PM 11 - how to suppress client alerts
With a recent Policy Manager 11 install and reconfiguration, I am struggling to suppress one specific message.
The alert that is showing up for the user is a "Firewall alert, Description: Suspiciously small datagram fragment. possibley a fragmentation attack". This is shown with a yellow exclamation mark.
I have unticked every option in the Policy Manager for "alert sending" and "local user interface". I have also set the alert severity to "no alerting" in the Firewall security levels.
These alerts still keep popping up on the clients running 11.5 Client Security Premium.
Any help would be great.
This type of alert might be related to a DDoS. If they appear on a network, they might be a sign of a broken or wrongly configured router.
Please investigate the issue on a network level before applying the modification below. In practice, packets with a size below 128 bytes are normally inefficient (ratio data/data+headers).
To get rid of the alert, you can change the minimum size of the fragment to 0.
This setting is in the Policy Manager in advanced mode under Internet Shield > Settings > Firewall Engine > Minimum fragment size.
All the configuration you have already done doesn't stop the alert dialogs in the user interface. To stop the alerts, you need to turn off Show Alerts Dialogs If No User = Disabled
PS: This configuration just stops showing the alerts in the user interface. This configuration doesn't stop the eventual attacks!
Roberto Chu1 1Like
For this configuration, you need to create a server group and a workstation group. In the server group you keep Show Alert Dialogs If No User enabled, and in the workstation group you disable Show Alert Dialogs If No User.
Example of Workstation configuration:
Don't forget to put the workstation machines inside the workstation group and the server machines inside the servers group.
It's important to remember that all the alerts will keep being logged in the Policy Manager in the alert tab.
Roberto Chu1 1Like
> "Firewall alert, Description: Suspiciously small datagram fragment. possibley a fragmentation attack".
This type of error message had been common in Hungary for many users of F-Secure protection who accessed the net over GSM mobile data connections. (At that time mobile net providers did other funny things, like giving end users 10.som.eth.ing IP addresses so they couldn't teamgame FPS or download P2P and overload the small bandwidth.)
This was in the era many years ago, when the IS/DFW personal firewall module was still included in the F-Secure home-user products, as well as the FSCS corporate product.
The solution was to reduce the size of the smallest allowed IP fragment from 128, maybe even zero it out to disable such filtering. This can be done in the PMC centrally or in the end-point local UI, unless the secadmin decided to grey it out.
Best Regards: Tamas Feher.
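
For the network-level investigation suggested earlier in the thread, the following Python script is an added example (not from any poster or from F-Secure) that counts, per source address, non-final IPv4 fragments whose payload is below the 128-byte minimum fragment size. The rule it applies (more-fragments flag set and payload under the threshold, with 0 turning the check off) is an assumption about how such a filter works, not the product's documented logic, and the packets are constructed samples.

```python
import struct
from collections import Counter

MF = 0x2000  # "more fragments" bit in the IPv4 flags/offset field

def build_packet(src, payload_len, offset_units=0, more=False):
    """Constructed IPv4 packet for the sample data (checksum left at 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                         (MF if more else 0) | offset_units, 64, 17, 0,
                         bytes(src), bytes([192, 0, 2, 10]))
    return header + b"\x00" * payload_len

def is_small_fragment(packet, min_fragment_size=128):
    """Assumed rule: non-final fragment with payload below the minimum.
    A minimum of 0 can never match, so it disables the check."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    header_len = (packet[0] & 0x0F) * 4
    total_len, _ident, flags_offset = struct.unpack("!HHH", packet[2:8])
    if header_len < 20 or total_len < header_len:
        return False
    # The last fragment (MF clear) is legitimately short, so it is skipped.
    return bool(flags_offset & MF) and total_len - header_len < min_fragment_size

def small_fragment_sources(packets, min_fragment_size=128):
    """Count small fragments per source address."""
    hits = Counter()
    for packet in packets:
        if is_small_fragment(packet, min_fragment_size):
            hits[".".join(str(b) for b in packet[12:16])] += 1
    return hits

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    build_packet([198, 51, 100, 7], 8, offset_units=0, more=True),    # tiny, non-final
    build_packet([198, 51, 100, 7], 8, offset_units=1, more=True),    # tiny, non-final
    build_packet([198, 51, 100, 7], 8, offset_units=2, more=False),   # final fragment
    build_packet([203, 0, 113, 5], 1480, offset_units=0, more=True),  # normal fragment
    build_packet([203, 0, 113, 5], 40),                               # unfragmented
]

if __name__ == "__main__":
    for source, count in small_fragment_sources(SAMPLE).items():
        print(f"{source}: {count} fragment(s) below 128 bytes")
```

A single source producing most of the hits points at one device or path (for example a router or mobile link) rather than at the clients showing the alert.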