Views:

Here are the different firewall events and their meaning:

Event	Details	Recommended Action
CE Flags	The CWR or ECE flags were set and the stateful configuration specified that these packets should be denied.	This warning appears when you enable the option in Deep Security Enable Stateful Inspection > TCP > Deny TCP packets containing CWR, ECE flags. If the customer wants to remove the error, disable this option.
Dropped Retransmit	This status means the network engine detected a TCP transmission which content is different from what it sends initially. There are different types of the log in the note field: prev-full, prev-part, next-full and next-part. These are set based on the location of the changed content in the TCP stream. The network engine checks it by comparing the packet data we queued in engine’s connection buffer to the one re-transmitted. If the changed area is located in the closest queued packet, it will be "prev-full" or "prev-part". We set it as "prev-full" if this queued packet contains all the corresponding data in the re-transmitted packet. Otherwise, it is "prev-part". Sometimes, the change occurs not in the closest packets but following ones. We set it as “next-full” if the the-transmitted packet contains all of the corresponding data in this queued packet. Otherwise, it is “next-part"	This alert can be avoided by creating firewall bypass rules.
First Fragment Too Small	A fragmented packet was encountered and the size of the fragment is less than the size of a TCP packet (no data).	"First fragment too small" is a packet which is dropped when it has the following configuration: MF flag = 1 Offset value = 0 Total length (maximum combined header length) = less than 120 bytes. Update the Minimum Fragment size in Network engine to a lower value or "0" to turn off this inspection.
Fragment Offset Too Small	The offset(s) specified in a fragmented packet sequence is/are less than the size of a valid datagram.	Update the Minimum Fragment offset in Network engine to a lower value or "0" to turn off this inspection.
Fragment Out Of Bounds	The offset(s) specified in a fragmented packet sequence is/are outside the range of the maximum size of a datagram.	N/A
Fragmented	A fragmented packet was encountered with deny fragmented packets disallowed enabled.	N/A
Internal Driver Error	Insufficient resources.	Add more system resources to fix this issue.
Internal States Error	Internal TCP stateful error.	Internal TCP stateful error, can be disabled by TCP - unclick Enable TCP stateful inspection.
Invalid ACK	A packet with an invalid acknowledgement number was encountered.	Verify the Acknowledgment number of the TCP header.
Invalid Adapter Configuration	An invalid adapter configuration has been received.	Reconfigure the adapter settings.
Invalid Data Offset	Invalid data offset parameter	Check the data offset parameter in network capture case by case.
Invalid Flags	Flag(s) set in packet is/are invalid. This could be due to a flag that does not make sense within the context of a current connection (if any), or due to a nonsensical combination of flags. (Stateful Configuration must be set to “ON” for connection context to be assessed.)	This alert can be raised with multiple reasons, check case by case.
Invalid IP	The source IP of the packet is not valid.	To allow such packets, customer can change Allow Null IP in Network Engine setting in Deep Security to Yes.
Invalid IP Datagram Length	The length of the IP datagram is less than the length specified in the IP header.	N/A
Invalid Port Command	An invalid FTP port command was encountered in the FTP control channel data stream.	Capture the traffic for detailed analysis.
Invalid Sequence	A packet with an invalid sequence number or out-of-window data size was encountered.	Capture the traffic for detailed analysis.
Invalid IP Header Length	An invalid IP header length (< 5*4 = 20) is set in the IP header.	N/A
IP Version Unknown	An IP packet other than IPv4 or IPv6 was encountered.	Capture the traffic for detailed analysis or ignore this alert.
