
PM 11 - how to suppress client alerts

Jedflash
Jedflash Posts: 22 Security Scout

Hi,

With a recent Policy Manager 11 install and reconfiguration I am struggling to suppress one specific message.

The alert that is showing up for the user is a "Firewall alert, Description: Suspiciously small datagram fragment. possibly a fragmentation attack". This is shown with a yellow exclamation mark.

I have unticked every option on the Policy Manager for "alert sending" and "local user interface". I have also set the alert severity to "no alerting" in the Firewall security levels.

These alerts still keep popping up on the clients running 11.5 Client Security Premium.

Any help would be great.

Jed

Comments

  • Ben
    Ben Posts: 664 Cybercrime Crusader

    This type of alert might be related to a DDoS. If they appear on a network, they might be a sign of a broken or wrongly configured router.

    Please investigate the issue on a network level before applying the modification below. In practice, packets with a size below 128 bytes are normally inefficient (ratio data/data+headers).

    To get rid of the alert, you can change the minimum size of the fragment to 0.
    This setting is in the Policy Manager in advanced mode under Internet Shield > Settings > Firewall Engine > Minimum fragment size.

  • Chu
    Chu Posts: 49 Junior Protector

    Good morning!

    All the configuration you have already done doesn't stop the alert dialogs in the user interface. To stop the alerts you need to turn off Show Alerts Dialogs If No User = Disabled

    [Attached image: alerts.JPG]

    PS: This configuration just stops showing the alerts in the user interface. This configuration doesn't stop the eventual attacks!

    Best Regards,

    Roberto Chu

  • Jedflash
    Jedflash Posts: 22 Security Scout

    Thanks, I will give the second answer a try - I don't want to switch off this system, thus reporting on the server, but just the reporting to the user.

    Thanks

    jed

  • Chu
    Chu Posts: 49 Junior Protector

    For this configuration, you need to create a server group and a workstation group. In the server group you keep the Show Alert Dialogs If No User enabled, and in the workstation group you disable the Show Alert Dialogs If No User.

    Example of Workstation configuration:

    [Attached image: alert3.JPG]

    Server configuration:

    [Attached image: alert2.JPG]

    Don't forget to put the workstation machines inside the workstation group and the server machines inside the servers group.

    It's important to remember that all the alerts will keep logging in the Policy Manager in the alert tab.

    Best Regards,

    Roberto Chu

  • etomcat
    etomcat Posts: 1,172 Firewall Master

    Hello,

    > "Firewall alert, Description: Suspiciously small datagram fragment. possibly a fragmentation attack".

    This type of error message had been common in Hungary for many users of F-Secure protection, who accessed the net over GSM mobile data connections. (At that time mobile net providers did other funny things, like giving end users 10.som.eth.ing IP addresses so they couldn't teamgame FPS or download P2P and overload the small bandwidth.)

    This was in the era many years ago, when the IS/DFW personal firewall module was still included in the F-Secure home-user products, as well as the FSCS corporate product.

    The solution was to reduce the size of the smallest allowed IP fragment from 128, maybe even zero it out to disable such filtering. This can be done in the PMC centrally or in the end-point local UI, unless the secadmin decided to grey it out.

    Best Regards: Tamas Feher.
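An added example, not part of any post in this thread and not F-Secure code: a Python sketch of the network-level check Ben recommends before lowering the minimum fragment size that he and etomcat describe. It parses raw IPv4 headers and lists non-final fragments below the 128-byte figure from the thread. Measuring the threshold against the payload of fragments with the More Fragments flag set is an assumption about how such a filter works, and `build_packet` and the sample packets are constructed for illustration.

```python
import struct

MIN_FRAGMENT_SIZE = 128  # figure from the thread; how the product measures it is an assumption

def parse_ipv4(packet: bytes):
    """Return the fragment-related fields of a raw IPv4 packet, or None if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len, ident, flags_off = struct.unpack("!HHH", packet[2:8])
    if ihl < 20 or total_len < ihl or len(packet) < ihl:
        return None
    return {
        "src": ".".join(map(str, packet[12:16])),
        "id": ident,
        "more_fragments": bool(flags_off & 0x2000),
        "offset": (flags_off & 0x1FFF) * 8,
        "payload_len": total_len - ihl,
    }

def small_fragments(packets, min_size=MIN_FRAGMENT_SIZE):
    """List non-final fragments whose payload is smaller than min_size."""
    hits = []
    for raw in packets:
        f = parse_ipv4(raw)
        # Only MF=1 fragments count: the last fragment of a datagram is legitimately short.
        if f and f["more_fragments"] and f["payload_len"] < min_size:
            hits.append(f)
    return hits

def build_packet(src, ident, mf, offset_bytes, payload_len):
    """Hypothetical helper: build a minimal IPv4/UDP packet (checksum left at 0)."""
    flags_off = (0x2000 if mf else 0) | (offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_off, 64, 17, 0, bytes(src), bytes([192, 0, 2, 1]))
    return hdr + b"\x00" * payload_len

# Constructed sample traffic, not captured from any real network.
SAMPLE = [
    build_packet([198, 51, 100, 7], 1, True, 0, 1480),    # normal first fragment
    build_packet([198, 51, 100, 7], 1, False, 1480, 40),  # short final fragment: expected
    build_packet([203, 0, 113, 9], 2, True, 0, 24),       # tiny non-final fragment
    build_packet([203, 0, 113, 9], 2, True, 24, 24),      # tiny non-final fragment
    build_packet([10, 0, 0, 5], 3, False, 0, 60),         # small but unfragmented
]

if __name__ == "__main__":
    for hit in small_fragments(SAMPLE):
        print(hit)
```

Grouping the hits by source address shows whether the small fragments come from one misbehaving router or link or from many hosts; with `min_size=0` nothing is flagged, which mirrors what setting the minimum fragment size to 0 does to the alert.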

This discussion has been closed.
