Do not TRUST the Juniper as a firewall

Our whole network is designed with Juniper devices and we are very sorry for this.
Juniper SRX3600 goes down with only 5 Mbps!!!!

We have tried a DDoS attack software named tcpsyn, and at the end of the attack with spoofed IP addresses on a 10 Mbps half-duplex line it gave this result:

 -- statistics -----------------------
   packets sent:          2530934
   bytes sent:            151856040
   seconds active:        135
   average bytes/second:  1124859
 -------------------------------------


And Juniper could not detect that the IP addresses are spoofed and the protocol is unknown. This is the tcpdump result on the attacked machine:

tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:47.661527 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:47.661539 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:47.661551 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:47.661562 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:47.661573 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:47.662455 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:47.662471 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:47.662483 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:47.662495 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:47.662506 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:47.662518 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:47.662530 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:47.662541 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:47.662552 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:59.476437 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:59.709415 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:59.709434 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:59.767463 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:59.767505 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:59.767518 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:59.767530 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:59.899438 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:27:00.008461 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:27:00.008478 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:27:00.008489 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:27:00.008501 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:27:00.222468 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:27:00.222485 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:27:59.470275 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:27:59.470301 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:27:59.470321 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:27:59.470339 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:27:59.470362 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:27:59.470381 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:27:59.470400 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:27:59.470418 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:27:59.471383 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:27:59.471407 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:27:59.471425 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84),
22:27:59.471445 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknow
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84),
22:27:59.471462 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknow
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84),
22:27:59.471480 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknow
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84),
22:27:59.471498 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknow
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84),
22:27:59.818282 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknow
22:28:00.043306 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknow
22:28:00.174284 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknow
22:28:00.244364 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknow


Besides this, we have tried to block all protocols on the EX4500, which links to the SRX3600 with 10 Gbit fiber SFP+ (I do not know why we paid for 10G SFP+ on the SRX and EX and other modules if it cannot handle 5 Mbps of attack):


firewall {
    family inet {
        filter Unknown {
            term TCP-UDP {
                from {
                    protocol [ udp tcp ];
                }
                then accept;
            }
            term Engel {
                then discard;
            }
        }
    }
}


On our SRX device these are the IDS options, and it also has an IPS SRX3K license, which costs more than $10k:


security {
    log {
        mode event;
        event-rate 1500;
    }
    alg {
        dns disable;
        ftp disable;
        msrpc disable;
        sunrpc disable;
        rsh disable;
        rtsp disable;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
    }
    flow {
        syn-flood-protection-mode syn-cookie;
        aging {
            early-ageout 30;
            low-watermark 70;
            high-watermark 90;
        }
    }
    screen {
        ids-option internet-screen {
            icmp {
                ip-sweep threshold 5000;
                fragment;
                large;
                flood threshold 50;
                ping-death;
            }
            ip {
                bad-option;
                record-route-option;
                security-option;
                spoofing;
                source-route-option;
                loose-source-route-option;
                strict-source-route-option;
                unknown-protocol;
                block-frag;
                tear-drop;
            }
            tcp {
                syn-fin;
                fin-no-ack;
                tcp-no-flag;
                syn-frag;
                port-scan threshold 5000;
                syn-ack-ack-proxy threshold 1000;
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 1000;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000;
                    timeout 1;
                }
                land;
                winnuke;
            }
            udp {
                flood threshold 100;
            }
            limit-session {
                destination-ip-based 1000;
            }
        }
    }
    policies {
        from-zone IcNetwork to-zone DisNetwork {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone DisNetwork to-zone IcNetwork {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone DisNetwork {
            screen internet-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                xe-1/0/0.0;
            }
        }
        security-zone IcNetwork {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                xe-1/0/1.0;
            }
        }
    }
}


And we also tried to block it on the SRX by just dropping the IP address that gets attacked, but it does not solve the locking up of the SRX.



And the biggest surprise is that:


FOR THE SAME ATTACK WE TESTED ON A CITRIX NETSCALER 10010, WHICH SELLS ON EBAY FOR $300 AND WHICH WE BOUGHT JUST FOR TESTING; IT GAVE PERFORMANCE OF NEARLY 400 MBPS AND 800K PPS, PERFECT!!!! I SHOULD BUY AND USE 10 OF THEM WITH A LOAD BALANCER AT 2% OF THE PRICE


Please, somebody change my mind and show me if I am wrong; I need to resolve this issue so much.
FireBallITAsked:
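As an added, defender-side illustration (not from the original post): a small Python parser for the tcpdump -v header lines quoted above, which flags the header signatures visible in that capture, an unknown IP protocol number, a constant IP id and TTL across the whole group, and a high packet rate. The sample lines are constructed to match the format of the capture (the two TCP packets are made up for contrast), and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the tcpdump -v output quoted in the post
# (one header line per packet, followed by an indented continuation line);
# the two TCP packets are constructed to show the contrast with real traffic.
SAMPLE = """\
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
22:26:47.661527 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:47.661539 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:47.661551 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:47.661562 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:47.662455 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:47.662471 IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
        IP (tos 0x10, ttl 62, id 766, offset 0, flags [DF], proto unknown (84), length 60)
22:26:47.700100 IP (tos 0x0, ttl 54, id 41230, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.7.51514 > 192.0.2.10.80: Flags [S], seq 1, win 29200, length 0
22:26:48.100200 IP (tos 0x0, ttl 119, id 9077, offset 0, flags [DF], proto TCP (6), length 52)
    198.51.100.3.40001 > 192.0.2.10.80: Flags [.], ack 1, win 512, length 0
"""

HEADER_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.(?P<us>\d{6}) IP "
    r"\(tos (?P<tos>0x[0-9a-fA-F]+), ttl (?P<ttl>\d+), id (?P<id>\d+), "
    r"offset (?P<off>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"proto (?P<proto>\w+) \((?P<pnum>\d+)\), length (?P<len>\d+)\)"
)


def parse_tcpdump(text):
    """Return one dict per packet header line; indented continuation lines are skipped."""
    pkts = []
    for line in text.splitlines():
        if line[:1].isspace():          # continuation line belongs to the previous packet
            continue
        m = HEADER_RE.match(line)
        if not m:
            continue                    # banner line or a format we do not parse
        d = m.groupdict()
        t = int(d["h"]) * 3600 + int(d["m"]) * 60 + int(d["s"]) + int(d["us"]) / 1e6
        pkts.append({"t": t, "ttl": int(d["ttl"]), "id": int(d["id"]),
                     "proto": d["proto"], "pnum": int(d["pnum"]), "len": int(d["len"])})
    return pkts


def flood_indicators(pkts, min_pkts=5, pps_threshold=1000):
    """Group packets by IP protocol number and report forged-flood signatures per group.

    Real hosts vary the IP id field, and TTLs differ across sources; a generator that
    stamps every packet with the same header shows up as a single id and a single TTL
    over a large group.  Unknown protocol numbers are reported outright.
    Returns a sorted list of (indicator, protocol_number) tuples.
    """
    groups = defaultdict(list)
    for p in pkts:
        groups[p["pnum"]].append(p)
    found = []
    for pnum, grp in groups.items():
        if grp[0]["proto"] == "unknown":
            found.append(("unknown-ip-protocol", pnum))
        if len(grp) < min_pkts:
            continue                    # too few packets to judge header variance
        if len({p["id"] for p in grp}) == 1:
            found.append(("constant-ip-id", pnum))
        if len({p["ttl"] for p in grp}) == 1:
            found.append(("single-ttl", pnum))
        span = grp[-1]["t"] - grp[0]["t"]
        rate = len(grp) / span if span > 0 else float("inf")
        if rate >= pps_threshold:
            found.append(("high-rate", pnum))
    return sorted(found)


def peak_pps(pkts):
    """Largest number of packets sharing one whole-second timestamp bucket."""
    buckets = defaultdict(int)
    for p in pkts:
        buckets[int(p["t"])] += 1
    return max(buckets.values(), default=0)


if __name__ == "__main__":
    packets = parse_tcpdump(SAMPLE)
    print(len(packets), "packets, peak", peak_pps(packets), "pkt/s")
    for indicator, proto in flood_indicators(packets):
        print(f"  {indicator} (ip proto {proto})")
```

The "proto unknown (84)" packets are exactly what the `unknown-protocol` screen option quoted further down is meant to discard; the constant id and TTL are what distinguish a packet generator from many real hosts.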

giltjrCommented:
Have you called/contacted Juniper support for help?
0
FireBallITAuthor Commented:
They have no normal number for Turkey which can be called from a VoIP or cellular system, there is no possibility to send email, and when I try to create a case ticket it does not allow me to send a ticket:
http://prntscr.com/6sk9ou
By the way, I have tried with different Junos versions.
If it is allowed by the forum rules I should share the attack script for testing purposes. But we have wasted $70K; I am sorry, I am really angry about that.
0
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
Do you have a valid service contract with Juniper? I've tried, and Case Manager works as expected, showing the associated company name in that drop down.

Also, looking at the phone numbers, you are not required to do any tricks - just use the numbers on your standard phone. There is a toll-free number you have to dial after dialing another number. If you can't do that, you'll have to ask your phone provider.
0
FireBallITAuthor Commented:
I have created a case via phone call; they have assigned it and corrected the product registration.
But the main problem is this:

We have disabled logging; it went up to 70 Mbps of traffic, then we increased the attack step by step up to 80 Mbps.

When ping times were getting higher we checked:

CPU is normal
session count is normal
memory is normal
queue is normal
pps is 100k per second; when it grows to 105k it starts to drop packets and pings get higher immediately
after a few pings, something like this:
100ms
400ms
900ms
1400ms
2000ms
time out

Then it becomes inaccessible from any port.

What could be the main problem? I just want to know; we have 1000+ servers and 100 Mbps of small packets is dropping the whole datacenter!!
0
giltjrCommented:
The SRX3600 is chassis, what module(s) do you have?

Are you always pinging from the same source?  If so, could the SRX be doing that on purpose?

Also I am confused.  In your original post you talked about doing your own DDOS and that through-put was bad and now you are talking about the SRX dropping packets.  If the firewall detects an attack, shouldn't it drop the attacking packets?

Could you please provide more detail about what you are doing?  Are you testing what the SRX will do when attacked?  Or are you testing what through-put it can handle doing "normal" traffic?
0
FireBallITAuthor Commented:
I am pinging from the trusted and untrusted zones; the results are the same.
Our hardware info:

root@srx3600.spd.net.tr> show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                xxxxxxxxx   SRX 3600
Midplane         REV 07   710-020310   xxxxxxxxx   SRX 3600 Midplane
PEM 0            rev 08   740-027644   xxxxxxxxx   AC Power Supply
PEM 1            rev 08   740-027644   xxxxxxxxx   AC Power Supply
CB 0             REV 14   750-021914   xxxxxxxxx   SRX3k RE-12-10
  Routing Engine          BUILTIN      xxxxxxxxx   Routing Engine
  CPP                     BUILTIN      BUILTIN           Central PFE Processor
  Mezz           REV 08   710-021035   xxxxxxxxx   SRX HD Mezzanine Card
FPC 0            REV 16   750-021882   xxxxxxxxx   SRX3k SFB 12GE
  PIC 0                   BUILTIN      BUILTIN           8x 1GE-TX 4x 1GE-SFP
FPC 1            REV 20   750-020321   xxxxxxxxx   SRX3k 2x10GE XFP
  PIC 0                   BUILTIN      BUILTIN           2x 10GE-XFP
    Xcvr 0                NON-JNPR     xxxxxxxxx   XFP-10G-SR
    Xcvr 1                NON-JNPR     xxxxxxxxx   XFP-10G-SR
FPC 4            REV 14   750-020321   xxxxxxxxx   SRX3k 2x10GE XFP
  PIC 0                   BUILTIN      BUILTIN           2x 10GE-XFP
    Xcvr 0                NON-JNPR     xxxxxxxxx   XFP-10G-SR
    Xcvr 1                NON-JNPR     xxxxxxxxx   XFP-10G-SR
FPC 10           REV 19   750-017866   xxxxxxxxx   SRX3k NPC
  PIC 0                   BUILTIN      BUILTIN           NPC PIC
FPC 12           REV 13   750-016077   xxxxxxxxx   SRX3k SPC
  PIC 0                   BUILTIN      BUILTIN           SPU Cp-Flow
Fan Tray 0       REV 06   750-021599   xxxxxxxxx   SRX 3600 Fan Tray


"If the firewall detects an attack, shouldn't it drop the attacking packets?"  We have limited the attack to 5 Mbps, but the web site we are attacking for testing was inaccessible; it is dropping all packets. It does not try to reply to SYN calls with ACK to check whether the IP is real or spoofed.


We are testing the SRX against attacks, and we are getting this type of attack. Our whole network is locking down.
I am not sure whether the problem is about the NPC or SPC, because there is no problem with CPU or session count, and also this device supports up to 3-4 NPC/SPC. That means 400 Mbps of SYN attack makes the SRX 3600 unusable. Is that logical?
It costs $100k or more in total with a full chassis and it is able to protect from 300-400 Mbps and 300-400k spoofed-source SYN?
Not logical.

Nowadays 18-year-old kids have the ability to do a tcpsyn attack with 1G+ easily.

And also, if we activate logging, it locks up all traffic after 10 Mbps :)
0
giltjrCommented:
So you are trying to attack and do normal access.  Are the attacks coming from the same source IP address as the "normal" access?

If the firewall detects an attack, based on how you should configure the IDS/Firewall, it should drop the packets.

Have you tried to just generate "normal" traffic to see how much normal traffic you can push through without any simulated attacks?

Did you work with a pre-sales engineer?  If so, have you contacted him?  $100K is not really that much to my company's IT budget, but even with that there is no way we would spend that much on a device without using a pre-sales engineer to verify that we got the right components and to help with the initial configuration.
0
FireBallITAuthor Commented:
"So you are trying to attack and do normal access.  Are the attacks coming from the same source IP address as the "normal" access?"

No, they are coming spoofed. As far as we know from NetScaler, if NetScaler gets 100 Mbps of spoofed traffic it creates 100 Mbps of outgoing traffic to check whether the IP is real or not with ACK answers. But the SRX does not create spoof-check traffic on the egress side.

"If the firewall detects and attack, based how you should configure the IDS/Firewall, it should drop the packets."
It only blocks calls depending on the destination limit.

"Have you tried to just generate "normal" traffic to see how much normal traffic you can push through without any simulated attacks?"
It is already processing 1G+ traffic and 2G UDP protection at normal PPS without any problem. Depending on test results, it has a problem with:

1. Small packets
2. SYN calls
3. ACK calls
4. Unknown protocols like TTP, NTP, etc.


And also, if it gets a 2G attack on UDP it is just dropping packets for session limits. It does not check whether the IP is real or not, so streams are dropping, but the machine/network is still accessible.


According to catalog information one NPC gives nearly 1M pps performance for small packets. I am not asking why it blocked at 900k, I am asking why it cannot work after 100k PPS; that is beyond my understanding.
0
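To make concrete what "checking if the IP is real with ACK answers" and the syn-cookie mode in the quoted config are meant to do, here is an added example (not SRX or NetScaler code, and simplified relative to the Linux implementation) of a stateless SYN-cookie listener in Python: every SYN gets a SYN-ACK whose sequence number is a keyed cookie, nothing is stored, and only a source that really receives the SYN-ACK can echo the cookie back. The secret, the MSS table and the 64-second counter are assumptions; 185.9.158.39 is the target address mentioned in the thread.

```python
import hashlib
import hmac
import ipaddress
import struct

MSS_TABLE = (536, 1220, 1440, 1460)  # MSS values encodable in the 3-bit field (constructed)
COUNTER_PERIOD = 64                   # seconds per cookie counter tick (assumption; Linux also uses 64 s)
MAX_AGE_TICKS = 1                     # accept cookies from the current or the previous tick


class SynCookieListener:
    """Stateless SYN handling: every SYN gets a SYN-ACK whose ISN is a cookie;
    a connection exists only after a valid ACK echoes that cookie back."""

    def __init__(self, secret, clock):
        self.secret = secret
        self.clock = clock            # injectable clock returning seconds, for testing
        self.established = []         # the only per-connection state the listener keeps

    def _tick(self):
        return int(self.clock() // COUNTER_PERIOD)

    def _mac(self, saddr, daddr, sport, dport, tick):
        # 24-bit keyed hash over the 4-tuple and the time counter
        msg = (ipaddress.ip_address(saddr).packed + ipaddress.ip_address(daddr).packed
               + struct.pack("!HHI", sport, dport, tick))
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")

    def on_syn(self, saddr, daddr, sport, dport, client_isn, mss):
        """Return the ISN for the SYN-ACK. Layout: 5 bits tick | 3 bits MSS index | 24 bits mac+isn."""
        tick = self._tick()
        mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
        low = (self._mac(saddr, daddr, sport, dport, tick) + client_isn) & 0xFFFFFF
        return ((tick & 0x1F) << 27) | (mss_idx << 24) | low

    def on_ack(self, saddr, daddr, sport, dport, seq, ack):
        """Validate the handshake-completing ACK; return the recovered MSS or None."""
        cookie = (ack - 1) & 0xFFFFFFFF
        client_isn = (seq - 1) & 0xFFFFFFFF
        now = self._tick()
        tick = (now & ~0x1F) | (cookie >> 27)     # rebuild the full counter from its low 5 bits
        if tick > now:
            tick -= 32
        if now - tick > MAX_AGE_TICKS:
            return None                            # stale cookie
        expected = (self._mac(saddr, daddr, sport, dport, tick) + client_isn) & 0xFFFFFF
        if (cookie & 0xFFFFFF) != expected:
            return None                            # wrong source/port/ISN, i.e. not our cookie
        self.established.append((saddr, sport))
        return MSS_TABLE[min((cookie >> 24) & 0x7, len(MSS_TABLE) - 1)]


def simulate(flood=10_000):
    """Spoofed flood followed by one genuine client, one replay and one stale ACK."""
    clock = [1_000_000]
    srv = SynCookieListener(b"constructed-secret", lambda: clock[0])
    daddr, dport = "185.9.158.39", 80             # target address mentioned in the thread
    # spoofed flood: sources that never see the SYN-ACK, so never answer it
    for i in range(flood):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        srv.on_syn(src, daddr, 40000 + i % 1000, dport, 12345 + i, 1460)
    state_after_flood = len(srv.established)     # stays 0: no half-open table to exhaust
    # genuine client completes the handshake with ack = cookie + 1
    isn = srv.on_syn("203.0.113.7", daddr, 51514, dport, 777, 1460)
    ack = (isn + 1) & 0xFFFFFFFF
    genuine = srv.on_ack("203.0.113.7", daddr, 51514, dport, 778, ack)
    # same cookie replayed from another source: bound to the 4-tuple, so rejected
    forged = srv.on_ack("203.0.113.8", daddr, 51514, dport, 778, ack)
    clock[0] += 3 * COUNTER_PERIOD                # let the cookie age out
    stale = srv.on_ack("203.0.113.7", daddr, 51514, dport, 778, ack)
    return {"state_after_flood": state_after_flood, "genuine_mss": genuine,
            "forged": forged, "stale": stale, "established": len(srv.established)}


if __name__ == "__main__":
    print(simulate())
```

A cookie replaces the half-open state table, not the per-packet work: every SYN still costs a SYN-ACK, so a device in this mode survives state exhaustion but still has a packets-per-second ceiling.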
giltjrCommented:
0
FireBallITAuthor Commented:
RPF check works to block spoofed calls for inbound-to-outbound traffic, not for incoming calls.
0
giltjrCommented:
Not sure what you mean about inbound to outbound and "incoming calls".  

Unless I am misunderstanding something, this verifies that the interface the packet was received on matches the interface the return traffic should be sent out on based on the route table.

So if you get a packet from 10.1.1.1 on "interface#3"  and the route table says the route to 10.1.1.1 is "interface#1" the packet is dropped.  This would also prevent asymmetrical routing.
0
FireBallITAuthor Commented:
We have a public datacenter; any IP may send SYN to us, and RPF does not solve this. We need a solution that checks SYN cookies, answers all calls with ACK, etc., something like this. RPF is a simple way to solve spoofing problems in small networks and for outbound attack traffic, not for inbound attacks.
0
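An added example (not Junos code) that models the disagreement above as a unicast RPF check over a constructed route table in Python: with a default route toward the uplink, strict RPF drops outside packets that claim a datacenter prefix and drops datacenter hosts that spoof outside addresses, but passes any arbitrary internet source arriving on the uplink, which is why it does not help against an inbound spoofed SYN flood. The prefix 185.9.158.0/24 and the interface names are from the thread and 178.20.231.0/24 is from the config posted later; everything else is made up.

```python
import ipaddress

# Constructed route table modelled on the thread: a default route out the
# uplink (xe-1/0/0.0) and the datacenter's own prefixes behind the EX4500
# downlink (xe-1/0/1.0).
ROUTES = [
    ("0.0.0.0/0",       "xe-1/0/0.0"),   # default toward the upstream
    ("185.9.158.0/24",  "xe-1/0/1.0"),   # announced datacenter prefix
    ("178.20.231.0/24", "xe-1/0/1.0"),
    ("192.168.1.0/24",  "ge-0/0/1.0"),   # trust / management side
]


def build_rib(routes=ROUTES):
    """Longest prefix first, so the first containing network wins the lookup."""
    rib = [(ipaddress.ip_network(p), ifc) for p, ifc in routes]
    return sorted(rib, key=lambda r: r[0].prefixlen, reverse=True)


def lookup(rib, addr):
    ip = ipaddress.ip_address(addr)
    for net, ifc in rib:
        if ip in net:
            return net, ifc
    return None, None


def urpf_check(rib, src, ingress, mode="strict", allow_default=True):
    """Unicast RPF as a pure function: does a packet with source `src` arriving on
    `ingress` pass?  strict: the reverse route must leave via the ingress interface;
    loose: any route to the source is enough.  Whether the default route counts is
    vendor- and configuration-specific, so it is a parameter here (assumption)."""
    net, egress = lookup(rib, src)
    if net is None:
        return False
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return egress == ingress


def evaluate(rib=None):
    """Run the cases the thread argues about and return {label: "pass" | "drop"}."""
    rib = rib or build_rib()
    cases = {
        # an outside host claiming a datacenter address: caught at the uplink
        "internal-prefix-from-uplink": ("185.9.158.39", "xe-1/0/0.0", "strict"),
        # an arbitrary internet source on the uplink: the default route covers it,
        # so a spoofed SYN flood from anywhere sails through (the author's point)
        "random-source-from-uplink": ("203.0.113.5", "xe-1/0/0.0", "strict"),
        # a datacenter host spoofing an outside address toward the internet: dropped
        # (giltjr's point: RPF keeps your own network from emitting spoofed traffic)
        "random-source-from-downlink": ("203.0.113.5", "xe-1/0/1.0", "strict"),
        "random-source-from-downlink-loose": ("203.0.113.5", "xe-1/0/1.0", "loose"),
        "own-prefix-from-downlink": ("185.9.158.39", "xe-1/0/1.0", "strict"),
    }
    return {k: ("pass" if urpf_check(rib, s, i, m) else "drop")
            for k, (s, i, m) in cases.items()}


if __name__ == "__main__":
    for label, verdict in evaluate().items():
        print(f"{label:36s} {verdict}")
```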
giltjrCommented:
O.K., so when you say you are doing spoofed IP address attacks, you are not really testing the SRX's ability to catch spoofed IP addresses.

So, can you please please stop using the term "spoofed attacks" because you really are doing this from the true sense of testing for detected spoofed attacks.

I don't think any firewall/IDS/IPS could detect a "spoofed" attack based on the way you are testing because from their point of view the inbound traffic is 100% valid.
0
FireBallITAuthor Commented:
I think you totally misunderstand everything :)
We are already getting this attack, and we found the attack script.
Our whole network is not going through the SRX firewall; it is doing BGP and announces some of the subnets, for example
185.9.158.0/24
and we are testing the attack script from the untrusted zone side, whose traffic does not pass through the firewall.

By the way, you are simplifying or do not understand the problem. Simply, we get a TCP SYN attack and the results given above.
0
FireBallITAuthor Commented:
Do you think this is a test?

All the SRX network is blocked at the moment :) I think you totally do not understand the main problem.
0
Fred MarshallPrincipalCommented:
It appears that there are concerns regarding the ability of the SRX to deal with certain attack modes.
A real attack is reported to be affecting operations - and not just a test attack.  But, this wasn't initially clear from the descriptions provided.  I get confused with phrases like "we are testing" when it sounds like the context is a real attack. ??
It appears that some consistency and standardization of terminology would help re "spoofed".  But, maybe not.

It's not clear to me if there's a support contract in force.
It's not clear to me if Juniper tech support has been actually contacted.
I've found that Juniper tech support is *very* responsive and quite helpful in all but the toughest of situations in which case they get elevated.
I don't sense (yet) that this is necessarily a tough situation from a solution point of view but, currently, from an operations point of view.

Has Juniper tech support been able to engage with you directly yet?
0
FireBallITAuthor Commented:
We talked yesterday; Monday we will buy a support contract. It was not included in the package, but the main point is I really do not believe it will be able to solve that; I have read nearly 1000+ web pages this week. Juniper is just a kiddy playground. There are some options like:
Flow License
SPC license
....etc.
which extend software-based capabilities. But I have never seen something like that on Arbor or other professional units.
We are using Dell; they give perfect support. Yesterday we had a CPU failure; they sent a new one in 24 hours!!! We have EMC storage; when we run into something, they send a man in 24 hours with no charge!
I think Juniper does not want to face problems about their products, because they know what is true or not.


We are not using these devices for IPsec VPNs etc. We are using them like in the center of a war. And they are not as capable as they write in the catalogs. Or if you can change my mind I will be glad for this.


Now we got another attack of the same type; I have changed the routes to the Citrix NetScaler 10010, which you can find for $350 on eBay :)
And it cleaned the TCP SYN spoof attack without any trouble :)

There is nothing very special in our config you should check; we are using a very, very simple config:


    }
    name-server {
        195.175.39.39;
        8.8.8.8;
    }
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface [ ge-0/0/1.0 xe-1/0/0.0 xe-1/0/1.0 ];
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        host 185.9.157.27 {
            any any;
        }
        file messages {
            any emergency;
            authorization info;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
chassis {
    fpc 10 {
        pic 0 {
            services-offload;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.95/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 10.100.100.2/30;
            }
        }
    }
    xe-1/0/0 {
        description Uplink;
        unit 0 {
            family inet {
                address 37.123.100.122/29;
                address 10.1.0.2/30;
            }
        }
    }
    xe-1/0/1 {
        description "Ex4500 Downlink";
        unit 0 {
            family inet {
                address 37.123.101.225/27;
                address 178.20.231.1/24;
                address 178.20.229.225/27;
                address 178.20.229.33/27;
                address 178.20.229.65/27;
                address 37.123.96.145/28;
            }
        }
    }
    st0 {
        unit 1 {
            family inet;
        }
    }
}
snmp {
    location izmir;
    contact "Cahit Eyigunlu";
    community SALAY {
        authorization read-only;
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 37.123.100.121;
    }
}
security {
    alg {
        mgcp disable;
        msrpc disable;
        sunrpc disable;
        rsh disable;
        rtsp;
        sccp disable;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
        ike-esp-nat {
            enable;
        }
    }
    flow {
        syn-flood-protection-mode syn-cookie;
        aging {
            early-ageout 30;
            low-watermark 70;
            high-watermark 90;
        }
    }
    screen {
        ids-option internet-screen {
            icmp {
                ip-sweep threshold 5000;
                fragment;
                large;
                flood threshold 1000;
                ping-death;
            }
            ip {
                bad-option;
                record-route-option;
                timestamp-option;
                security-option;
                stream-option;
                spoofing;
                source-route-option;
                loose-source-route-option;
                strict-source-route-option;
                unknown-protocol;
                block-frag;
                tear-drop;
            }
            tcp {
                syn-fin;
                fin-no-ack;
                tcp-no-flag;
                syn-frag;
                port-scan threshold 5000;
                syn-ack-ack-proxy threshold 1000;
                syn-flood {
                    alarm-threshold 512;
                    attack-threshold 200;
                    source-threshold 4000;
                    destination-threshold 4000;
                    queue-size 2000;
                    timeout 30;
                }
                land;
                winnuke;
            }
            udp {
                flood threshold 1000;
            }
            limit-session {
                source-ip-based 100;
                destination-ip-based 1000;
            }
        }
    }
    policies {
        from-zone IcNetwork to-zone DisNetwork {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone DisNetwork to-zone IcNetwork {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone DisNetwork {
            screen internet-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                xe-1/0/0.0;
            }
        }
        security-zone IcNetwork {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                xe-1/0/1.0;
            }
        }
    }
}


0
giltjrCommented:
I have to agree totally with Fred Marshall.  I am not totally confused.  From your original post:

"We have tryed a tcpsyn named attack DDOS software and it give a result as this at the end of the attack with spoof ip addresses with 10mbps half duplex line :"

This implies you were testing a tcpsyn attack to see what it would do and that you were using spoofed IP addresses.

Then "And juniper could not detect the ip addresses are spoof a .... " which implies you expected the SRX3600 to detect that the IP addresses were spoofed.

Now you seem to be implying that you are under a REAL attack.

I can't tell what the first screen shot is so I don't know for sure what it is telling me.  It looks like it is showing packets per second and megabits per second to/from some IP addresses.  Since I don't know what is normal, I have no clue if what you have shown is normal or not.

The second screen shot shows that some interface was averaging roughly 40 MBytes/second and then spiked up to 120 MBytes/second at about 2000 your time, which is WAY above the 5 Mbits/second you posted that it was getting in your first post.  Again, as I don't know your business, I have no idea if this is normal.  I will say at the company I work for, we do special processing at 2000 and shortly thereafter our traffic spikes way up.

So could you please be clear about what is going on.

If this is a real attack right now, then Juniper tech support is your best bet right now.
0
FireBallITAuthor Commented:
This is a real attack: 217 Mbps, 473K pps to the 185.9.158.39 IP address.

There is no normal traffic which creates 473K pps for 200 Mbps of traffic. It should be max. 20-30K pps for 200 Mbps.

Our test attacks were made with the same script that the attackers use, and we tested by limiting the port of the attack machine down to 5 Mbps.
With logging options it should be capable of covering 5 Mbps / 20K pps.
Without logging options it should be capable of covering 70 Mbps / 100K pps.


And it just works for destination or source limits, not for SYN cookie or spoof checks. You should see we have the SYN cookie option, but we checked syslogs: it blocks traffic depending on the destination limit, not allowing real traffic :)


And the strangest thing: for the same attack NetScaler covered the attack and kept the web page up until 700 Mbps and 800K pps, and overflowed just because of memory :)


Lower versions of SRX 3600 and the SSG series etc., I really want to know why Juniper writes on it that this is a firewall :)
Do they use it to protect networks from ADSL or dial-up connections? At least if you do not use it you will have no problem losing the connection of the whole network :)

We plan to use NetScaler 10010 to protect Juniper networks :)
0
Fred MarshallPrincipalCommented:
I'm glad I was able to help.
0
FireBallITAuthor Commented:
Do you have any direct advice, dear Fred? Configs are as given above; also, if you are able to help, I should send you a TeamViewer connection and show what is going on.
0
giltjrCommented:
Can you issue the commands:

     show security idp status
     show security idp attack table

And post the output?
0

FireBallITAuthor Commented:
root@srx3600.spd.net.tr> show security idp status
State of IDP: Default,  Up since: 2015-04-12 01:46:42 UTC (1d 06:23 ago)

Packets/second: 0               Peak: 0 @ 2015-04-12 01:46:42 UTC
KBits/second  : 0               Peak: 0 @ 2015-04-12 01:46:42 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]

Packet Statistics:
 [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]

Flow Statistics:
  ICMP: [Current: 0] [Max: 0 @ 2015-04-12 01:46:42 UTC]
  TCP: [Current: 0] [Max: 0 @ 2015-04-12 01:46:42 UTC]
  UDP: [Current: 0] [Max: 0 @ 2015-04-12 01:46:42 UTC]
  Other: [Current: 0] [Max: 0 @ 2015-04-12 01:46:42 UTC]

Session Statistics:
 [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]

Number of SSL Sessions : 0

  Policy Name : none

Forwarding process mode : regular

root@srx3600.spd.net.tr> show security idp attack table


0
FireBallITAuthor Commented:
Now we are under attack again. Juniper does not see the spoofed sources and is directly dropping packets depending on the session limit, and for 50 Mbps of attack, ping times are now getting higher.
0
giltjrCommented:
"
Packets/second: 0               Peak: 0 @ 2015-04-12 01:46:42 UTC
KBits/second  : 0               Peak: 0 @ 2015-04-12 01:46:42 UTC"

This implies that nothing is being passed to the IDP on the Juniper.  So it appears that someplace you don't have IDP configured properly.

Ref:  http://kb.juniper.net/InfoCenter/index?page=content&id=KB25057&actp=RSS

Did you ever actually apply the security policies?  Ref for the CLI set command to apply a policy to be enforced between zones:

http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/idp-in-security-policy-enabling-cli.html
0
giltjrCommented:
Based on parts of the configuration you have posted I don't see:

"permit {application-services {idp;}"

in any of your zone-to-zone policies, so I think your major problem is that you have not actually told the SRX to pass traffic to IDP.

As an example where you have:

        from-zone IcNetwork to-zone DisNetwork {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }

I would expect to see the following if you wanted IDP to be enabled for traffic between those zones:

        from-zone IcNetwork to-zone DisNetwork {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            idp;
                        }
                    }
                }
            }
        }
0
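A quick way to check this across the whole policy set, as an added example that is not code from the thread or from Juniper: a Python audit over `show configuration | display set` output that lists permit policies lacking `application-services idp`. The sample set lines are constructed from the zone pairs posted above, and the `active-policy` check reflects a Junos 12.1 requirement noted here by the editor rather than anywhere in the thread.

```python
"""Audit a Junos `show configuration | display set` dump for IDP coverage.

Added example, not from the thread or from Juniper.  It answers two
questions raised above: which permit policies lack
`application-services idp`, and whether an IDP policy is active at all.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample set-format lines, modelled on the zone pairs posted in
# the thread (default-permit between IcNetwork and DisNetwork).  This is
# NOT the poster's real dump.
SAMPLE_SET_CONFIG = """\
set security policies from-zone IcNetwork to-zone DisNetwork policy default-permit match source-address any
set security policies from-zone IcNetwork to-zone DisNetwork policy default-permit match destination-address any
set security policies from-zone IcNetwork to-zone DisNetwork policy default-permit match application any
set security policies from-zone IcNetwork to-zone DisNetwork policy default-permit then permit
set security policies from-zone IcNetwork to-zone DisNetwork policy default-permit then log session-init
set security policies from-zone DisNetwork to-zone IcNetwork policy default-permit match source-address any
set security policies from-zone DisNetwork to-zone IcNetwork policy default-permit match destination-address any
set security policies from-zone DisNetwork to-zone IcNetwork policy default-permit match application any
set security policies from-zone DisNetwork to-zone IcNetwork policy default-permit then permit application-services idp
set security policies from-zone trust to-zone DisNetwork policy block-mgmt then deny
set security idp idp-policy Server-Protection rulebase-ips rule Web-Services-Essential match from-zone any
"""

PolicyKey = Tuple[str, str, str]  # (from-zone, to-zone, policy name)

# Matches `then permit`, `then permit application-services idp`,
# `then deny`, `then reject`; `then log ...` lines are ignored.
POLICY_ACTION_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"then (permit|deny|reject)(.*)$"
)
# Junos 12.1 needs this knob before an IDP policy is enforced; without it
# `show security idp status` reports `Policy Name : none`.  Editor's note,
# not something stated in the thread.
ACTIVE_POLICY_RE = re.compile(r"^set security idp active-policy (\S+)$")


def audit_idp(set_config: str) -> Tuple[List[PolicyKey], Optional[str]]:
    """Return (permit policies without IDP, active IDP policy name or None)."""
    has_idp: Dict[PolicyKey, bool] = {}
    active: Optional[str] = None
    for raw in set_config.splitlines():
        line = raw.strip()
        m = POLICY_ACTION_RE.match(line)
        if m:
            key: PolicyKey = (m.group(1), m.group(2), m.group(3))
            if m.group(4) != "permit":
                continue  # deny/reject traffic never reaches IDP
            tokens = m.group(5).split()
            idp_here = "application-services" in tokens and "idp" in tokens
            has_idp[key] = has_idp.get(key, False) or idp_here
            continue
        m = ACTIVE_POLICY_RE.match(line)
        if m:
            active = m.group(1)
    missing = sorted(k for k, v in has_idp.items() if not v)
    return missing, active


def report(set_config: str) -> List[str]:
    """Human-readable findings, one per line, with the set command to fix each."""
    missing, active = audit_idp(set_config)
    lines: List[str] = []
    for frm, to, name in missing:
        lines.append(
            f"NO IDP: from-zone {frm} to-zone {to} policy {name} "
            f"(fix: set security policies from-zone {frm} to-zone {to} "
            f"policy {name} then permit application-services idp)"
        )
    if active is None:
        lines.append("NO ACTIVE IDP POLICY: add `set security idp active-policy <name>`")
    if not lines:
        lines.append("OK: every permit policy hands traffic to IDP and a policy is active")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_SET_CONFIG):
        print(finding)
```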
FireBallITAuthor Commented:
 Policy Name : none

Forwarding process mode : regular


I realize that is strange, but when I check:


root@srx3600.spd.net.tr> show system processes | match idpd
72299  ??  S      0:01.27 /usr/sbin/idpd -N
73140  ??  I      0:00.02 /usr/sbin/idpd -N

root@srx3600.spd.net.tr> show configuration | display set | match "application-services idp"
set security policies from-zone DisNetwork to-zone IcNetwork policy default-permit then permit application-services idp




it is working.
0
FireBallITAuthor Commented:
We have redesigned it after your message, but it still does not pass traffic to the IDP.


## Last changed: 2015-04-13 10:28:16 UTC
version 12.1X44-D45.2;
system {
    }
    name-server {
        195.175.39.39;
        8.8.8.8;
    }
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface [ ge-0/0/1.0 xe-1/0/0.0 xe-1/0/1.0 ];
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        host 185.9.157.27 {
            any any;
        }
        file messages {
            any emergency;
            authorization info;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
chassis {
    fpc 10 {
        pic 0 {
            services-offload;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.95/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 10.100.100.2/30;
            }
        }
    }
    xe-1/0/0 {
        description Uplink;
        unit 0 {
            family inet {
                rpf-check {
                    fail-filter rpf-filter;
                    mode loose;
                }
                address 37.123.100.122/29;
            }
        }
    }
    xe-1/0/1 {
        description "Ex4500 Downlink";
        unit 0 {
            family inet {
                address 37.123.101.225/27;
                address 178.20.231.1/24;
                address 178.20.229.225/27;
                address 178.20.229.33/27;
                address 178.20.229.65/27;
                address 37.123.96.145/28;
            }
        }
    }
    st0 {
        unit 1 {
            family inet;
        }
    }
}
snmp {
    location izmir;
    contact "Cahit Eyigunlu";
    community SALAY {
        authorization read-only;
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 37.123.100.121;
    }
    forwarding-table {
        unicast-reverse-path feasible-paths;
    }
}
security {
    idp {
        idp-policy Server-Protection {
            /* This template policy is designed to protect servers.  It is supported on devices with 2G or more of memory.  Branch devices with only 1G are not supported. */
            rulebase-ips {
                rule Web-Services-Essential {
                    /* This rule is designed to protect your servers against common internet attacks.  It includes Critical and Major severities.  This is an essential rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]HTTP - Critical" "[Recommended]HTTP - Major" "[Recommended]SSL - Critical" "[Recommended]SSL - Major" "[Recommended]DNS - Critical" "[Recommended]DNS - Major" "[Recommended]FTP - Critical" "[Recommended]FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Web-Services-Supplemental {
                    /* This rule is designed to protect your servers against common internet attacks.  It includes Minor, Warning, and Info severities.  If you experience low IDP performance, you may remove the lower-severity groups from your policy for a small increase in performance, at the cost of security. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]HTTP - Minor" "[Recommended]HTTP - Warning" "[Recommended]HTTP - Info" "[Recommended]SSL - Minor" "[Recommended]SSL - Warning" "[Recommended]SSL - Info" "[Recommended]DNS - Minor" "[Recommended]DNS - Warning" "[Recommended]DNS - Info" "[Recommended]FTP - Minor" "[Recommended]FTP - Warning" "[Recommended]FTP - Info" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Mail-Services {
                    /* This rule is designed to protect your servers against common mail attacks.  If you experience low IDP performance, you may remove the lower-severity groups from your policy for a small increase in performance, at the cost of security. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IMAP - Critical" "[Recommended]IMAP - Major" "[Recommended]IMAP - Minor" "[Recommended]IMAP - Warning" "[Recommended]IMAP - Info" "[Recommended]POP3 - Critical" "[Recommended]POP3 - Major" "[Recommended]POP3 - Minor" "[Recommended]POP3 - Warning" "[Recommended]POP3 - Info" "[Recommended]SMTP - Critical" "[Recommended]SMTP - Major" "[Recommended]SMTP - Minor" "[Recommended]SMTP - Warning" "[Recommended]SMTP - Info" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Internal-Services {
                    /* This rule is designed to protect your servers against common internal attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SMB" "[Recommended]MS-RPC" "[Recommended]LDAP" "[Recommended]NETBIOS" "[Recommended]RADIUS" "[Recommended]SSH" "[Recommended]TELNET" "[Recommended]DB" "[Recommended]VNC" "[Recommended]NFS" "[Recommended]NTP" "[Recommended]PORTMAPPER" "[Recommended]DHCP" "[Recommended]RPC" "[Recommended]SNMP" "[Recommended]SNMPTRAP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Malicious-Activity {
                    /* This rule is designed to protect your servers against common malware attacks and other malicious activity.  This is a very important rule and should be kept enabled. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SPYWARE" "[Recommended]TROJAN" "[Recommended]VIRUS" "[Recommended]WORM" "[Recommended]SHELLCODE" "[Recommended]SCAN" "[Recommended]DOS" "[Recommended]DDOS" "[Recommended]Misc_SPYWARE" "[Recommended]Misc_TROJAN" "[Recommended]Misc_VIRUS" "[Recommended]Misc_WORM" "[Recommended]Misc_SHELLCODE" "[Recommended]Misc_SCAN" "[Recommended]Misc_DOS" "[Recommended]Misc_DDOS" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Other-Activity {
                    /* This rule is designed to protect your servers against other common attacks.  This rule is useful if your organization is concerned about chat, P2P, and similar activity.  If not, this rule can be disabled or removed from your policy. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]VOIP" "[Recommended]CHAT" "[Recommended]P2P" "[Recommended]APP" "[Recommended]RTSP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Transport-Services {
                    /* This rule is designed to protect your servers against common transport attacks.  Triggers against this rule could indicate an attacker is attempting to evade your IDP.  Unusual network configurations can also sometimes trigger attacks in this rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IP" "[Recommended]TCP" "[Recommended]UDP" "[Recommended]ICMP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy Server-Protection-1G {
            /* This template policy is designed to protect servers.  This template is supported on all platforms, including Branch devices with 1G of memory. */
            rulebase-ips {
                rule Web-Services-Essential {
                    /* This rule is designed to protect your servers against common internet attacks.  It includes Critical and Major severities.  This is an essential rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]HTTP - Critical" "[Recommended]HTTP - Major" "[Recommended]SSL - Critical" "[Recommended]SSL - Major" "[Recommended]DNS - Critical" "[Recommended]DNS - Major" "[Recommended]FTP - Critical" "[Recommended]FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Mail-Services {
                    /* This rule is designed to protect your servers against common mail attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IMAP - Critical" "[Recommended]IMAP - Major" "[Recommended]POP3 - Critical" "[Recommended]POP3 - Major" "[Recommended]SMTP - Critical" "[Recommended]SMTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Internal-Services {
                    /* This rule is designed to protect your servers against common internal attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SMB - Critical" "[Recommended]SMB - Major" "[Recommended]MS-RPC - Critical" "[Recommended]MS-RPC - Major" "[Recommended]NETBIOS - Critical" "[Recommended]NETBIOS - Major" "[Recommended]SSH - Critical" "[Recommended]SSH - Major" "[Recommended]DB - Critical" "[Recommended]DB - Major" "[Recommended]NTP - Critical" "[Recommended]NTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Malicious-Activity {
                    /* This rule is designed to protect your servers against common malware attacks and other malicious activity.  This is a very important rule and should be kept enabled. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SPYWARE - Critical" "[Recommended]SPYWARE - Major" "[Recommended]TROJAN - Critical" "[Recommended]TROJAN - Major" "[Recommended]VIRUS - Critical" "[Recommended]VIRUS - Major" "[Recommended]WORM - Critical" "[Recommended]WORM - Major" "[Recommended]Misc_SPYWARE - Critical" "[Recommended]Misc_SPYWARE - Major" "[Recommended]Misc_TROJAN - Critical" "[Recommended]Misc_TROJAN - Major" "[Recommended]Misc_VIRUS - Critical" "[Recommended]Misc_VIRUS - Major" "[Recommended]Misc_WORM - Critical" 
                            "[Recommended]Misc_WORM - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Transport-Services {
                    /* This rule is designed to protect your servers against common transport attacks.  Triggers against this rule could indicate an attacker is attempting to evade your IDP.  Unusual network configurations can also sometimes trigger attacks in this rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IP" "[Recommended]TCP" "[Recommended]UDP" "[Recommended]ICMP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy Client-Protection {
            /* This template policy is designed to protect clients.  It is supported on devices with 2G or more of memory.  Branch devices with only 1G are not supported. */
            rulebase-ips {
                rule Web-Services-Essential {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes Critical and Major severities.  This is an essential rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_HTTP - Critical" "[Recommended]Response_HTTP - Major" "[Recommended]Response_SSL - Critical" "[Recommended]Response_SSL - Major" "[Recommended]Response_DNS - Critical" "[Recommended]Response_DNS - Major" "[Recommended]Response_FTP - Critical" "[Recommended]Response_FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Web-Services-Supplemental {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes Minor, Warning, and Info severities.  If IDP performance is low, this rule can be disabled to improve performance at the cost of security.  Alternatively, you may remove the lower-severity groups from your policy for a small increase in performance, with a lower cost of security impact. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_HTTP - Minor" "[Recommended]Response_HTTP - Warning" "[Recommended]Response_HTTP - Info" "[Recommended]Response_SSL - Minor" "[Recommended]Response_SSL - Warning" "[Recommended]Response_SSL - Info" "[Recommended]Response_DNS - Minor" "[Recommended]Response_DNS - Warning" "[Recommended]Response_DNS - Info" "[Recommended]Response_FTP - Minor" "[Recommended]Response_FTP - Warning" "[Recommended]Response_FTP - Info" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Web-Services-Low-Performance {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes performance-impacting signatures.  If IDP performance is low, this rule can be disabled to improve performance at the cost of security.  Alternatively, you may remove the lower-severity groups from your policy for a small increase in performance, with a lower cost of security impact. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Misc_HTTP - Critical" "[Recommended]Misc_HTTP - Major" "[Recommended]Misc_HTTP - Minor" "[Recommended]Misc_HTTP - Warning" "[Recommended]Misc_HTTP - Info" "[Recommended]Misc_SSL - Critical" "[Recommended]Misc_SSL - Major" "[Recommended]Misc_SSL - Minor" "[Recommended]Misc_SSL - Warning" "[Recommended]Misc_SSL - Info" "[Recommended]Misc_DNS - Critical" "[Recommended]Misc_DNS - Major" "[Recommended]Misc_DNS - Minor" "[Recommended]Misc_DNS - Warning" "[Recommended]Misc_DNS - Info" 
                            "[Recommended]Misc_FTP - Critical" "[Recommended]Misc_FTP - Major" "[Recommended]Misc_FTP - Minor" "[Recommended]Misc_FTP - Warning" "[Recommended]Misc_FTP - Info" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Mail-Services {
                    /* This rule is designed to protect your clients against common mail attacks. If you experience low IDP performance, you may remove the lower-severity groups from your policy for a small increase in performance, at the cost of security. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_IMAP - Critical" "[Recommended]Response_IMAP - Major" "[Recommended]Response_IMAP - Minor" "[Recommended]Response_IMAP - Warning" "[Recommended]Response_IMAP - Info" "[Recommended]Response_POP3 - Critical" "[Recommended]Response_POP3 - Major" "[Recommended]Response_POP3 - Minor" "[Recommended]Response_POP3 - Warning" "[Recommended]Response_POP3 - Info" "[Recommended]Response_SMTP - Critical" "[Recommended]Response_SMTP - Major" "[Recommended]Response_SMTP - Minor" 
                            "[Recommended]Response_SMTP - Warning" "[Recommended]Response_SMTP - Info" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Internal-Services {
                    /* This rule is designed to protect your clients against common internal attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_SMB" "[Recommended]Response_MS-RPC" "[Recommended]Response_LDAP" "[Recommended]Response_NETBIOS" "[Recommended]Response_RADIUS" "[Recommended]Response_SSH" "[Recommended]Response_TELNET" "[Recommended]Response_DB" "[Recommended]Response_VNC" "[Recommended]Response_NFS" "[Recommended]Response_NTP" "[Recommended]Response_PORTMAPPER" "[Recommended]Response_DHCP" "[Recommended]Response_RPC" "[Recommended]Response_SNMP" "[Recommended]Response_SNMPTRAP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Malicious-Activity {
                    /* This rule is designed to protect your clients against common malware attacks and other malicious activity.  This is a very important rule and should be kept enabled. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_SPYWARE" "[Recommended]Misc_SPYWARE" "[Recommended]Response_TROJAN" "[Recommended]Misc_TROJAN" "[Recommended]Response_VIRUS" "[Recommended]Misc_VIRUS" "[Recommended]Response_WORM" "[Recommended]Misc_WORM" "[Recommended]Response_SHELLCODE" "[Recommended]Misc_SHELLCODE" "[Recommended]Response_SCAN" "[Recommended]Misc_SCAN" "[Recommended]Response_DOS" "[Recommended]Misc_DOS" "[Recommended]Response_DDOS" "[Recommended]Misc_DDOS" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Other-Activity {
                    /* This rule is designed to protect your clients against other common attacks.  This rule is useful if your organization is concerned about chat, P2P, and similar activity.  If not, this rule can be disabled or removed from your policy for a minor increase in performance. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_VOIP" "[Recommended]Response_CHAT" "[Recommended]Response_P2P" "[Recommended]Response_APP" "[Recommended]Response_RTSP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Transport-Services {
                    /* This rule is designed to protect your clients against common transport attacks.  Triggers against this rule could indicate an attacker is attempting to evade your IDP.  Unusual network configurations can also sometimes trigger attacks in this rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_IP" "[Recommended]Response_TCP" "[Recommended]Response_UDP" "[Recommended]Response_ICMP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy Client-Protection-1G {
            /* This template policy is designed to protect clients.  This template is supported on all platforms, including Branch devices with 1G of memory. */
            rulebase-ips {
                rule Web-Services-Essential {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes Critical and Major severities.  This is an essential rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_HTTP - Critical" "[Recommended]Response_HTTP - Major" "[Recommended]Response_SSL - Critical" "[Recommended]Response_SSL - Major" "[Recommended]Response_DNS - Critical" "[Recommended]Response_DNS - Major" "[Recommended]Response_FTP - Critical" "[Recommended]Response_FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Web-Services-Low-Performance {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes performance-impacting signatures.  If IDP performance is low, this rule can be disabled to improve performance at the cost of security.  Alternatively, you may remove the lower-severity groups from your policy for a small increase in performance, with a lower cost of security impact. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Misc_HTTP - Critical" "[Recommended]Misc_HTTP - Major" "[Recommended]Misc_SSL - Critical" "[Recommended]Misc_SSL - Major" "[Recommended]Misc_DNS - Critical" "[Recommended]Misc_DNS - Major" "[Recommended]Misc_FTP - Critical" "[Recommended]Misc_FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Mail-Services {
                    /* This rule is designed to protect your clients against common mail attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_IMAP - Critical" "[Recommended]Response_IMAP - Major" "[Recommended]Response_POP3 - Critical" "[Recommended]Response_POP3 - Major" "[Recommended]Response_SMTP - Critical" "[Recommended]Response_SMTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Internal-Services {
                    /* This rule is designed to protect your clients against common internal attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_SMB - Critical" "[Recommended]Response_SMB - Major" "[Recommended]Response_MS-RPC - Critical" "[Recommended]Response_MS-RPC - Major" "[Recommended]Response_NETBIOS - Critical" "[Recommended]Response_NETBIOS - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Malicious-Activity {
                    /* This rule is designed to protect your clients against common malware attacks and other malicious activity.  This is a very important rule and should be kept enabled. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_SPYWARE - Critical" "[Recommended]Misc_SPYWARE - Critical" "[Recommended]Response_SPYWARE - Major" "[Recommended]Misc_SPYWARE - Major" "[Recommended]Response_TROJAN - Critical" "[Recommended]Misc_TROJAN - Critical" "[Recommended]Response_TROJAN - Major" "[Recommended]Misc_TROJAN - Major" "[Recommended]Response_VIRUS - Critical" "[Recommended]Misc_VIRUS - Critical" "[Recommended]Response_VIRUS - Major" "[Recommended]Misc_VIRUS - Major" "[Recommended]Response_WORM - Critical" 
                            "[Recommended]Misc_WORM - Critical" "[Recommended]Response_WORM - Major" "[Recommended]Misc_WORM - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Transport-Services {
                    /* This rule is designed to protect your clients against common transport attacks.  Triggers against this rule could indicate an attacker is attempting to evade your IDP.  Unusual network configurations can also sometimes trigger attacks in this rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_IP" "[Recommended]Response_TCP" "[Recommended]Response_UDP" "[Recommended]Response_ICMP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy Client-And-Server-Protection {
            /* This template policy is designed to protect both clients and servers.  It is supported on devices with 2G or more of memory.  Branch devices with only 1G are not supported. */
            rulebase-ips {
                rule Web-Services-Essential {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes Critical and Major severities.  This is an essential rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]HTTP - Critical" "[Recommended]Response_HTTP - Critical" "[Recommended]HTTP - Major" "[Recommended]Response_HTTP - Major" "[Recommended]SSL - Critical" "[Recommended]Response_SSL - Critical" "[Recommended]SSL - Major" "[Recommended]Response_SSL - Major" "[Recommended]DNS - Critical" "[Recommended]Response_DNS - Critical" "[Recommended]DNS - Major" "[Recommended]Response_DNS - Major" "[Recommended]FTP - Critical" "[Recommended]Response_FTP - Critical" "[Recommended]FTP - Major" 
                            "[Recommended]Response_FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Web-Services-Supplemental {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes Minor, Warning, and Info severities.  If IDP performance is low, this rule can be disabled to improve performance at the cost of security.  Alternatively, you may remove the lower-severity groups from your policy for a small increase in performance, with a lower cost of security impact. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]HTTP - Minor" "[Recommended]Response_HTTP - Minor" "[Recommended]HTTP - Warning" "[Recommended]Response_HTTP - Warning" "[Recommended]HTTP - Info" "[Recommended]Response_HTTP - Info" "[Recommended]SSL - Minor" "[Recommended]Response_SSL - Minor" "[Recommended]SSL - Warning" "[Recommended]Response_SSL - Warning" "[Recommended]SSL - Info" "[Recommended]Response_SSL - Info" "[Recommended]DNS - Minor" "[Recommended]Response_DNS - Minor" "[Recommended]DNS - Warning" "[Recommended]Response_DNS - Warning" 
                            "[Recommended]DNS - Info" "[Recommended]Response_DNS - Info" "[Recommended]FTP - Minor" "[Recommended]Response_FTP - Minor" "[Recommended]FTP - Warning" "[Recommended]Response_FTP - Warning" "[Recommended]FTP - Info" "[Recommended]Response_FTP - Info" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Web-Services-Low-Performance {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes performance-impacting signatures.  If IDP performance is low, this rule can be disabled to improve performance at the cost of security.  Alternatively, you may remove the lower-severity groups from your policy for a small increase in performance, with a lower cost of security impact. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Misc_HTTP - Critical" "[Recommended]Misc_HTTP - Major" "[Recommended]Misc_HTTP - Minor" "[Recommended]Misc_HTTP - Warning" "[Recommended]Misc_HTTP - Info" "[Recommended]Misc_SSL - Critical" "[Recommended]Misc_SSL - Major" "[Recommended]Misc_SSL - Minor" "[Recommended]Misc_SSL - Warning" "[Recommended]Misc_SSL - Info" "[Recommended]Misc_DNS - Critical" "[Recommended]Misc_DNS - Major" "[Recommended]Misc_DNS - Minor" "[Recommended]Misc_DNS - Warning" "[Recommended]Misc_DNS - Info" 
                            "[Recommended]Misc_FTP - Critical" "[Recommended]Misc_FTP - Major" "[Recommended]Misc_FTP - Minor" "[Recommended]Misc_FTP - Warning" "[Recommended]Misc_FTP - Info" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Mail-Services {
                    /* This rule is designed to protect your clients against common mail attacks. If you experience low IDP performance, you may remove the lower-severity groups from your policy for a small increase in performance, at the cost of security. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IMAP - Critical" "[Recommended]Response_IMAP - Critical" "[Recommended]IMAP - Major" "[Recommended]Response_IMAP - Major" "[Recommended]IMAP - Minor" "[Recommended]Response_IMAP - Minor" "[Recommended]IMAP - Warning" "[Recommended]Response_IMAP - Warning" "[Recommended]IMAP - Info" "[Recommended]Response_IMAP - Info" "[Recommended]POP3 - Critical" "[Recommended]Response_POP3 - Critical" "[Recommended]POP3 - Major" "[Recommended]Response_POP3 - Major" "[Recommended]POP3 - Minor" 
                            "[Recommended]Response_POP3 - Minor" "[Recommended]POP3 - Warning" "[Recommended]Response_POP3 - Warning" "[Recommended]POP3 - Info" "[Recommended]Response_POP3 - Info" "[Recommended]SMTP - Critical" "[Recommended]Response_SMTP - Critical" "[Recommended]SMTP - Major" "[Recommended]Response_SMTP - Major" "[Recommended]SMTP - Minor" "[Recommended]Response_SMTP - Minor" "[Recommended]SMTP - Warning" "[Recommended]Response_SMTP - Warning" "[Recommended]SMTP - Info" "[Recommended]Response_SMTP - Info" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Internal-Services {
                    /* This rule is designed to protect your clients against common internal attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SMB" "[Recommended]Response_SMB" "[Recommended]MS-RPC" "[Recommended]Response_MS-RPC" "[Recommended]LDAP" "[Recommended]Response_LDAP" "[Recommended]NETBIOS" "[Recommended]Response_NETBIOS" "[Recommended]RADIUS" "[Recommended]Response_RADIUS" "[Recommended]SSH" "[Recommended]Response_SSH" "[Recommended]TELNET" "[Recommended]Response_TELNET" "[Recommended]DB" "[Recommended]Response_DB" "[Recommended]VNC" "[Recommended]Response_VNC" "[Recommended]NFS" "[Recommended]Response_NFS" 
                            "[Recommended]NTP" "[Recommended]Response_NTP" "[Recommended]PORTMAPPER" "[Recommended]Response_PORTMAPPER" "[Recommended]DHCP" "[Recommended]Response_DHCP" "[Recommended]RPC" "[Recommended]Response_RPC" "[Recommended]SNMP" "[Recommended]Response_SNMP" "[Recommended]SNMPTRAP" "[Recommended]Response_SNMPTRAP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Malicious-Activity {
                    /* This rule is designed to protect your clients against common malware attacks and other malicious activity.  This is a very important rule and should be kept enabled. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SPYWARE" "[Recommended]Response_SPYWARE" "[Recommended]Misc_SPYWARE" "[Recommended]TROJAN" "[Recommended]Response_TROJAN" "[Recommended]Misc_TROJAN" "[Recommended]VIRUS" "[Recommended]Response_VIRUS" "[Recommended]Misc_VIRUS" "[Recommended]WORM" "[Recommended]Misc_WORM" "[Recommended]Response_WORM" "[Recommended]SHELLCODE" "[Recommended]Response_SHELLCODE" "[Recommended]Misc_SHELLCODE" "[Recommended]SCAN" "[Recommended]Response_SCAN" "[Recommended]Misc_SCAN" "[Recommended]DOS" 
                            "[Recommended]Response_DOS" "[Recommended]Misc_DOS" "[Recommended]DDOS" "[Recommended]Response_DDOS" "[Recommended]Misc_DDOS" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Other-Activity {
                    /* This rule is designed to protect your clients against other common attacks.  This rule is useful if your organization is concerned about chat, P2P, and similar activity.  If not, this rule can be disabled or removed from your policy for a minor increase in performance. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]VOIP" "[Recommended]Response_VOIP" "[Recommended]CHAT" "[Recommended]Response_CHAT" "[Recommended]P2P" "[Recommended]Response_P2P" "[Recommended]APP" "[Recommended]Response_APP" "[Recommended]RTSP" "[Recommended]Response_RTSP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                    }
                }
                rule Transport-Services {
                    /* This rule is designed to protect your clients against common transport attacks.  Triggers against this rule could indicate an attacker is attempting to evade your IDP.  Unusual network configurations can also sometimes trigger attacks in this rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IP" "[Recommended]Response_IP" "[Recommended]TCP" "[Recommended]Response_TCP" "[Recommended]UDP" "[Recommended]Response_UDP" "[Recommended]ICMP" "[Recommended]Response_ICMP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy Client-And-Server-Protection-1G {
            /* This template policy is designed to protect both clients and servers.  This template is supported on all platforms, including Branch devices with 1G of memory. */
            rulebase-ips {
                rule Web-Services-Essential {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes Critical and Major severities.  This is an essential rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]HTTP - Critical" "[Recommended]Response_HTTP - Critical" "[Recommended]HTTP - Major" "[Recommended]Response_HTTP - Major" "[Recommended]SSL - Critical" "[Recommended]Response_SSL - Critical" "[Recommended]SSL - Major" "[Recommended]Response_SSL - Major" "[Recommended]DNS - Critical" "[Recommended]Response_DNS - Critical" "[Recommended]DNS - Major" "[Recommended]Response_DNS - Major" "[Recommended]FTP - Critical" "[Recommended]Response_FTP - Critical" "[Recommended]FTP - Major" 
                            "[Recommended]Response_FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Web-Services-Low-Performance {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes performance-impacting signatures.  If IDP performance is low, this rule can be disabled to improve performance at the cost of security.  Alternatively, you may remove the lower-severity groups from your policy for a small increase in performance, with a lower cost of security impact. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Misc_HTTP - Critical" "[Recommended]Misc_HTTP - Major" "[Recommended]Misc_SSL - Critical" "[Recommended]Misc_SSL - Major" "[Recommended]Misc_DNS - Critical" "[Recommended]Misc_DNS - Major" "[Recommended]Misc_FTP - Critical" "[Recommended]Misc_FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Mail-Services {
                    /* This rule is designed to protect your clients against common mail attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IMAP - Critical" "[Recommended]Response_IMAP - Critical" "[Recommended]IMAP - Major" "[Recommended]Response_IMAP - Major" "[Recommended]POP3 - Critical" "[Recommended]Response_POP3 - Critical" "[Recommended]POP3 - Major" "[Recommended]Response_POP3 - Major" "[Recommended]SMTP - Critical" "[Recommended]Response_SMTP - Critical" "[Recommended]SMTP - Major" "[Recommended]Response_SMTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Internal-Services {
                    /* This rule is designed to protect your clients against common internal attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SMB - Critical" "[Recommended]Response_SMB - Critical" "[Recommended]SMB - Major" "[Recommended]Response_SMB - Major" "[Recommended]MS-RPC - Critical" "[Recommended]Response_MS-RPC - Critical" "[Recommended]MS-RPC - Major" "[Recommended]Response_MS-RPC - Major" "[Recommended]NETBIOS - Critical" "[Recommended]Response_NETBIOS - Critical" "[Recommended]NETBIOS - Major" "[Recommended]Response_NETBIOS - Major" "[Recommended]SSH - Critical" "[Recommended]Response_SSH - Critical" 
                            "[Recommended]SSH - Major" "[Recommended]Response_SSH - Major" "[Recommended]DB - Critical" "[Recommended]Response_DB - Critical" "[Recommended]DB - Major" "[Recommended]Response_DB - Major" "[Recommended]NTP - Critical" "[Recommended]Response_NTP - Critical" "[Recommended]NTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Malicious-Activity {
                    /* This rule is designed to protect your clients against common malware attacks and other malicious activity.  This is a very important rule and should be kept enabled. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SPYWARE - Critical" "[Recommended]Response_SPYWARE - Critical" "[Recommended]Misc_SPYWARE - Critical" "[Recommended]SPYWARE - Major" "[Recommended]Response_SPYWARE - Major" "[Recommended]Misc_SPYWARE - Major" "[Recommended]TROJAN - Critical" "[Recommended]Response_TROJAN - Critical" "[Recommended]Misc_TROJAN - Critical" "[Recommended]TROJAN - Major" "[Recommended]Response_TROJAN - Major" "[Recommended]Misc_TROJAN - Major" "[Recommended]VIRUS - Critical" "[Recommended]Response_VIRUS - Critical" 
                            "[Recommended]Misc_VIRUS - Critical" "[Recommended]VIRUS - Major" "[Recommended]Response_VIRUS - Major" "[Recommended]Misc_VIRUS - Major" "[Recommended]WORM - Critical" "[Recommended]Misc_WORM - Critical" "[Recommended]Response_WORM - Critical" "[Recommended]WORM - Major" "[Recommended]Misc_WORM - Major" "[Recommended]Response_WORM - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Transport-Services {
                    /* This rule is designed to protect your clients against common transport attacks.  Triggers against this rule could indicate an attacker is attempting to evade your IDP.  Unusual network configurations can also sometimes trigger attacks in this rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IP" "[Recommended]Response_IP" "[Recommended]TCP" "[Recommended]Response_TCP" "[Recommended]UDP" "[Recommended]Response_UDP" "[Recommended]ICMP" "[Recommended]Response_ICMP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy Web_Server {
            /* This template policy is designed to protect commonly used HTTP servers from remote attacks. */
            rulebase-ips {
                rule 1 {
                    /* This rule drops all packets that should not occur on a clean network, and can be used by attackers to evade IDSs. This rule is necessary to harden the IDP against evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 2 {
                    /* This rule drops all DNS and DHCP packets that contain critical severity attacks and logs them as alarms. Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical DNS and DHCP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DNS - Critical" "DNS - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 3 {
                    /* This rule drops critical and high severity attacks against common web and IIS services and logs them as alarms. Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical and high severity attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "FINGER - Critical" "FINGER - Major" "GOPHER - Critical" "GOPHER - Major" "FTP - Critical" "FTP - Major" "HTTP - Critical" "HTTP - Major" "SHELLCODE - Major" "SHELLCODE - Critical" "NNTP - Critical" "NNTP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 4 {
                    /* This rule logs medium severity attacks.  Enable this rule if you are running your IDP in "in-line" mode, and wish to monitor your network for attacks and IDS evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DNS - Minor" "FINGER - Minor" "FTP - Minor" "GOPHER - Minor" "HTTP - Minor" "NNTP - Minor" "SHELLCODE - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 5 {
                    /* This rule logs low severity attacks.  The rule is disabled by default, as some networks contain many low severity events, which results in many logs. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Warning" "Signature - Warning" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 6 {
                    /* This rule logs informational events.  This rule is disabled by default as it generates many logs.  Informational signatures are included not to necessarily detect attacks, but to provide additional understanding of your network's traffic. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Info" "Signature - Info" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy DMZ_Services {
            /* This template policy is designed to be used to protect a typical DMZ environment. */
            rulebase-ips {
                rule 1 {
                    /* This rule drops all packets that should not occur on a clean network, and can be used by attackers to evade IDSs.  This rule is necessary to harden the IDP against evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 2 {
                    /* This rule drops all DNS and DHCP packets that contain critical severity attacks and logs them as alarms.  Enable this rule if you are running your IDP in \"in-line\" mode, and wish to protect your network against critical DNS and DHCP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DNS - Critical" "DNS - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 3 {
                    /* This rule drops critical and high severity attacks against common DMZ services and logs them as alarms. Enable this rule if you are running your IDP in \"in-line\" mode, and wish to protect your network against critical and high severity attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "FINGER - Critical" "FINGER - Major" "GOPHER - Critical" "GOPHER - Major" "FTP - Critical" "FTP - Major" "HTTP - Critical" "HTTP - Major" "SHELLCODE - Major" "SHELLCODE - Critical" "NNTP - Critical" "NNTP - Major" "IMAP - Critical" "IMAP - Major" "POP3 - Critical" "POP3 - Major" "SMTP - Critical" "SMTP - Major" "SSH - Critical" "SSH - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 4 {
                    /* This rule logs medium severity attacks.  Enable this rule if you are running your IDP in "in-line" mode, and wish to monitor your network for attacks and IDS evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "FINGER - Minor" "FTP - Minor" "GOPHER - Minor" "HTTP - Minor" "IMAP - Minor" "NNTP - Minor" "POP3 - Minor" "SHELLCODE - Minor" "SMTP - Minor" "SSH - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 5 {
                    /* This rule logs low severity attacks.  The rule is disabled by default, as some networks contain many low severity events, which results in many logs. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Warning" "Signature - Warning" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 6 {
                    /* This rule logs informational events.  This rule is disabled by default as it generates many logs.  Informational signatures are included not to necessarily detect attacks, but to provide additional understanding of your network's traffic. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Info" "Signature - Info" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy DNS_Service {
            /* This template policy is designed to protect DNS services. Use this template as a starting point to customize your desired level of protection. */
            rulebase-ips {
                rule 1 {
                    /* This rule drops all packets that should not occur on a clean network, and can be used by attackers to evade IDSs.  This rule is necessary to harden the IDP against evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 2 {
                    /* This rule drops all DNS and DHCP packets that contain critical severity attacks and logs them as alarms.  Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical DNS and DHCP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DNS - Critical" "DNS - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 3 {
                    /* This rule logs medium severity DNS attacks. Enable this rule to investigate possible threats against Domain Name Services. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups "DNS - Minor";
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 4 {
                    /* This rule logs low severity attacks.  The rule is disabled by default, as some networks contain many low severity events, which results in many logs. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Warning" "Signature - Warning" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 5 {
                    /* This rule logs informational events.  This rule is disabled by default as it generates many logs.  Informational signatures are included not to necessarily detect attacks, but to provide additional understanding of your network's traffic. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Info" "Signature - Info" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy File_Server {
            /* This template policy is designed to provide protection to various file sharing services such as SMB, NFS, FTP, and others. */
            rulebase-ips {
                rule 1 {
                    /* This rule drops all packets that should not occur on a clean network, and can be used by attackers to evade IDSs.  This rule is necessary to harden the IDP against evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 2 {
                    /* This rule drops all DNS and DHCP packets that contain critical severity attacks and logs them as alarms.  Enable this rule if you are running your IDP in \"in-line\" mode, and wish to protect your network against critical DNS and DHCP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DNS - Critical" "DNS - Major" "DHCP - Critical" "DHCP - Major" "SHELLCODE - Critical" "SHELLCODE - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 3 {
                    /* This rule drops critical and high severity attacks against common DMZ services and logs them as alarms. Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical and high severity attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "FTP - Critical" "FTP - Major" "SSH - Critical" "SSH - Major" "NFS - Critical" "NFS - Major" "PORTMAPPER - Critical" "PORTMAPPER - Major" "RPC - Critical" "RPC - Major" "SMB - Critical" "SMB - Major" "MS-RPC - Critical" "MS-RPC - Major" "NETBIOS - Critical" "NETBIOS - Major" "TFTP - Critical" "TFTP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 4 {
                    /* This rule logs medium severity file service attacks. Enable this rule to investigate possible threats against file sharing services. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "FTP - Minor" "SSH - Minor" "MS-RPC - Minor" "NETBIOS - Minor" "NFS - Minor" "PORTMAPPER - Minor" "RPC - Minor" "SMB - Minor" "TFTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 5 {
                    /* This rule logs low severity attacks.  The rule is disabled by default, as some networks contain many low severity events, which results in many logs. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Warning" "Signature - Warning" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 6 {
                    /* This rule logs informational events.  This rule is disabled by default as it generates many logs.  Informational signatures are included not to necessarily detect attacks, but to provide additional understanding of your network's traffic. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Info" "Signature - Info" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy Getting_Started {
            /* This template is a good starting point for learning how to create IDP policies. */
            rulebase-ips {
                rule 1 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IP - Major" "IP - Critical" "IP - Minor" "TCP - Critical" "TCP - Major" "TCP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 2 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "ICMP - Critical" "ICMP - Major" "ICMP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 3 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "HTTP - Critical" "HTTP - Major" "HTTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 4 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "SMTP - Critical" "SMTP - Major" "SMTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 5 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DNS - Critical" "DNS - Major" "DNS - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 6 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "FTP - Critical" "FTP - Major" "FTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 7 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "POP3 - Critical" "POP3 - Major" "POP3 - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 8 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IMAP - Critical" "IMAP - Major" "IMAP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 9 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "TROJAN - Critical" "TROJAN - Major" "TROJAN - Minor" "VIRUS - Critical" "VIRUS - Major" "VIRUS - Minor" "WORM - Critical" "WORM - Major" "WORM - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy IDP_Default {
            /* This template policy represents a good blend of security and performance. Use this template for "in-line" mode. */
            rulebase-ips {
                rule 1 {
                    /* This rule drops all packets that should not occur on a clean network, and can be used by attackers to evade IDSs.  This rule is necessary to harden the IDP against evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 2 {
                    /* This rule drops high severity attacks and logs them as alarms. Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical attacks and IDS evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DB - Critical" "DB - Major" "DDOS - Critical" "DDOS - Major" "DHCP - Critical" "DHCP - Major" "DNS - Critical" "DNS - Major" "DOS - Critical" "DOS - Major" "FTP - Critical" "FTP - Major" "HTTP - Critical" "HTTP - Major" "ICMP - Critical" "ICMP - Major" "IMAP - Critical" "IMAP - Major" "NETBIOS - Critical" "NETBIOS - Major" "MS-RPC - Critical" "MS-RPC - Major" "NFS - Critical" "NFS - Major" "POP3 - Critical" "POP3 - Major" "PORTMAPPER - Critical" "PORTMAPPER - Major" "RPC - Critical" 
                            "RPC - Major" "SCAN - Critical" "SCAN - Major" "SHELLCODE - Critical" "SHELLCODE - Major" "SMB - Critical" "SMB - Major" "SMTP - Critical" "SMTP - Major" "SSH - Critical" "SSH - Major" "TELNET - Critical" "TELNET - Major" "TROJAN - Critical" "TROJAN - Major" "WORM - Critical" "WORM - Major" "APP - Critical" "APP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 3 {
                    /* This rule logs medium severity attacks.  Enable this rule if you are running your IDP in "in-line" mode, and wish to monitor your network for attacks and IDS evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DB - Minor" "DDOS - Minor" "DHCP - Minor" "DNS - Minor" "DOS - Minor" "FTP - Minor" "HTTP - Minor" "ICMP - Minor" "IMAP - Minor" "NETBIOS - Minor" "MS-RPC - Minor" "NFS - Minor" "POP3 - Minor" "PORTMAPPER - Minor" "RPC - Minor" "SCAN - Minor" "SHELLCODE - Minor" "SMB - Minor" "SMTP - Minor" "SSH - Minor" "TELNET - Minor" "TROJAN - Minor" "WORM - Minor" "APP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 4 {
                    /* This rule logs low severity attacks.  The rule is disabled by default, as some networks contain many low severity events, which results in many logs. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Warning" "Signature - Warning" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 5 {
                    /* This rule logs informational events.  This rule is disabled by default as it generates many logs.  Informational signatures are included not to necessarily detect attacks, but to provide additional understanding of your network's traffic. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Info" "Signature - Info" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy Recommended {
            /* This legacy template policy covers most current vulnerabilities.  This template is supported on all platforms, including Branch devices with 1G of memory. */
            rulebase-ips {
                rule 1 {
                    /* This rule is designed to protect your networks against important TCP/IP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IP - Critical" "[Recommended]IP - Minor" "[Recommended]IP - Major" "[Recommended]TCP - Critical" "[Recommended]TCP - Minor" "[Recommended]TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 2 {
                    /* This rule is designed to protect your network against  important ICMP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]ICMP - Major" "[Recommended]ICMP - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 3 {
                    /* This rule is designed to protect your network against  important HTTP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]HTTP - Critical" "[Recommended]HTTP - Major" "[Recommended]HTTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 4 {
                    /* This rule is designed to protect your network against  important SMTP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SMTP - Critical" "[Recommended]SMTP - Major" "[Recommended]SMTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 5 {
                    /* This rule is designed to protect your network against  important DNS attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]DNS - Critical" "[Recommended]DNS - Minor" "[Recommended]DNS - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 6 {
                    /* This rule is designed to protect your network against  important FTP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]FTP - Critical" "[Recommended]FTP - Minor" "[Recommended]FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 7 {
                    /* This rule is designed to protect your network against important POP3 attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]POP3 - Critical" "[Recommended]POP3 - Minor" "[Recommended]POP3 - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 8 {
                    /* This rule is designed to protect your network against  important IMAP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IMAP - Critical" "[Recommended]IMAP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 9 {
                    /* This rule is designed to protect your network against common internet malware. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]TROJAN - Critical" "[Recommended]TROJAN - Major" "[Recommended]TROJAN - Minor" "[Recommended]VIRUS - Critical" "[Recommended]VIRUS - Major" "[Recommended]VIRUS - Minor" "[Recommended]WORM - Critical" "[Recommended]WORM - Major" "[Recommended]WORM - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule TCP/IP {
                    /* This rule is designed to protect your networks against important TCP/IP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IP - Critical" "[Recommended]IP - Minor" "[Recommended]IP - Major" "[Recommended]TCP - Critical" "[Recommended]TCP - Minor" "[Recommended]TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule ICMP {
                    /* This rule is designed to protect your network against  important ICMP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]ICMP - Major" "[Recommended]ICMP - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule HTTP {
                    /* This rule is designed to protect your network against  important HTTP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]HTTP - Critical" "[Recommended]HTTP - Major" "[Recommended]HTTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule SMTP {
                    /* This rule is designed to protect your network against  important SMTP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SMTP - Critical" "[Recommended]SMTP - Major" "[Recommended]SMTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule DNS {
                    /* This rule is designed to protect your network against important DNS attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]DNS - Critical" "[Recommended]DNS - Minor" "[Recommended]DNS - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule FTP {
                    /* This rule is designed to protect your network against important FTP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]FTP - Critical" "[Recommended]FTP - Minor" "[Recommended]FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule POP3 {
                    /* This rule is designed to protect your network against important POP3 attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]POP3 - Critical" "[Recommended]POP3 - Minor" "[Recommended]POP3 - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule IMAP {
                    /* This rule is designed to protect your network against important IMAP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IMAP - Critical" "[Recommended]IMAP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Malware {
                    /* This rule is designed to protect your network against common internet malware. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]TROJAN - Critical" "[Recommended]TROJAN - Major" "[Recommended]TROJAN - Minor" "[Recommended]VIRUS - Critical" "[Recommended]VIRUS - Major" "[Recommended]VIRUS - Minor" "[Recommended]WORM - Critical" "[Recommended]WORM - Major" "[Recommended]WORM - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        active-policy Recommended;
        security-package {
            url http://services.netscreen.com/cgi-bin/index.cgi;
            automatic {
                start-time "2015-4-4.21:50:00 +0000";
                interval 24;
                enable;
            }
        }
        sensor-configuration {
            log {
                cache-size 32000;
                suppression {
                    include-destination-address;
                    start-log 1;
                    max-logs-operate 32000;
                    max-time-report 30;
                }
            }
            flow {
                log-errors;
                no-allow-icmp-without-flow;
            }
            re-assembler {
                no-ignore-memory-overflow;
                no-ignore-reassembly-memory-overflow;
                ignore-reassembly-overflow;
                max-flow-mem 32000;
                max-packet-mem-ratio 20;
            }
            ips {
                no-process-override;
                detect-shellcode;
                no-process-ignore-s2c;
                ignore-regular-expression;
                log-supercede-min 32000;
            }
            global {
                enable-packet-pool;
                enable-all-qmodules;
                no-policy-lookup-cache;
                memory-limit-percent 70;
            }
        }
    }
    alg {
        mgcp disable;
        msrpc disable;
        sunrpc disable;
        rsh disable;
        rtsp;
        sccp disable;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
        ike-esp-nat {
            enable;
        }
    }
    flow {
        syn-flood-protection-mode syn-cookie;
        aging {
            early-ageout 30;
            low-watermark 70;
            high-watermark 90;
        }
    }
    screen {
        ids-option internet-screen {
            icmp {
                ip-sweep threshold 5000;
                fragment;
                large;
                flood threshold 1000;
                ping-death;
            }
            ip {
                bad-option;
                record-route-option;
                timestamp-option;
                security-option;
                stream-option;
                spoofing;
                source-route-option;
                loose-source-route-option;
                strict-source-route-option;
                unknown-protocol;
                block-frag;
                tear-drop;
            }
            tcp {
                syn-fin;
                fin-no-ack;
                tcp-no-flag;
                syn-frag;
                port-scan threshold 5000;
                syn-ack-ack-proxy threshold 1000;
                syn-flood {
                    alarm-threshold 512;
                    attack-threshold 200;
                    source-threshold 4000;
                    destination-threshold 4000;
                    queue-size 2000;
                    timeout 30;
                }
                land;
                winnuke;
            }
            udp {
                flood threshold 1000;
            }
            limit-session {
                source-ip-based 100;
                destination-ip-based 1000;
            }
        }
    }
    policies {
        from-zone IcNetwork to-zone DisNetwork {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone DisNetwork to-zone IcNetwork {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            idp;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone DisNetwork {
            screen internet-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                xe-1/0/0.0;
            }
        }
        security-zone IcNetwork {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                xe-1/0/1.0;
            }
        }
    }
}
firewall {
    filter rpf-filter {
        term default {
            then {
                count rpf-failed-count;
                reject;
            }
        }
    }
}

But still the same:



root@srx3600.spd.net.tr> show security idp status
State of IDP: Default,  Up since: 2015-04-12 01:46:42 UTC (1d 09:14 ago)

Packets/second: 0               Peak: 0 @ 2015-04-12 01:46:42 UTC
KBits/second  : 0               Peak: 0 @ 2015-04-12 01:46:42 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]

Packet Statistics:
 [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]

Flow Statistics:
  ICMP: [Current: 0] [Max: 0 @ 2015-04-12 01:46:42 UTC]
  TCP: [Current: 0] [Max: 0 @ 2015-04-12 01:46:42 UTC]
  UDP: [Current: 0] [Max: 0 @ 2015-04-12 01:46:42 UTC]
  Other: [Current: 0] [Max: 0 @ 2015-04-12 01:46:42 UTC]

Session Statistics:
 [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]

Number of SSL Sessions : 0

  Policy Name : none

Forwarding process mode : regular

0
FireBallITAuthor Commented:
Then I updated, and the problem is resolved for IDP, but a 50 Mbps attack is still locking up the whole SRX 3600, and IDP does not detect the spoofed TCP SYN DDoS.

root@srx3600.spd.net.tr> show security idp attack table
IDP attack statistics:

  Attack name                                  #Hits
  HTTP:SQL:INJ:HAVIJ-UA                        26
  HTTP:SQL:INJ:WAITFOR-DELAY                   26
  HTTP:PHP:PHPMYADMIN:SETUP-SCAN               4

root@srx3600.spd.net.tr> show security idp status
State of IDP: Default,  Up since: 2015-04-12 01:46:42 UTC (1d 09:29 ago)

Packets/second: 145             Peak: 3136 @ 2015-04-13 11:13:58 UTC
KBits/second  : 70              Peak: 1490 @ 2015-04-13 11:13:56 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]

Packet Statistics:
 [ICMP: 0] [TCP: 124180] [UDP: 30928] [Other: 0]

Flow Statistics:
  ICMP: [Current: 26] [Max: 48 @ 2015-04-13 11:07:05 UTC]
  TCP: [Current: 374] [Max: 896 @ 2015-04-13 11:13:56 UTC]
  UDP: [Current: 2170] [Max: 3032 @ 2015-04-13 11:12:00 UTC]
  Other: [Current: 40] [Max: 1982 @ 2015-04-13 11:10:39 UTC]

Session Statistics:
 [ICMP: 13] [TCP: 187] [UDP: 1085] [Other: 20]

Number of SSL Sessions : 0

  Policy Name : Recommended
  Running Detector Version : 12.6.140140822

Forwarding process mode : regular

0
giltjrCommented:
So the major issue was that the SRX3600 was not configured to actually use the IDP.  Again, this is something a pre-sales engineer would have helped with.  Making sure you have the box configured correctly for what you want to do.

As far as the "spoofed" attack, I would still have to look at this. I need to know what you mean by spoofed. As we discussed earlier, I don't know how the SRX is supposed to detect that the address is spoofed if the return path is valid.
0
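A check for the condition giltjr points to, added here as an example (not code from the thread or from Juniper): it parses the two `show security idp status` outputs posted above, copied in as constructed and abridged samples, and lists why IDP is not engaged.

```python
"""Added example (not from the thread): parse Junos `show security idp status`
output and report why IDP is not actually inspecting traffic."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed, abridged copy of the output before the fix ("Policy Name : none").
STATUS_BEFORE = """\
State of IDP: Default,  Up since: 2015-04-12 01:46:42 UTC (1d 09:14 ago)

Packets/second: 0               Peak: 0 @ 2015-04-12 01:46:42 UTC

Packet Statistics:
 [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]

Flow Statistics:
  ICMP: [Current: 0] [Max: 0 @ 2015-04-12 01:46:42 UTC]
  TCP: [Current: 0] [Max: 0 @ 2015-04-12 01:46:42 UTC]
  UDP: [Current: 0] [Max: 0 @ 2015-04-12 01:46:42 UTC]
  Other: [Current: 0] [Max: 0 @ 2015-04-12 01:46:42 UTC]

Session Statistics:
 [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]

  Policy Name : none
"""

# Constructed, abridged copy of the output after the fix (Recommended policy active).
STATUS_AFTER = """\
State of IDP: Default,  Up since: 2015-04-12 01:46:42 UTC (1d 09:29 ago)

Packets/second: 145             Peak: 3136 @ 2015-04-13 11:13:58 UTC

Packet Statistics:
 [ICMP: 0] [TCP: 124180] [UDP: 30928] [Other: 0]

Flow Statistics:
  ICMP: [Current: 26] [Max: 48 @ 2015-04-13 11:07:05 UTC]
  TCP: [Current: 374] [Max: 896 @ 2015-04-13 11:13:56 UTC]
  UDP: [Current: 2170] [Max: 3032 @ 2015-04-13 11:12:00 UTC]
  Other: [Current: 40] [Max: 1982 @ 2015-04-13 11:10:39 UTC]

Session Statistics:
 [ICMP: 13] [TCP: 187] [UDP: 1085] [Other: 20]

  Policy Name : Recommended
  Running Detector Version : 12.6.140140822
"""


@dataclass
class IdpStatus:
    policy_name: str
    detector_version: Optional[str]
    packets_per_second: int
    peak_pps: int
    packets: Dict[str, int]        # packets inspected, per protocol
    flows_current: Dict[str, int]  # current flows, per protocol
    sessions: Dict[str, int]       # sessions, per protocol


def _section(text: str, heading: str) -> str:
    """Lines under `heading`, up to the next blank line."""
    m = re.search(re.escape(heading) + r"[ \t]*\n(.*?)(?:\n[ \t]*\n|\Z)", text, re.S)
    return m.group(1) if m else ""


def _counts(section: str) -> Dict[str, int]:
    """Turn '[ICMP: 0] [TCP: 124180] ...' into {'ICMP': 0, 'TCP': 124180, ...}."""
    return {k: int(v) for k, v in re.findall(r"\[(\w+): (\d+)\]", section)}


def parse_idp_status(text: str) -> IdpStatus:
    policy = re.search(r"Policy Name\s*:\s*(\S+)", text)
    detector = re.search(r"Running Detector Version\s*:\s*(\S+)", text)
    pps = re.search(r"Packets/second:\s*(\d+)\s+Peak:\s*(\d+)", text)
    flows = re.findall(r"(\w+): \[Current: (\d+)\]", _section(text, "Flow Statistics:"))
    return IdpStatus(
        policy_name=policy.group(1) if policy else "none",
        detector_version=detector.group(1) if detector else None,
        packets_per_second=int(pps.group(1)) if pps else 0,
        peak_pps=int(pps.group(2)) if pps else 0,
        packets=_counts(_section(text, "Packet Statistics:")),
        flows_current={k: int(v) for k, v in flows},
        sessions=_counts(_section(text, "Session Statistics:")),
    )


def idp_findings(st: IdpStatus) -> List[str]:
    """Why IDP is not protecting traffic; an empty list means it is engaged."""
    findings = []
    if st.policy_name.lower() == "none":
        findings.append("no active IDP policy: check 'set security idp active-policy'")
    if st.detector_version is None:
        findings.append("no running detector: IDP security package not loaded")
    if sum(st.packets.values()) == 0:
        findings.append("zero packets inspected: traffic is not reaching IDP "
                        "(no permit policy with 'application-services idp'?)")
    return findings


def idp_engaged(text: str) -> bool:
    """True only when the parsed status shows IDP active and inspecting packets."""
    return not idp_findings(parse_idp_status(text))
```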
FireBallITAuthor Commented:
The real attacker IP address is 185.9.156.2, but it does not show any pattern, and Juniper accepts the spoofed calls as valid.
Also we decided to block the protocol with IDP, but please see the images.
0
giltjrCommented:
Is this your simulated attack or a real attack?

At this point I'm inclined to say your whole problem comes down to a lack of knowledge on how to configure the box to do what you want.

I'm on the road and will be unavailable for the next few hours.
0
FireBallITAuthor Commented:
At this point I'm inclined to say your whole problem comes down to a lack of knowledge on how to configure the box to do what you want.


Maybe, but our simulated attack is using the same script and we are sending traffic from outside the SRX network; there is no difference from the real one, please note that first.

If you think you should help, I should share login information with you; we really need this and are having big troubles at the moment. And Juniper will probably need at least 5-7 days to register and start the contract.
0
David PiniellaCommented:
It's my experience w/ Juniper support that once they have the contract signed, they're usually willing to help right away even if the support contract is not finalized right away. Explain to them that you're dealing with an attack right now and need help configuring your device.

Which is extended software-based capabilities. But I have never seen something like that on ARBOR or other professional units.
We are using Dell; they give support perfectly. Yesterday we had a CPU failure and they sent a new one within 24 hours!!! We have EMC storage; when we run into trouble with something, they send a man within 24 hours at no charge!
I think Juniper does not want to face problems with their products, because they know what is true or not.

If you don't have a support contract with Juniper, why would you expect this level of service from them? Dell and EMC will not jump through hoops without support contracts or payment in place, either. Extended software capabilities w/ different contracts/licenses is extremely common. I know Cisco does this; Fortinet used to do this; I think Palo Alto and Check Point too. I would assume other major vendors do as well.

giltjr's assessment that the problem is a lack of knowledge on how to configure your box for desired results is, imo, correct.
Maybe, but our simulated attack is using the same script and we are sending traffic from outside the SRX network; there is no difference from the real one, please note that first.
this doesn't change that your SRX configuration is not set to do what you want. You figured out the attacker's methods and duplicated them, but haven't set your device to block that traffic. Your anger at Juniper is misplaced and I'm going to say is not very helpful in actually solving the problem.

In your earlier config, you had a default permit rule from Dis to Int -- why not just block the offending IP? (This may be unnecessary with the idp modification that giltjr suggested, but if you must have default permit, you will probably want a block group for IPs that you ban and want to drop the traffic.)
0
David PiniellaCommented:
BTW, if you're coming to Junos/Juniper with experience with other devices (and it seems you have experience with other stuff, so I'm guessing yes) -- you may find the O'Reilly SRX book helpful, particularly this chapter: http://chimera.labs.oreilly.com/books/1234000001633/ch08.html
0
FireBallITAuthor Commented:
Yes, but I do not understand how the device becomes inaccessible when it gets 100K+ PPS.
0
David PiniellaCommented:
See http://www.cisco.com/web/about/security/intelligence/network_performance_metrics.html

You'd have to look at the logs when it's becoming inaccessible and find out what's happening. 100K pps is a poor metric; what size packets, what type of packets, what's the throughput, how many sessions? From http://www.juniper.net/us/en/local/pdf/datasheets/1000267-en.pdf the 3600 does 55Gbps throughput as a FW, 15 when doing VPN, 2.25 million concurrent sessions and 150K new sessions. Presumably your 100K pps aren't all new sessions and from your config, you're not running any VPN.
0
FireBallITAuthor Commented:
You read nearly all of my questions, so please show me a way; I could share login info with you if you have time?
0
giltjrCommented:
We now know that the IDS is enabled and working.  I am assuming that you have downloaded the most recent attack patterns from Juniper.

I wish I could help more, but I think you are beyond what help I can provide.  Juniper support is your best bet now.

I would try and stay away from using the term spoofed attacks since it seems that you are spoofing the attack, but doing it in a way that it appears to be coming from a valid source.

My guess, based on past experience, is that they will want packet captures of the real attack as logged/captured from the SRX3600, so they can see what is going on.
0
FireBallITAuthor Commented:
I think the strangest thing is the SRX locking down without any log when it reaches 100k+ connections per second, while if we use a screen limit for 1k,
it does not create a session or use CPU, but it is locking the connection for all interfaces.
0
FireBallITAuthor Commented:
You showed me the most important points, thank you.
0
giltjrCommented:
I don't know what its limit might be.

Since these attacks might be considered "new connections" the SRX is limited to 150,000 new connections per second.  My guess is that that is with the maximum number of NPC or SPC installed.  So at 100,000 you could be hitting some limit within the box.  100,000 packets a second is quite a bit.

Had you found this link: http://kb.juniper.net/InfoCenter/index?page=content&id=KB23424

Especially:  http://kb.juniper.net/InfoCenter/index?page=content&id=KB16109

Again, your best bet at this point in time is Juniper support.  If this is impacting your business drastically, you should be able to escalate this quickly.
0
FireBallITAuthor Commented:
We have blocked all unknown protocols in the EX except
UDP, TCP and ICMP :)
and given the rest of the job to the SRX, because the SRX keeps sessions including zone rules, so it is growing behind; it does not have a system like Citrix to check fake IP addresses.
0
Fred MarshallPrincipalCommented:
it does not has a system like citrix to check fake ip addresses
I'm unclear what the reference to Citrix is in this context.  Most of the Citrix apps that I know of are 3rd-party VPN applications that rely on a "server" process at the client end that communicates with a Citrix server.  That seems different from this situation.

The SRX can certainly block packets from specified IP addresses...... if that's what you mean.
For example, what's discussed here:
http://www.redelijkheid.com/blog/2013/1/9/filter-block-ip-addresses-on-a-juniper-srx
But, if you are receiving packets that appear to come from legitimate IP addresses then this wouldn't be the tool to use.
0
giltjrCommented:
The Citrix Netscaler devices are application load balancers that include some firewall capabilities.  Sounds like they configured one to use just as a Firewall.  Never used one.

Citrix did not originally develop this, they bought the company.
0
FireBallITAuthor Commented:
Citrix answers every SYN with an ACK if it has been added to the load balancer.
So spoofed IP addresses do not create sessions. If there is input traffic of 400mbps it answers with 400mbps upload. If the handshake occurs then it accepts the traffic;
that makes some delay but increases the security.

The SRX has session timeouts; if it gets 100k pps with 100k different IP addresses then it drops in 10 seconds because it fills the connection limits, and as far as I see it does not have the capability of what Citrix does.
0
giltjrCommented:
Because Citrix is a load balancer first, it acts differently from a firewall.  L7 load balancers are really reverse proxy servers.  That is why it (and other load balancers) can handle some attacks better than firewalls.

With a reverse proxy server there are two TCP connections for each "real" TCP connection.  There is a connection between the client and the load balancer and then between the load balancer and the backend server.  Most load balancers will not start the TCP connection between it and the backend server until there has been a successful connection between the client and the balancer.
0
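As an added illustration of the two points just made (a device that only treats a client as real once the handshake has completed, and a reverse proxy that opens its backend connection only after the client side is established), here is a small asyncio TCP reverse proxy. It is example code written for this thread, not Citrix, NetScaler or Juniper code, and the gate it adds (waiting for the client's first bytes before dialling the backend) is a common proxy design choice, not a description of any particular product. The backend, ports and client scenario are constructed for the demo.

```python
"""Handshake-gated TCP reverse proxy (added example, not vendor code)."""
import asyncio


async def _pipe(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Copy bytes one way until EOF, then close the destination."""
    try:
        while True:
            data = await reader.read(65536)
            if not data:
                break
            writer.write(data)
            await writer.drain()
    except OSError:
        pass
    finally:
        writer.close()


class GatedProxy:
    """Opens a backend connection only after the client has completed the TCP
    handshake *and* sent its first bytes, so unfinished or silent connections
    never consume a backend session."""

    def __init__(self, backend_host: str, backend_port: int, first_byte_timeout: float = 5.0):
        self.backend_host, self.backend_port = backend_host, backend_port
        self.first_byte_timeout = first_byte_timeout
        self.server = None
        self.stats = {"clients_accepted": 0, "backends_opened": 0, "dropped_before_data": 0}

    async def _handle(self, client_reader, client_writer):
        # By the time this coroutine runs the kernel has already finished the
        # three-way handshake.  A SYN from a spoofed source never reaches here:
        # the SYN-ACK goes to an address that will not answer it.
        self.stats["clients_accepted"] += 1
        try:
            first = await asyncio.wait_for(client_reader.read(65536), self.first_byte_timeout)
        except (asyncio.TimeoutError, OSError):
            first = b""
        if not first:
            # Handshake done but no request followed: drop without touching the backend.
            self.stats["dropped_before_data"] += 1
            client_writer.close()
            return
        try:
            backend_reader, backend_writer = await asyncio.open_connection(self.backend_host, self.backend_port)
        except OSError:
            client_writer.close()
            return
        self.stats["backends_opened"] += 1
        backend_writer.write(first)  # forward the bytes we held back
        await backend_writer.drain()
        await asyncio.gather(_pipe(client_reader, backend_writer), _pipe(backend_reader, client_writer))

    async def start(self, host: str = "127.0.0.1", port: int = 0) -> int:
        self.server = await asyncio.start_server(self._handle, host, port)
        return self.server.sockets[0].getsockname()[1]


async def demo() -> dict:
    """Constructed scenario: one client that completes the handshake but sends
    nothing, one that sends a request.  Returns what the backend actually saw."""
    backend_connections = 0

    async def echo(reader, writer):  # constructed backend: echoes until EOF
        nonlocal backend_connections
        backend_connections += 1
        await _pipe(reader, writer)

    backend = await asyncio.start_server(echo, "127.0.0.1", 0)
    proxy = GatedProxy("127.0.0.1", backend.sockets[0].getsockname()[1], first_byte_timeout=0.5)
    proxy_port = await proxy.start()

    # Client 1: handshake completes, then hangs up without sending a byte.
    _, w = await asyncio.open_connection("127.0.0.1", proxy_port)
    w.close()
    await w.wait_closed()

    # Client 2: a real request; the echo comes back through the proxy.
    r, w = await asyncio.open_connection("127.0.0.1", proxy_port)
    w.write(b"hello")
    await w.drain()
    echoed = await r.readexactly(5)
    w.close()
    await w.wait_closed()

    for _ in range(50):  # wait until the proxy has classified both clients
        if proxy.stats["backends_opened"] + proxy.stats["dropped_before_data"] == 2:
            break
        await asyncio.sleep(0.05)
    proxy.server.close()
    backend.close()
    return {"backend_connections": backend_connections, "echoed": echoed, **proxy.stats}


def run_demo() -> dict:
    return asyncio.run(demo())


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the backend receiving exactly one connection although the proxy accepted two: the silent client is dropped at the proxy, which is the property the thread attributes to the load balancer. A stateful firewall that allocates a session on the first packet it forwards has no equivalent gate, which is why the same flood is felt differently by the two kinds of device.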
Fred MarshallPrincipalCommented:
Ah!  Ok Thanks.
0
giltjrCommented:
As I posted in one or two of your other posts on this issue.

It appears as if you are running test attacks on the SRX3600.  Based on the display and the last config you posted, your attacking traffic is hitting a 1 GbE interface that is NOT defined in any zones, and thus has no filtering/IDP/IDS protecting it.

If you are running tests against the SRX3600 to see what it can handle, you need to make sure that the traffic hits the interface you are applying all of the protection on.
0
FireBallITAuthor Commented:
We had changed the config numerous times :)
There was no problem with the applied interfaces; the problem was about a single CPU and hardware drop.
0
Fred MarshallPrincipalCommented:
Did you ever get in touch with Juniper JTAC?
0
FireBallITAuthor Commented:
Unofficially yes; they were surprised by the ACK attacks' impact on the device,
but mainly showed the main point of the problem:
where the packets were dropped and why.
0
Fred MarshallPrincipalCommented:
Well, I can't say that it's easy to figure out what's going on when there's an overloading situation.
I had it on an SG-5 with email antivirus scanning turned on.
It was very hard to figure out why the incoming emails were stopping or hanging.
I spent hours and hours with JTAC at an elevated level until the truth emerged.

So, if that's the situation you have in dealing with these attacks then I can imagine that it's hard to deal with.

But you say: "unofficially"?
Is JTAC supporting you?  Has the case been elevated?
0
FireBallITAuthor Commented:
The JTAC assignment procedure has not finished yet. But one of the JCIE responsible has connected and checked. There is no screen option for direct ACK connections. We have tested the screens; they block 3-4Mpps+,
but ACK connections do not create a session and are dropped while in flow; that is why it took so much time to detect the problem, because packets were dropping the same way while the shared SPC filled up.
0