilization of the CPU.

As i am not an expert in juniper firewall, i would appreciate any help.
0
gornati
Asked:
gornati
  • 6
  • 5
1 Solution
 
gornatiAuthor Commented:
maybe this could help...

2011-05-02 10:55:39      alert      IP spoofing! From 192.168.11.125:42887 to 130.237.188.216:6667, proto UDP (zone Trust, int bgroup0/0). Occurred 991 times.

0
 
QlemoC++ DeveloperCommented:
IP Spoofing means that a packet arrived on an interface which had an invalid source IP address. That would mean your Trust interface bgroup0/0 has no 192.168.11.0/24 network defined.

The other possible cause of above is that the screening feature was overrun by the high CPU util, and that above is a false alert.

If you can't see any hint from the source or destination address or ports reported, and have nothing else in your logging, you cannot see what happened until it happens again.
But it is likely that an attack has caused the high util.
0
 
gornatiAuthor Commented:
Qlemo, could you help me out to try diagnose this?

the machine in question 11.125 is a voip server, and i am affraid to turn back this machine on during production times.
because looks like this caused the high cpu utilization and because of that a total loss of functionality on the ssg
0
New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

 
QlemoC++ DeveloperCommented:
I assume you had that VoIP server running for some time, and out of the blue the SSG was blocking?
If so, I further assume it is a false alert, and you need to switch off IP Spoofing screening on the bgroup interface.
0
 
gornatiAuthor Commented:
well, i dont know, the ip it tried and port is a well known irc address...
how would you start diagnosing a high cpu utilization?
Another thing the firewall was up for 2 years, with no restart...
0
 
QlemoC++ DeveloperCommented:
No ScreenOS update? Ooomph. There are several issues with older firmware, and false Screening results are one of them. High CPU util out of the blue is another one.

IRC for VoIP??? IRC is sometimes used for robot networks, you know ...
0
 
gornatiAuthor Commented:
we are running 6.2 R8.
0
 
QlemoC++ DeveloperCommented:
That should be fine, but 6.2 R8 came 09 Nov 2010 - not exactly two years ago ;-).
0
 
gornatiAuthor Commented:
i know, but in the end... how do i try, or how do i start to diagnose this cpu utilization?
0
 
QlemoC++ DeveloperCommented:
There is no way I know of. First you need to make sure it happens again. Then you need to ask Juniper Support, as this will involve deep-dive debugging only the techies can have a clue about.
0
 
gornatiAuthor Commented:
looks like there is no way to find out.
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

  • 6
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now