Understanding the firewall events generated in Deep Security

Updated: 20 May 2016

Product/Version:
    • Deep Security 8.0
    • Deep Security 9.0
    • Deep Security 9.5
    • Deep Security 9.6

Platform:
    • Linux - Red Hat RHEL 4 32-bit
    • Linux - Red Hat RHEL 5 32-bit
    • Unix - Solaris (Sun) version 10 (SunOS 5.10)
    • Windows 2003 Enterprise
    • Windows 2008 Enterprise
    • Windows 2008 Standard
    • Windows 7 64-bit
    • Windows XP Professional
Summary

Learn the meaning of the firewall events generated by Deep Security.

Details

Here are several Deep Security firewall events and their meaning:

Event: CE Flags
Details: The CWR or ECE flags were set and the stateful configuration specified that these packets should be denied.
Recommended action: This event appears when the option Enable Stateful Inspection > TCP > Deny TCP packets containing CWR, ECE flags is enabled. To stop the event, disable this option.

Event: Dropped Retransmit
Details: The network engine detected a TCP retransmission whose content differs from what was sent initially. The note field of the log carries one of four labels: prev-full, prev-part, next-full and next-part, set according to where the changed content lies in the TCP stream.

The engine detects this by comparing the packet data queued in its connection buffer with the retransmitted packet. If the changed area lies in the closest queued packet, the label is "prev-full" when that queued packet contains all of the corresponding data in the retransmitted packet, and "prev-part" otherwise.

Sometimes the change is not in the closest packet but in a following one. The label is then "next-full" when the retransmitted packet contains all of the corresponding data in that queued packet, and "next-part" otherwise.
Recommended action: This event can be avoided by creating firewall bypass rules.

Event: First Fragment Too Small
Details: A fragmented packet was encountered and the size of the fragment is less than the size of a TCP packet (no data).
Recommended action: A packet is dropped as "First fragment too small" when it has all of the following:
  • MF flag = 1
  • Offset value = 0
  • Total length (maximum combined header length) less than 120 bytes
Update the Minimum Fragment Size in the Network Engine settings to a lower value, or to "0" to turn off this inspection.

Event: Fragment Offset Too Small
Details: The offset(s) specified in a fragmented packet sequence is/are less than the size of a valid datagram.
Recommended action: Update the Minimum Fragment Offset in the Network Engine settings to a lower value, or to "0" to turn off this inspection.

Event: Fragment Out Of Bounds
Details: The offset(s) specified in a fragmented packet sequence is/are outside the range of the maximum size of a datagram.
Recommended action: N/A

Event: Fragmented
Details: A fragmented packet was encountered while the Deny fragmented packets option is enabled.
Recommended action: N/A

Event: Internal Driver Error
Details: Insufficient resources.
Recommended action: Add more system resources to fix this issue.

Event: Internal States Error
Details: Internal TCP stateful error.
Recommended action: Internal TCP stateful error. It can be disabled in the stateful configuration under TCP by clearing Enable TCP stateful inspection.

Event: Invalid ACK
Details: A packet with an invalid acknowledgement number was encountered.
Recommended action: Verify the Acknowledgment number in the TCP header.

Event: Invalid Adapter Configuration
Details: An invalid adapter configuration has been received.
Recommended action: Reconfigure the adapter settings.

Event: Invalid Data Offset
Details: Invalid data offset parameter.
Recommended action: Check the data offset parameter in a network capture, case by case.

Event: Invalid Flags
Details: Flag(s) set in the packet is/are invalid. This could be due to a flag that does not make sense within the context of the current connection (if any), or due to a nonsensical combination of flags. (Stateful Configuration must be set to "ON" for connection context to be assessed.)
Recommended action: This event can be raised for multiple reasons; check case by case.

Event: Invalid IP
Details: The source IP of the packet is not valid.
Recommended action: To allow such packets, change Allow Null IP in the Network Engine settings to Yes.

Event: Invalid IP Datagram Length
Details: The length of the IP datagram is less than the length specified in the IP header.
Recommended action: N/A

Event: Invalid Port Command
Details: An invalid FTP PORT command was encountered in the FTP control channel data stream.
Recommended action: Capture the traffic for detailed analysis.

Event: Invalid Sequence
Details: A packet with an invalid sequence number or out-of-window data size was encountered.
Recommended action: Capture the traffic for detailed analysis.

Event: Invalid IP Header Length
Details: An invalid IP header length (< 5*4 = 20 bytes) is set in the IP header.
Recommended action: N/A

Event: IP Version Unknown
Details: An IP packet other than IPv4 or IPv6 was encountered.
Recommended action: Capture the traffic for detailed analysis, or ignore this event.

Event: IPv6 Packet
Details: An IPv6 packet was encountered and IPv6 blocking is enabled.
Recommended action: Change "Block IPv6 on Agents and Appliances versions 9 and later" to No to allow IPv6. For older versions IPv6 is not supported, but the customer can still change the setting to allow it.

Event: Max Incoming Connections
Details: The number of incoming connections exceeded the maximum number of connections allowed.
Recommended action: In Firewall > Firewall Stateful Configurations, click Edit, then in the TCP tab increase the incoming connection number.

Event: Max Outgoing Connections
Details: The number of outgoing connections exceeded the maximum number of connections allowed.
Recommended action: In Firewall > Firewall Stateful Configurations, click Edit, then in the TCP tab increase the outgoing connection number.

Event: Max SYN Sent
Details: The number of half-open connections from a single computer exceeded the number specified in the stateful configuration.
Recommended action: This event can be ignored if there is no impact on the server's service. The customer can increase the threshold: in Firewall > Firewall Stateful Configurations, click Edit, then in the TCP tab increase the half-open connection number. Do not make it too large, otherwise the server will be vulnerable to a DoS attack.

Event: Maximum ACK Retransmit
Details: This retransmitted ACK packet exceeded the ACK storm protection threshold.
Recommended action: It is possible that some host is attacking the server. Check the event source to verify whether it is legitimate. If it is legitimate, the customer can raise the threshold: in Firewall > Firewall Stateful Configurations, click Edit, then in the TCP tab increase the number for ACK storm protection.

Event: Out Of Allowed Policy
Details: The packet did not meet any of the Allow or Force Allow rules and so was implicitly denied.
Recommended action: This event can be ignored.

Event: Out Of Connection
Details: A packet was received that was not associated with an existing connection.
Recommended action: If the session is still established but the engine has already flushed it out of its state table, the reason shown in the firewall events when the packet is dropped is Out Of Connection.

Event: Overlapping Fragment
Details: This packet fragment overlaps a previously sent fragment.
Recommended action: N/A

Event: Packet on Closed Connection
Details: A packet belonging to a connection that was already closed was received.
Recommended action: Packets are still being received although the connection was closed. This event can be set to ignored status.

Event: Same Source and Destination IP
Details: Source and destination IPs were identical.
Recommended action: "Same Source and Destination IP" means the packet has the same source and destination IP address. It cannot be fixed by bypass rules.

Event: SYN Cookie Error
Details: The SYN cookies protection mechanism encountered an error.
Recommended action: This event can be ignored.

Event: Unknown IP Version
Details: Unrecognized IP version.
Recommended action: This event cannot be fixed by bypass rules, since the IP version cannot be identified.

Event: Unreadable Ethernet Header
Details: The data contained in this Ethernet frame is smaller than the Ethernet header.
Recommended action: This event can be ignored.

Event: Unreadable IPv4 Header
Details: The packet contains an unreadable IPv4 header.
Recommended action: The customer should first ensure that the network is carrying readable IPv4 traffic.

Event: Unreadable Protocol Header
Details: The packet contains an unreadable TCP, UDP or ICMP header.
Recommended action: Capture the traffic for analysis, or ignore this event.

Event: Unsolicited ICMP
Details: Stateful ICMP inspection has been enabled (in the stateful configuration) and an unsolicited packet that does not match any Force Allow rule was received.
Recommended action: To disable this event, adjust the stateful configuration under ICMP: clear Enable stateful ICMP inspection.

Event: Unsolicited UDP
Details: Incoming UDP packets that were not solicited by the computer are rejected.
Recommended action: To disable this event, adjust the stateful configuration under UDP: clear Enable stateful UDP inspection.

Event: Null IP
Details: A NULL (0.0.0.0) IP is not allowed by the present firewall configuration.
Recommended action: N/A
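Several of the events above are decided from fields of the IPv4 header alone (header length, total length, fragment flag and offset, source and destination address). The following Python script is an added example, not Deep Security's code, that parses constructed IPv4 packets and reports which of those event names each one would trigger. The 120-byte First Fragment Too Small limit is the one the article gives; the MIN_FRAGMENT_OFFSET value is an assumption, as the page does not state the engine's default, and the Fragment Out Of Bounds rule is implemented as "fragment offset plus payload would extend past 65535 bytes".

```python
import ipaddress
import struct
from typing import List, Optional

# Thresholds. 120 bytes is the First Fragment Too Small limit the article gives;
# MIN_FRAGMENT_OFFSET is an assumed value (the page does not state the default).
MIN_FRAGMENT_SIZE = 120
MIN_FRAGMENT_OFFSET = 60
MAX_DATAGRAM = 65535
MF_FLAG = 0x2000  # "more fragments" bit in the flags/fragment-offset field


def build_ipv4(src: str, dst: str, payload: bytes = b"", *, ihl: int = 5,
               version: int = 4, more_fragments: bool = False,
               frag_offset: int = 0, total_length: Optional[int] = None) -> bytes:
    """Constructed IPv4 packet (checksum left at zero) for feeding the classifier."""
    header_bytes = 20 + max(ihl - 5, 0) * 4        # an IHL below 5 still emits 20 bytes
    if total_length is None:
        total_length = header_bytes + len(payload)
    flags_frag = (MF_FLAG if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s",
                         (version << 4) | ihl, 0, total_length, 0x1234,
                         flags_frag, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    header += b"\x00" * (header_bytes - 20)        # zero-filled options if IHL > 5
    return header + payload


def classify_ipv4(packet: bytes) -> List[str]:
    """Return the firewall event names this packet would trigger (empty list if none)."""
    if not packet:
        return ["Unreadable IPv4 Header"]
    version = packet[0] >> 4
    if version == 6:
        return ["IPv6 Packet"]                      # raised only when IPv6 blocking is on
    if version != 4:
        return ["IP Version Unknown"]
    if len(packet) < 20:
        return ["Unreadable IPv4 Header"]

    events: List[str] = []
    ihl = packet[0] & 0x0F
    if ihl < 5:                                     # header must be at least 5*4 = 20 bytes
        events.append("Invalid IP Header Length")
    (total_length,) = struct.unpack("!H", packet[2:4])
    if len(packet) < total_length:                  # datagram shorter than its header claims
        events.append("Invalid IP Datagram Length")

    (flags_frag,) = struct.unpack("!H", packet[6:8])
    more_fragments = bool(flags_frag & MF_FLAG)
    offset = (flags_frag & 0x1FFF) * 8              # offset field counts 8-byte units
    src, dst = packet[12:16], packet[16:20]

    if src == b"\x00\x00\x00\x00":
        events.append("Null IP")
    if src == dst:
        events.append("Same Source and Destination IP")
    if more_fragments and offset == 0 and total_length < MIN_FRAGMENT_SIZE:
        events.append("First Fragment Too Small")
    if 0 < offset < MIN_FRAGMENT_OFFSET:
        events.append("Fragment Offset Too Small")
    data_len = max(total_length - ihl * 4, 0)
    if offset + data_len > MAX_DATAGRAM:            # would land past the largest datagram
        events.append("Fragment Out Of Bounds")
    return events


if __name__ == "__main__":
    samples = {
        "normal": build_ipv4("10.0.0.1", "10.0.0.2", b"x" * 40),
        "tiny first fragment": build_ipv4("10.0.0.1", "10.0.0.2", b"a" * 16, more_fragments=True),
        "null source": build_ipv4("0.0.0.0", "10.0.0.2", b"x" * 40),
        "offset past end": build_ipv4("10.0.0.1", "10.0.0.2", b"x" * 40, frag_offset=8190),
        "bad version": build_ipv4("10.0.0.1", "10.0.0.2", b"x" * 40, version=7),
    }
    for name, pkt in samples.items():
        print(f"{name:>20}: {classify_ipv4(pkt) or 'no event'}")
```

When reading real events, remember that the thresholds are tunable: lowering Minimum Fragment Size or Minimum Fragment Offset (or setting them to 0) silences the two fragment events in the same way the constants above would.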
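The Dropped Retransmit entry describes how the note labels prev-full, prev-part, next-full and next-part are chosen. The Python function below is an added example, not the network engine's implementation, that applies that description to a small constructed TCP reassembly buffer: it compares a retransmitted segment byte-for-byte against the queued segments it overlaps and returns None for an ordinary retransmit or the label a changed one would carry. Treating the "closest" queued packet as the one holding the retransmit's first sequence number is an assumption; the article does not define the term.

```python
from typing import List, Optional, Tuple

# A queued TCP segment: (sequence number of its first byte, payload bytes).
Segment = Tuple[int, bytes]


def classify_retransmit(queued: List[Segment], retrans: Segment) -> Optional[str]:
    """Compare a retransmitted segment with the bytes already queued for the connection.

    Returns None when every overlapping byte matches (an ordinary retransmit), or
    the note label a Dropped Retransmit event would carry. "Closest" is taken to be
    the queued segment holding the retransmit's first byte (an assumption).
    """
    seq, data = retrans
    end = seq + len(data)
    for qseq, qdata in sorted(queued):
        qend = qseq + len(qdata)
        lo, hi = max(seq, qseq), min(end, qend)
        if lo >= hi:
            continue                                   # no overlap with this segment
        if data[lo - seq:hi - seq] == qdata[lo - qseq:hi - qseq]:
            continue                                   # same bytes as before: benign
        if qseq <= seq < qend:                         # change lies in the closest segment
            # prev-full: the queued segment holds all of the retransmit's data
            return "prev-full" if end <= qend else "prev-part"
        # change lies in a following segment
        # next-full: the retransmit holds all of that queued segment's data
        return "next-full" if seq <= qseq and qend <= end else "next-part"
    return None


# Constructed reassembly buffer: one HTTP request line split across two segments.
QUEUED: List[Segment] = [(1000, b"GET /index.html"), (1015, b" HTTP/1.1\r\n")]

if __name__ == "__main__":
    for label, seg in [
        ("identical resend", (1000, b"GET /index.html")),
        ("path swapped", (1000, b"GET /admin.html")),
        ("straddles, changed early", (1010, b"XXXXX HTTP/1.1\r\n")),
        ("changed in later segment", (1011, b"html HTTP/1.0\r\n")),
    ]:
        print(f"{label:>26}: {classify_retransmit(QUEUED, seg)}")
```

A retransmission whose bytes differ from the copy already accepted is exactly the case where an endpoint and an inspecting device could see different data, which is why the engine drops it rather than guessing which copy the receiver will honour; a bypass rule, as the article notes, removes that inspection for the matched traffic.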
Category: Troubleshoot
Solution Id: 1060429