IPv6 Packet	An IPv6 Packet was encountered, and IPv6 blocking is enabled.	Change "Block IPv6 on Agents and Appliances versions 9 and later" in Deep Security to No to allow IPv6. For older version, IPv6 is not supported, but customer still can change to allow.
Max Incoming Connections	The number of incoming connections exceeded the maximum number of connections allowed.	In Deep Security Firewall > Firewall Stateful Configurations, click Edit, then in TCP tab, increase the incoming connection number.
Max Outgoing Connections	The number of outgoing connections exceeded the maximum number of connections allowed.	In Deep Security Firewall > Firewall Stateful Configurations, click Edit, then in TCP tab, increase the incoming connection number.
Max SYN Sent	The number of half open connections from a single computer exceeded that of the specified in the stateful configuration.	This event can be ignored if there is no impact to server's service. Customer can increase the threshold. In Deep Security Firewall > Firewall Stateful Configurations, click Edit, then in TCP tab, increase the incoming connection number. But do not make it too large, otherwise the server will be vulnerable to DoS attack.
Maximum ACK Retransmit	This retransmitted ACK packet exceeded the ACK storm protection threshold.	It is possible that some host is attacking the server. Check the event source to verify if it is legimate. If it is legimate, customer can enlarge the threshold. In Deep Security Firewall > Firewall Stateful Configurations, click Edit, then in TCP tab, increase the number for ACK storm protection.
No IP Header	The Ethernet header declares the packet as an IP, but the packet is too small to be considered. In some scenarios, the event is triggered is because the IPv4 header is null or the IPv6 header is missing from the whole packet.	If the traffic is safe, create a firewall bypass rule for such traffic. If not, let the packet be dropped as it is malicious.
Out Of Allowed Policy	The packet did not meet any of the Allow or Force Allow rules and so was implicitly denied.	If the traffic blocked is supposed to be allowed, use these events to ensure proper firewall rules are created to allow the traffic through.
Out Of Connection	A packet was received that was not associated with an existing connection.	If the session is still established but we have already flushed it out of our state table, the reason in FW events would be Out of Connection when it drops the packet.
Overlapping Fragment	This packet fragment overlaps a previously sent fragment.	N/A
Packet on Closed Connection	A packet belonging to a connection that was already closed was received.	It means still receiving packet although the connection was closed. It can be set in ignored status.
Same Source and Destination IP	Source and destination IPs were identical.	“Same Source and Destination IP” means the packet has the same source and destination IP address. It cannot be fixed by bypass rules.
SYN Cookie Error	The SYN cookies protection mechanism encountered an error.	N/A
Unknown IP Version	Unrecognized IP version	This alert cannot be fixed by bypass rules, while the IP version cannot be identified.
Unreadable Ethernet Header	Data contained in this Ethernet frame is smaller than the Ethernet header.	N/A
Unreadable IPv4 Header	The packet contains an unreadable IPv4 header.	Customer should first ensure that the network using readable IPV4 traffic.
Unreadable Protocol Header	The packet contains an unreadable TCP, UDP or ICMP header.	Capture the traffic for analysis or ignore this error.
Unsolicited ICMP	ICMP stateful has been enabled (in stateful configuration) and an unsolicited packet that does not match any Force Allow rules was received.	To disable this alert, you need to adjust the stateful configuation: ICMP > Click Enable stateful ICMP inspection in Deep Security.
Unsolicited UDP	Incoming UDP packets that were not solicited by the computer are rejected.	To disable this alert, you need to adjust the stateful configuation: UDP > Click Enable stateful UDP inspection in Deep Security.
Null IP	A NULL (0.0.0.0) IP is not allowed by the present firewall configuration.	N/A

