• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

How to enable logging for dropped packets ?

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> Logging and Reporting >> How to enable logging for dropped packets ? Page: [1]
Login
Message << Older Topic   Newer Topic >>
How to enable logging for dropped packets ? - 20.Apr.2004 2:45:00 PM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
ISA Server detected a spoof attack from Internet Protocol (IP) address 172.16.1.3. A spoof attack occurs when an IP address that is not reachable via the interface on which the packet was received. If logging for dropped packets is set, you can view details in the packet filter log.
----

Since I expect this result to come from our NLB setup , I want to disable spoof detection for certain IP Addresses ( 172.16.1.0/24 ) but I can't seem to find an option to set the logging for dropped packets ?

<maybe I'm getting blind...>

Kind regards,
Lex P.
Post #: 1
RE: How to enable logging for dropped packets ? - 21.Apr.2004 1:24:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Lex,

There was a mechanism to do this in ISA 2000, have you tried that one? Don't know if it would work, but its worth a try.

Why do you think this is expected with NLB? I've run ISA 2000 with NLB and didn't see spoofs.

HTH,
Tom

(in reply to penrose.l@2college.nl)
Post #: 2
RE: How to enable logging for dropped packets ? - 22.Apr.2004 9:43:00 PM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
Hi Tom ,

with 2 NLB nodes we didn't find any problems.
However , more than 3 NLB nodes in a cluster will start reporting these errors.

We use Rainwall ( eval ) and it's really a nice product but it uses a NIC to sync it's data over ( 172.16.x.x in our case ). Somehow the other nics ALSO report over this nic. This gives the spoof errors.

btw : I tried adding the DWORD key 'SpoofDetection' and set it to 0 but it didn't work. I guessed they changed it [Smile] )

Kind regards,
Lex P.

(in reply to penrose.l@2college.nl)
Post #: 3
RE: How to enable logging for dropped packets ? - 22.Apr.2004 11:54:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Lex,

Thanks for the info. I'm still trying to find out how to block the spoof errors. I let you know when I find out.

Thanks!
Tom

(in reply to penrose.l@2college.nl)
Post #: 4
RE: How to enable logging for dropped packets ? - 14.May2004 10:05:00 AM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
Hi Tom ,

Ok we found a way to enable logging for dropped packets. It appears we have been using a wrong build of ISA 2004 Beta 2 all the time.
In the ISA 2004 RC version which we have acquired there's a simple option to turn logging on for dropped packets exactly where you'd expect it.

So the solution is to wait for the ISA 2004 final version [Smile] )

Kind regards,
Lex P.

(in reply to penrose.l@2college.nl)
Post #: 5
RE: How to enable logging for dropped packets ? - 16.May2004 6:15:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Lex,

Very good! Thanks for the update!

Tom

(in reply to penrose.l@2college.nl)
Post #: 6

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> Logging and Reporting >> How to enable logging for dropped packets ? Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts