Cisco Support Community

Firewall Alert in log buffer...cause for Concern?

I'm getting this in my log buffer off my Cisco 2800 ISR. It seems like a firewall alert, and I've looked it up, but I'm having a hard time really understanding what this really means.

Should I be worried about this?

Aug  2 18:27:56.380: %FW-4-ALERT_ON: getting aggressive, count (3/500) current 1-min rate: 501

Aug  2 18:28:29.792: %FW-4-ALERT_OFF: calming down, count (0/400) current 1-min rate: 84


Firewall Alert in log buffer...cause for Concern?

Hi Bro

Yes, you should be worried but you don't have to lose your cool over this. After all, this message is informational only, but I do believe you’re seeing this message very often. This may indicate a network attack. For further details on this, please refer to this URL

This message indicates that CBAC has detected and blocked DoS attacks and it’s notifying you when DoS attacks occurred, e.g. Aug 2 18:27 - Aug 2 18:28 (1 minute). This is a good thing. When a pair of %FW-4-ALERT_ON and %FW-4-ALERT_OFF messages appears together, each "aggressive/calming" pair of messages indicates a separate network attack.

I’m guessing either the max-incomplete high threshold of half-open connections or the new connection initiation rate has been exceeded. This message is issued only when the max-incomplete high threshold is crossed.

To tune the values, please refer to this URL

P/S: If you think this comment is useful, please do rate it nicely :-)

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
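
To see how often the "aggressive/calming" pairs described in the answer above occur, the log buffer can be parsed and the pairs matched up. This is an added example, not part of the original thread; the function names are hypothetical, and it assumes the count field reads as (current half-open sessions/threshold).

```python
import re
from datetime import datetime

# The two log lines quoted in the question, used as sample input.
SAMPLE_LOG = """\
Aug  2 18:27:56.380: %FW-4-ALERT_ON: getting aggressive, count (3/500) current 1-min rate: 501
Aug  2 18:28:29.792: %FW-4-ALERT_OFF: calming down, count (0/400) current 1-min rate: 84
"""

ALERT_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): %FW-4-ALERT_(?P<state>ON|OFF): "
    r".*?count \((?P<count>\d+)/(?P<limit>\d+)\) current 1-min rate: (?P<rate>\d+)"
)

def parse_alerts(text):
    """Return one dict per %FW-4-ALERT_ON / %FW-4-ALERT_OFF line."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        # These timestamps carry no year; 2000 is a placeholder so strptime
        # has a full date (only differences between timestamps are used).
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
        events.append({"ts": ts, "state": m["state"], "count": int(m["count"]),
                       "limit": int(m["limit"]), "rate": int(m["rate"])})
    return events

def pair_episodes(events):
    """Match each ALERT_ON with the next ALERT_OFF into one episode."""
    episodes, open_on = [], None
    for ev in events:
        if ev["state"] == "ON":
            open_on = ev
        elif open_on is not None:
            # Assumption: if the half-open count is below its threshold,
            # the new-connection rate is what tripped the alert.
            tripped = open_on["count"] >= open_on["limit"]
            episodes.append({
                "start": open_on["ts"],
                "seconds": (ev["ts"] - open_on["ts"]).total_seconds(),
                "rate_at_alert": open_on["rate"],
                "trigger": "half-open count" if tripped else "1-min rate",
            })
            open_on = None
    return episodes

if __name__ == "__main__":
    for ep in pair_episodes(parse_alerts(SAMPLE_LOG)):
        print(ep)
```

Many short episodes per day, or episodes that keep recurring at the same hours, are the pattern worth comparing against the inspection thresholds before tuning them.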