Apex One Vulnerability Protection customers can configure the engine to ignore status codes in the event of false positives. Perform the following:

Log in to Apex Central / Apex One as a Service.
Go to Policy > Policy Management.
Select the associated policy.
Go to Vulnerability Protection Settings.
Click Network Engine Settings.
Select the detection in Ignore Status Code.
Click Deploy.

Keywords: firewall events,invalid ack,out of allowed,deep security events,fragmented packet,statefull inspection icmp

Understanding firewall events generated in Deep Security and Apex One Vulnerability Protection

Product / Version includes:

Deep Security11.1 , Deep Security11.2 , Deep Security20.0 , Deep Security11.0 , Deep Security10.2 , Deep Security10.1 , Deep Security10.0 , Deep Security12.0 , Deep SecurityAll , Deep Security10.3

Last updated: 2024/04/01

Solution ID: KA-0002750

Category: Troubleshoot

Summary

Learn the meaning of the firewall events generated by Deep Security and Apex One Vulnerability Protection.

Here are the different firewall events and their meaning:

Event	Details	Recommended Action
CE Flags	The CWR or ECE flags were set and the stateful configuration specified that these packets should be denied.	This warning appears when you enable the option in Deep Security Enable Stateful Inspection > TCP > Deny TCP packets containing CWR, ECE flags. If the customer wants to remove the error, disable this option.
Dropped Retransmit	This status means the network engine detected a TCP transmission which content is different from what it sends initially. There are different types of the log in the note field: prev-full, prev-part, next-full and next-part. These are set based on the location of the changed content in the TCP stream. The network engine checks it by comparing the packet data we queued in engine’s connection buffer to the one re-transmitted. If the changed area is located in the closest queued packet, it will be "prev-full" or "prev-part". We set it as "prev-full" if this queued packet contains all the corresponding data in the re-transmitted packet. Otherwise, it is "prev-part". Sometimes, the change occurs not in the closest packets but following ones. We set it as “next-full” if the the-transmitted packet contains all of the corresponding data in this queued packet. Otherwise, it is “next-part"	This alert can be avoided by creating firewall bypass rules.
First Fragment Too Small	A fragmented packet was encountered and the size of the fragment is less than the size of a TCP packet (no data).	"First fragment too small" is a packet which is dropped when it has the following configuration: MF flag = 1 Offset value = 0 Total length (maximum combined header length) = less than 120 bytes. Update the Minimum Fragment size in Network engine to a lower value or "0" to turn off this inspection.
Fragment Offset Too Small	The offset(s) specified in a fragmented packet sequence is/are less than the size of a valid datagram.	Update the Minimum Fragment offset in Network engine to a lower value or "0" to turn off this inspection.
Fragment Out Of Bounds	The offset(s) specified in a fragmented packet sequence is/are outside the range of the maximum size of a datagram.	N/A
Fragmented	A fragmented packet was encountered with deny fragmented packets disallowed enabled.	N/A
Internal Driver Error	Insufficient resources.	Add more system resources to fix this issue.
Internal States Error	Internal TCP stateful error.	Internal TCP stateful error, can be disabled by TCP - unclick Enable TCP stateful inspection.
Invalid ACK	A packet with an invalid acknowledgement number was encountered.	Verify the Acknowledgment number of the TCP header.
Invalid Adapter Configuration	An invalid adapter configuration has been received.	Reconfigure the adapter settings.
Invalid Data Offset	Invalid data offset parameter	Check the data offset parameter in network capture case by case.
Invalid Flags	Flag(s) set in packet is/are invalid. This could be due to a flag that does not make sense within the context of a current connection (if any), or due to a nonsensical combination of flags. (Stateful Configuration must be set to “ON” for connection context to be assessed.)	This alert can be raised with multiple reasons, check case by case.
Invalid IP	The source IP of the packet is not valid.	To allow such packets, customer can change Allow Null IP in Network Engine setting in Deep Security to Yes.
Invalid IP Datagram Length	The length of the IP datagram is less than the length specified in the IP header.	N/A
Invalid Port Command	An invalid FTP port command was encountered in the FTP control channel data stream.	Capture the traffic for detailed analysis.
Invalid Sequence	A packet with an invalid sequence number or out-of-window data size was encountered.	Capture the traffic for detailed analysis.
Invalid IP Header Length	An invalid IP header length (< 5*4 = 20) is set in the IP header.	N/A
