
Firewall Alert in log buffer...cause for Concern?

dan hale
Level 3

I'm getting this in my log buffer off my Cisco 2800 ISR. Seems like a firewall alert and I've looked it up, but I'm having a hard time really understanding what this really means.

Should I be worried about this?

Aug  2 18:27:56.380: %FW-4-ALERT_ON: getting aggressive, count (3/500) current 1-min rate: 501

Aug  2 18:28:29.792: %FW-4-ALERT_OFF: calming down, count (0/400) current 1-min rate: 84

1 Reply 1

Hi Bro

Yes, you should be worried but you don't have to lose your cool over this. After all, this message is informational only, but I do believe you're seeing this message very often. This may indicate a network attack. For further details on this, please refer to this URL http://www.cisco.com/en/US/docs/ios/11_3/feature/guide/firewall.html

This message indicates that CBAC has detected and blocked DOS attacks and it's notifying you when DOS attacks occurred e.g. Aug 2 18:27 - Aug 2 18:28 (1 Minute). This is a good thing. When a pair of %FW-4-ALERT_ON and %FW-4-ALERT_OFF messages appears together, each "aggressive/calming" pair of messages indicates a separate network attack.

I'm guessing either the max-incomplete high threshold of half-open connections or the new connection initiation rate has been exceeded. This message is issued only when the max-incomplete high threshold is crossed.

To tune the values, please refer to this URL https://supportforums.cisco.com/docs/DOC-1939

P/S: If you think this comment is useful, please do rate them nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam
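
Added example (not part of the original thread and not Cisco code): a Python script that pairs the %FW-4-ALERT_ON / %FW-4-ALERT_OFF lines discussed above into episodes and reports each one's duration and which threshold the ALERT_ON line shows as crossed. It assumes the parenthesised pair is the half-open session count over its configured threshold and that the one-minute high threshold is 500; the names `parse`, `summarise` and `episodes` are hypothetical, and the third sample line is constructed.

```python
import re
from datetime import datetime

# Constructed sample: the two lines from the question plus one made-up unmatched ALERT_ON.
SAMPLE = """\
Aug  2 18:27:56.380: %FW-4-ALERT_ON: getting aggressive, count (3/500) current 1-min rate: 501
Aug  2 18:28:29.792: %FW-4-ALERT_OFF: calming down, count (0/400) current 1-min rate: 84
Aug  2 19:02:10.004: %FW-4-ALERT_ON: getting aggressive, count (512/500) current 1-min rate: 230
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:.]+): %FW-4-ALERT_(?P<state>ON|OFF): .*?"
    r"count \((?P<count>\d+)/(?P<limit>\d+)\) current 1-min rate: (?P<rate>\d+)")

def parse(line, year=2000):
    """Return the fields of one alert line, or None. Syslog has no year, so one is assumed."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S.%f")
    return {"ts": ts, "state": m["state"], "count": int(m["count"]),
            "limit": int(m["limit"]), "rate": int(m["rate"])}

def summarise(on, off, one_min_high):
    # Assumption: count/limit is half-open sessions vs. the max-incomplete threshold.
    trigger = "unknown"
    if on["count"] >= on["limit"]:
        trigger = "half-open count"
    elif on["rate"] > one_min_high:
        trigger = "one-minute rate"
    seconds = (off["ts"] - on["ts"]).total_seconds() if off else None
    return {"start": on["ts"], "seconds": seconds, "trigger": trigger, "rate": on["rate"]}

def episodes(text, one_min_high=500):
    """Pair each ALERT_ON with the next ALERT_OFF; an ON with no OFF stays open-ended."""
    out, pending = [], None
    for ev in filter(None, map(parse, text.splitlines())):
        if ev["state"] == "ON":
            if pending:
                out.append(summarise(pending, None, one_min_high))
            pending = ev
        elif pending:
            out.append(summarise(pending, ev, one_min_high))
            pending = None
    if pending:
        out.append(summarise(pending, None, one_min_high))
    return out

if __name__ == "__main__":
    print(*episodes(SAMPLE), sep="\n")
```

Counting episodes per day and watching for ones that never close gives a quick view of how often the router enters aggressive mode before any thresholds are tuned.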