Manny,

A couple of thoughts, not necessarily in order of applicability:

1) Change the timeout values for idle connections for conn (connection slot) from 1 hr to 5-10 min and change the xlate timeout from 3 hrs to 5-10 minutes. These are idle timeouts and will probably work for most environments unless you have a lot of low-traffic, long-timeout connections. (Uses the 'timeout' command.)

2) Enable aaa authorization for at least ftp and http. Force users to authenticate before using those services.

3) Log PIX messages to a syslog server, monitor it for xlate problems with something like logsurfer.

4) Install an IDS system and monitor for failed FTP logins.

Obviously, these are not mutually exclusive.

HTH,
Kent

On Tue, 2003-03-11 at 16:04, Manny wrote:
> I ran into a situation today where we had a machine that was trying to FTP
> through the firewall. We allow FTP outbound. The problem that came up was
> that the user had no idea that an FTP client was setup on his machine. The
> FTP client (spyware) kept trying to connect to a server (ispynow.com) using
> the incorrect user name and password. For every attempt an xlate entry was
> created. It created about 7000 entries in a matter of minutes. The firewall
> was paralyzed. I had to console in and look at the xlate table. Even through
> the console I had a hard time viewing the table. Is there any way to prevent
> this from happening again? This is the second time this year an incident of
> this nature with the xlate table has occurred. How can I monitor the xlate
> table for strange behavior?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65180&t=65095
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
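Kent's point 3 (ship PIX syslog to a collector and watch it for xlate trouble) boils down to counting how many translations a single inside host builds per minute. The script below is an added example, not code from the thread or from logsurfer; it assumes the PIX `%PIX-6-305011` "Built dynamic ... translation" message format, the sample log lines and hosts are constructed, and the threshold is sized for the sample rather than for a production firewall.

```python
import re
from collections import Counter

# Constructed sample PIX syslog lines (not from the original thread). The
# %PIX-6-305011 message is what the PIX emits when it adds an xlate entry;
# 305012 is the matching teardown. Hosts, ports and times are made up.
SAMPLE_LOG = """\
Mar 11 16:01:02 pix %PIX-6-305011: Built dynamic TCP translation from inside:10.1.1.50/1025 to outside:192.0.2.10/1025
Mar 11 16:01:02 pix %PIX-6-305011: Built dynamic TCP translation from inside:10.1.1.50/1026 to outside:192.0.2.10/1026
Mar 11 16:01:03 pix %PIX-6-305011: Built dynamic TCP translation from inside:10.1.1.50/1027 to outside:192.0.2.10/1027
Mar 11 16:01:03 pix %PIX-6-305011: Built dynamic TCP translation from inside:10.1.1.50/1028 to outside:192.0.2.10/1028
Mar 11 16:01:09 pix %PIX-6-305011: Built dynamic TCP translation from inside:10.1.1.77/1031 to outside:192.0.2.10/1031
Mar 11 16:02:15 pix %PIX-6-305012: Teardown dynamic TCP translation from inside:10.1.1.77/1031 to outside:192.0.2.10/1031
"""

# Captures the timestamp down to the minute and the inside host that caused
# the translation to be built. Only "Built" (305011) lines count; teardowns
# (305012) shrink the table rather than grow it, so they are ignored.
XLATE_BUILT = re.compile(
    r"^(?P<minute>\w{3}\s+\d+ \d\d:\d\d):\d\d .*%PIX-\d-305011: Built dynamic \w+ translation"
    r" from \w+:(?P<src>\d+\.\d+\.\d+\.\d+)/\d+"
)


def count_xlates_per_minute(log_text):
    """Return a Counter keyed by (clock minute, inside IP) of xlates built."""
    counts = Counter()
    for line in log_text.splitlines():
        m = XLATE_BUILT.match(line)
        if m:
            counts[(m.group("minute"), m.group("src"))] += 1
    return counts


def xlate_bursts(log_text, threshold):
    """Return sorted (minute, inside IP, count) triples where one inside host
    built at least `threshold` xlates within a single clock minute. A looping
    FTP client that retries a bad login produces exactly this pattern."""
    counts = count_xlates_per_minute(log_text)
    return sorted((minute, ip, n) for (minute, ip), n in counts.items() if n >= threshold)


if __name__ == "__main__":
    # Threshold of 3 suits the sample; a real PIX would use a much larger value.
    for minute, ip, n in xlate_bursts(SAMPLE_LOG, threshold=3):
        print(f"ALERT {minute} {ip} built {n} xlates in one minute")
```

Fed a live syslog stream instead of `SAMPLE_LOG`, the same counter flags the offending inside host while the table is still far short of the 7000 entries Manny saw.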