IP Version Unknown	An IP packet other than IPv4 or IPv6 was encountered.	Capture the traffic for detailed analysis or ignore this alert.
IPv6 Packet	An IPv6 Packet was encountered, and IPv6 blocking is enabled.	Change "Block IPv6 on Agents and Appliances versions 9 and later" in Deep Security to No to allow IPv6. For older version, IPv6 is not supported, but customer still can change to allow.
Max Incoming Connections	The number of incoming connections exceeded the maximum number of connections allowed.	In Deep Security Firewall > Firewall Stateful Configurations, click Edit, then in TCP tab, increase the incoming connection number.
Max Outgoing Connections	The number of outgoing connections exceeded the maximum number of connections allowed.	In Deep Security Firewall > Firewall Stateful Configurations, click Edit, then in TCP tab, increase the incoming connection number.
Max SYN Sent	The number of half open connections from a single computer exceeded that of the specified in the stateful configuration.	This event can be ignored if there is no impact to server's service. Customer can increase the threshold. In Deep Security Firewall > Firewall Stateful Configurations, click Edit, then in TCP tab, increase the incoming connection number. But do not make it too large, otherwise the server will be vulnerable to DoS attack.
Maximum ACK Retransmit	This retransmitted ACK packet exceeded the ACK storm protection threshold.	It is possible that some host is attacking the server. Check the event source to verify if it is legimate. If it is legimate, customer can enlarge the threshold. In Deep Security Firewall > Firewall Stateful Configurations, click Edit, then in TCP tab, increase the number for ACK storm protection.
No IP Header	The Ethernet header declares the packet as an IP, but the packet is too small to be considered. In some scenarios, the event is triggered is because the IPv4 header is null or the IPv6 header is missing from the whole packet.	If the traffic is safe, create a firewall bypass rule for such traffic. If not, let the packet be dropped as it is malicious.
Out Of Allowed Policy	The packet did not meet any of the Allow or Force Allow rules and so was implicitly denied.	If the traffic blocked is supposed to be allowed, use these events to ensure proper firewall rules are created to allow the traffic through.
Out Of Connection	A packet was received that was not associated with an existing connection.	If the session is still established but we have already flushed it out of our state table, the reason in FW events would be Out of Connection when it drops the packet.
Overlapping Fragment	This packet fragment overlaps a previously sent fragment.	N/A
Packet on Closed Connection	A packet belonging to a connection that was already closed was received.	It means still receiving packet although the connection was closed. It can be set in ignored status.
Same Source and Destination IP	Source and destination IPs were identical.	“Same Source and Destination IP” means the packet has the same source and destination IP address. It cannot be fixed by bypass rules.
SYN Cookie Error	The SYN cookies protection mechanism encountered an error.	N/A
Unknown IP Version	Unrecognized IP version	This alert cannot be fixed by bypass rules, while the IP version cannot be identified.
Unreadable Ethernet Header	Data contained in this Ethernet frame is smaller than the Ethernet header.	N/A
Unreadable IPv4 Header	The packet contains an unreadable IPv4 header.	Customer should first ensure that the network using readable IPV4 traffic.
Unreadable Protocol Header	The packet contains an unreadable TCP, UDP or ICMP header.	Capture the traffic for analysis or ignore this error.
Unsolicited ICMP	ICMP stateful has been enabled (in stateful configuration) and an unsolicited packet that does not match any Force Allow rules was received.	To disable this alert, you need to adjust the stateful configuation: ICMP > Click Enable stateful ICMP inspection in Deep Security.
Unsolicited UDP	Incoming UDP packets that were not solicited by the computer are rejected.	To disable this alert, you need to adjust the stateful configuation: UDP > Click Enable stateful UDP inspection in Deep Security.
Null IP	A NULL (0.0.0.0) IP is not allowed by the present firewall configuration.	N/A

Apex One Vulnerability Protection customers can configure the engine to ignore status codes in the event of false positives. Perform the following:

Log in to Apex Central / Apex One as a Service.
Go to Policy > Policy Management.
Select the associated policy.
Go to Vulnerability Protection Settings.
Click Network Engine Settings.
Select the detection in Ignore Status Code.
Click Deploy.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Understanding firewall events generated in Deep Security and Apex One Vulnerability Protection

Understanding firewall events generated in Deep Security and Apex One Vulnerability Protection

Product / Version includes:

Summary