About Default Packet Handling Options

When your Firebox receives a packet, it examines the packet's source and destination IP addresses and port numbers. The device also watches traffic for patterns that indicate your network is at risk, such as address scans or flood traffic. This process is called default packet handling.

Default packet handling can:

  • Reject a packet that could be a security risk, including packets that could be part of a spoofing attack or SYN flood attack
  • Automatically block all traffic to and from an IP address
  • Add an event to the log file
  • Send an SNMP trap to the SNMP management server
  • Send a notification of possible security risks

The default packet handling options related to IPSec, IKE, ICMP, SYN, and UDP flood attacks apply to both IPv4 and IPv6 traffic. All other options apply only to IPv4 traffic.

For information about the types of attacks the Firebox can take action against, go to:

For a Firebox configured in Drop-In or Bridge mode, you can use the default-packet-handling CLI command to enable the Firebox to drop ARP spoofing attacks. This option is configurable only in the CLI and is supported in Fireware v12.2 and higher. For more information, see the Command Line Interface Reference, available on the Product Documentation page.

Configure Default Packet Handling

Most default packet handling options are enabled in the default Firebox configuration. You can change the thresholds at which the Firebox takes action. You can also change the options selected for default packet handling.

To configure default packet handling, from Fireware Web UI:

  1. Select Firewall > Default Packet Handling.
    The Default Packet Handling page opens.

Screen shot of the Default Packet Handling page

  2. Select the check boxes for the traffic patterns you want to take action against.

To configure default packet handling, from Policy Manager:

  1. Click the Default Packet Handling icon.
    Or, select Setup > Default Threat Protection > Default Packet Handling.
    The Default Packet Handling dialog box opens.

Screen shot of the Default Packet Handling dialog box

  2. Select the check boxes for the traffic patterns you want to take action against.

Set Logging and Notification Options

By default, the Firebox sends a log message each time one of the events specified in the Default Packet Handling dialog box occurs.

Log messages for these events are enabled by default and cannot be disabled:

  • IP and ARP Spoofing Attacks
  • Port and Address scans
  • IP Source Route
  • Ping of Death
  • IPSec, IKE, SYN, ICMP, UDP Flood Attacks
  • DDOS Attack Source and Destination

Log messages for these events are enabled by default and can be disabled if required:

  • Unhandled Internal and External Packet — An unhandled packet is a packet that does not match any policy rule. By default, the Firebox always denies unhandled packets and logs the occurrence.

Log messages for these events are disabled by default and can be enabled if required:

  • Incoming and Outgoing Broadcasts — By default, allowed incoming and outgoing broadcasts are not logged. Enable this option to send log messages for these allowed broadcasts. Broadcasts that are allowed include DHCP (if the Firebox device is configured as a DHCP server), DHCP Relay, and BOVPN broadcast/multicast routing. Denied broadcasts are always logged by default.

To configure an SNMP trap or notification:

  1. Click Logging.
    The Logging and Notification dialog box opens.
  2. Configure notification settings as described in Set Logging and Notification Preferences.

Dangerous Activity Logging and Notification Settings

In Fireware Web UI v12.8 and higher, you can specify logging and notification settings by Dangerous Activity type. To specify these settings, from Fireware Web UI: 

  1. Select Firewall > Default Packet Handling.
    The Default Packet Handling page opens.

Screenshot of default packet handling page

  2. Click the Logging tab.

Screenshot of default packet handling logging

  3. Select an activity from the Select Dangerous Activity drop-down list:
    • SYN flood attack
    • UDP flood attack
    • ICMP flood attack
    • IPsec flood attack
    • IKE flood attack
    • IP source route
    • DDOS source attack
    • DDOS destination attack
    • Port scan
    • IP scan
    • IP spoofing attack
  4. Set the maximum log rate for that activity.
  5. Check the Send SNMP trap check box, if desired.
  6. Check the Send notification check box, if desired. Select the type of notification you wish to receive, the launch interval, and the repeat count.
  7. Click Save.

For more information, go to About SNMP or About Notification.
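The log messages described in the two sections above (dangerous-activity events that are always logged, plus denied unhandled packets) are only useful if the collector that receives them does something with them. The following Python script is an added example, not WatchGuard code, of what a syslog collector or SIEM can do with those messages: parse them, count events per dangerous activity and per source address, list the sources that cross a per-activity threshold (the same kind of repeat-offender view the Firebox uses when it auto-blocks a site), and show how many messages a per-activity maximum log rate would have suppressed. The line layout, the activity strings, the sample addresses, and the simplified "N messages per activity per second" model of the maximum log rate are all assumptions made for this example; they are not the documented Firebox log format or its exact rate-limiting behaviour.

```python
"""Triage of Default Packet Handling log messages.

Added example; not WatchGuard code. The log layout below is an assumption
constructed for the example, not the documented Firebox syslog format.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the assumed layout:
#   <date> <time> <device> firewall: <action> <src> <dst> <proto> <in-if> <out-if> "<activity>"
# 203.0.113.5 port-scans one host (4 messages in one second, 2 in the next),
# 198.51.100.9 triggers the UDP flood detector, 192.0.2.77 sends an unhandled
# packet, and one line is deliberately malformed.
SAMPLE_LOG = [
    '2024-05-01 10:00:00 Firebox firewall: Deny 203.0.113.5 10.0.1.20 tcp 0-External 1-Trusted "port scan"',
    '2024-05-01 10:00:00 Firebox firewall: Deny 203.0.113.5 10.0.1.20 tcp 0-External 1-Trusted "port scan"',
    '2024-05-01 10:00:00 Firebox firewall: Deny 203.0.113.5 10.0.1.20 tcp 0-External 1-Trusted "port scan"',
    '2024-05-01 10:00:00 Firebox firewall: Deny 203.0.113.5 10.0.1.20 tcp 0-External 1-Trusted "port scan"',
    '2024-05-01 10:00:01 Firebox firewall: Deny 203.0.113.5 10.0.1.20 tcp 0-External 1-Trusted "port scan"',
    '2024-05-01 10:00:01 Firebox firewall: Deny 203.0.113.5 10.0.1.20 tcp 0-External 1-Trusted "port scan"',
    '2024-05-01 10:00:01 Firebox firewall: Deny 198.51.100.9 10.0.1.20 udp 0-External 1-Trusted "udp flood attack"',
    '2024-05-01 10:00:01 Firebox firewall: Deny 198.51.100.9 10.0.1.20 udp 0-External 1-Trusted "udp flood attack"',
    '2024-05-01 10:00:02 Firebox firewall: Deny 192.0.2.77 10.0.1.20 tcp 0-External 1-Trusted "unhandled external packet"',
    'this line is not a firewall message at all',
]

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ firewall: '
    r'(?P<action>Allow|Deny) (?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+) '
    r'(?P<in_if>\S+) (?P<out_if>\S+) "(?P<activity>[^"]+)"$'
)

# The activities the Logging tab lets you configure individually (lower-cased).
DANGEROUS_ACTIVITIES = {
    "syn flood attack", "udp flood attack", "icmp flood attack",
    "ipsec flood attack", "ike flood attack", "ip source route",
    "ddos source attack", "ddos destination attack",
    "port scan", "ip scan", "ip spoofing attack",
}


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["activity"] = rec["activity"].lower()
    return rec


def parse_log(lines):
    """Parse every line, silently skipping lines that do not match the layout."""
    return [rec for rec in (parse_line(ln) for ln in lines) if rec is not None]


def count_by_activity_and_source(records):
    """{activity: Counter({src: n})} over all parsed records."""
    counts = defaultdict(Counter)
    for rec in records:
        counts[rec["activity"]][rec["src"]] += 1
    return counts


def block_candidates(records, threshold):
    """Sources that produced at least `threshold` messages for one dangerous
    activity, as sorted (activity, src, count) tuples. Unhandled-packet and
    broadcast messages are ignored: one stray packet is not an attack."""
    counts = count_by_activity_and_source(records)
    found = []
    for activity, sources in counts.items():
        if activity not in DANGEROUS_ACTIVITIES:
            continue
        for src, n in sources.items():
            if n >= threshold:
                found.append((activity, src, n))
    return sorted(found)


def apply_max_log_rate(records, max_per_second):
    """Simplified model of a per-activity maximum log rate (an assumption for
    this example): keep at most `max_per_second` messages of each activity in
    any one wall-clock second. Returns (kept_records, dropped_count)."""
    kept, dropped = [], 0
    seen = Counter()
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = (rec["activity"], rec["ts"].replace(microsecond=0))
        if seen[key] < max_per_second:
            seen[key] += 1
            kept.append(rec)
        else:
            dropped += 1
    return kept, dropped


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"parsed {len(recs)} of {len(SAMPLE_LOG)} lines")
    for activity, src, n in block_candidates(recs, threshold=3):
        print(f"candidate for blocking: {src} ({activity}, {n} messages)")
    kept, dropped = apply_max_log_rate(recs, max_per_second=2)
    print(f"max log rate 2/s would keep {len(kept)} messages and drop {dropped}")
```

Run as-is, the script reports 203.0.113.5 as a blocking candidate for the port scan and shows that a maximum log rate of two messages per second would drop two of the four port-scan messages logged in the same second; the single unhandled packet from 192.0.2.77 is counted but never proposed for blocking. In a real deployment, replace SAMPLE_LOG with lines read from your syslog collector and adjust LINE_RE to the message format your Firebox actually emits.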

Related Topics

About Blocked Sites

About Blocked Ports