PM 11 - how to supress client alerts

Hi,

With a recent Policy manager 11 install and reconfiguration i am struggling to supress one specific message.

The alert that is showing up for the user is a "Firewall alert, Description: Suspiciously small datagram fragment. possibley a fragmentation attack". This is shown with a yellow exclamation mark.

I have unticked every option on the policy manager for "alert sending" and "local user interface" I have also set the alert severity to "no alerting" in the Firewall security levels.

These alerts still keep poping up on the clients running 11.5 client secuirty Premium.

Any help would be great

Jed

Find more posts tagged with

Comments

etomcat

Hello,

> "Firewall alert, Description: Suspiciously small datagram fragment. possibley a fragmentation attack".

This type of error message had been common in Hungary for many users of F-Secure protection, who accessed the net over GSM mobile data connections. (That time mobile net providers did other funny things, like giving end users 10.som.eth.ing IP addresses so they couldn't teamgame FPS or download P2P and overload the small bandwidth.)

This was in the era many years ago, when IS/DFW personal firewall module was still included in the F-Secure home-user products, as well as the FSCS corporate product.

The solution was to reduce the size of smallest allowed IP fragment from 128, maybe even zero it out to disable such filtering. This can be done in the PMC centrally or the end-point local UI, unless the secadmin decided to grey it out.

Best Regards: Tamas Feher.

Chu

For this configuration, you need create a server group and workstation group. In the server group you keep enabled the Show Alert Dialogs If No User and the Workstation group you disable the Show Alert Dialogs If No User.

Example of Workstation configuration:

Serevr configuration:

Dont forget put the workstation machines inside workstation group and server machines inside servers group.

Its important remember its all the alerts will keep logging in the Policy Manager in the alert tab.

Best Regards,

Roberto Chu

Jedflash

Thanks i will give the seond answer a try - i dont want to switch off this system, thus reporting on the sever but just the reporting to the user.

Thanks

jed

Chu

Good morning!

All configuration you already done dont stop alerts dialogs in the user interface. To stop the alerts you need turn off Show Alerts Dialogs If No User = Disabled

PS: This configuration just stop show the alerts in the user interface. This configuration dont stop the eventually attacks!

Best Regards,

Roberto Chu

Ben

This type of alerts might be related to a DDoS. If they appear on a network, they might be sign of a broken or wrongly configured router.

Please investigate the issue on a network level before applying the modification below. In practice packet with a size below 128 bytes are normally inefficient(ratio data/data+headers ).

To get rid of the alert, you can change the minimum size of the fragment to 0.
This setting is in the Policy Manager in advanced mode under Internet Shield>Settings>Firewall Engine> Minimum fragment size.