Currently we are running two Nokia IP560s w/ 2GB RAM, IPSO 4.1 B022, w/ R61 HFA01. They are configured for VRRP using simplified mode: one VRID for all three monitored interfaces (DMZ, Public, Secure). The priority is the same on both boxes so that whichever becomes master stays master, to avoid flip-flops.

Since implementing VRRP we have noticed that every once in a while, the backup will become master. A day or two later, it will flip back. I have noticed that it happens at exactly the same time as we're getting some cracker trying to do a service scan of our publicly addressable IPs. They've done it with IMAP, and MS-SQL. The packets get "dropped", but we're talking about 8000 to 9000 attempted connections in a span of 7 seconds. The next thing you know (actually 3 seconds after the last packet from the master fw), the logs indicate that there was a failover. No connections are dropped, and it seems like the traffic would keep flowing.

Has anyone experienced the same thing?
Our default max connections is unchanged (at 25,000). Should that be increased? When the firewall was standalone, I am sure the same thing happened, but there was no noticeable "slowness" of traffic. Is there a simple solution to this other than plopping an IPS in front of the FWs? SmartDefense has a rule to detect this, which is not enabled because it doesn't do anything with the cracker other than let us know that the person is actually doing the service scan.

For now, we have taken a large chunk of our publicly addressable space which is not at all used, and blackholed it at the internet routers.

Thanks in advance!
-Elmo
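To test the correlation described above (a burst of thousands of dropped connection attempts from one source, then a VRRP transition to master a few seconds later) systematically rather than by eye, here is an added example that is not part of the original post and is not Check Point or Nokia code. It assumes a simplified, constructed log line format ("TIMESTAMP kind key=value ..."), generates a constructed sample resembling the scan described (about 8,500 drops in 7 seconds, then a VRRP event 3 seconds later), and applies a per-source sliding-window count to find scan bursts before pairing them with any failover that followed within a configurable gap. The threshold and window values are hypothetical tunables.

```python
"""Detect a service-scan burst in firewall drop logs and check whether a VRRP
state change followed it within a few seconds.

Added example, not code from the original post or from Check Point/Nokia.
Assumptions: the line format is a simplified, constructed one (real FW-1
exports differ); thresholds are hypothetical tunables.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"


def build_sample_log(attempts=8500, duration=7.0, gap_before_failover=3.0):
    """Constructed sample: one scanner sweeping port 143 across a /24 at
    roughly 1200 attempts/s, some benign traffic, then a VRRP transition."""
    t0 = datetime(2007, 3, 5, 14, 2, 0)
    lines = []
    step = duration / attempts
    for i in range(attempts):
        ts = t0 + timedelta(seconds=i * step)
        lines.append(f"{ts.strftime(TS_FMT)} drop src=203.0.113.7 "
                     f"dst=198.51.100.{(i % 254) + 1} proto=tcp dport=143")
    last_drop = t0 + timedelta(seconds=(attempts - 1) * step)
    for i in range(5):  # benign accepts from a different host, interleaved
        ts = t0 + timedelta(seconds=i * 1.3)
        lines.append(f"{ts.strftime(TS_FMT)} accept src=192.0.2.10 "
                     f"dst=198.51.100.25 proto=tcp dport=443")
    vrrp_ts = last_drop + timedelta(seconds=gap_before_failover)
    lines.append(f"{vrrp_ts.strftime(TS_FMT)} vrrp vrid=1 state=backup->master")
    return lines


def parse_log(lines):
    """Turn 'TIMESTAMP kind k=v k=v ...' lines into event dicts, sorted by time."""
    events = []
    for line in lines:
        parts = line.split()
        ev = {"ts": datetime.strptime(f"{parts[0]} {parts[1]}", TS_FMT),
              "kind": parts[2]}
        for kv in parts[3:]:
            k, v = kv.split("=", 1)
            ev[k] = v
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_scan_bursts(events, window=timedelta(seconds=7), threshold=1000):
    """Per source, find runs of dropped connections in which some span of
    length 'window' holds at least 'threshold' attempts (sliding window)."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "drop":
            by_src[e["src"]].append(e)
    bursts = []
    for src, evs in by_src.items():
        left, current = 0, None
        for right, e in enumerate(evs):
            while e["ts"] - evs[left]["ts"] > window:
                left += 1
            if right - left + 1 < threshold:
                continue
            # Open a new burst, or extend the current one if the gap is small.
            if current is None or e["ts"] - current["end"] > window:
                current = {"src": src, "start": evs[left]["ts"], "end": e["ts"]}
                bursts.append(current)
            current["end"] = e["ts"]
        for b in bursts:
            if b["src"] != src:
                continue
            members = [x for x in evs if b["start"] <= x["ts"] <= b["end"]]
            b["count"] = len(members)
            b["ports"] = sorted({x.get("dport") for x in members})
            b["targets"] = len({x.get("dst") for x in members})
    return bursts


def correlate_failovers(events, bursts, max_gap=timedelta(seconds=10)):
    """Pair each VRRP transition to master with bursts that ended at most
    'max_gap' before it; the gap in seconds is what you compare across incidents."""
    hits = []
    for e in events:
        if e["kind"] != "vrrp" or not e.get("state", "").endswith("master"):
            continue
        for b in bursts:
            gap = e["ts"] - b["end"]
            if timedelta(0) <= gap <= max_gap:
                hits.append({"failover": e["ts"], "src": b["src"],
                             "gap_s": round(gap.total_seconds(), 3),
                             "burst_count": b["count"]})
    return hits


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    bursts = detect_scan_bursts(evs)
    for h in correlate_failovers(evs, bursts):
        print(f"{h['src']} sent {h['burst_count']} dropped attempts; "
              f"VRRP went master {h['gap_s']}s after the last one")
```

On the constructed sample this reports one burst from 203.0.113.7 (8,500 drops, one port, 254 targets) and a failover 3.0 s after its last packet. Run over real exported logs, a consistently small gap across several incidents supports the scan-triggers-failover hypothesis; a gap that varies widely, or failovers with no preceding burst, points elsewhere.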