NS-25 Event Alarm

  • I have recently become the network admin at a company that utilizes a Netscreen NS-25 firewall. I do not have any prior experience with this device, nor have I been able to find the documentation. So please be patient. We have a VPN tunnel established between one of our servers and a server at a 3rd party company. The connection is up and running and everything seems fine. Today I started to receive Event Alarms stating the following:
    [00001] 2006-02-03 15:49:02 system-critical-00033: Destination session threshold has been exceeded!, From to, using protocol TCP (on zone Trust,interface ethernet1) occurred 2 times

    Can anyone please explain this message to me exactly? The 1st IP is my server, the 2nd IP is the 3rd party company's. Are the 1133 & 445 the ports?

    What usually causes these alarms?

    Thanks for any help.

  • Engineer

    This is DoS protection. You can tune the settings under Network->Zones->Trust->Screen, Destination IP Based Session Limit. The Netscreen documentation describing the use of this protection is at the end of this post:

    According to the alarm events, the TCP 445 is NetBIOS traffic. If this is legitimate traffic and you think it's normal for the 1st server to create that many sessions (default 128) to the 2nd server, you can adjust the session threshold to a higher number to suit your needs. Once the threshold has been reached, the protection will prevent more sessions from being created from that 1st server to the 2nd server.

    Destination IP Based Session Limit

    This option limits the number of sessions to a single IP address. After the number of sessions to the same destination IP address has reached the session threshold, the NetScreen device rejects any further attempts to initiate a session to that IP address. By default, the threshold is 128 sessions per IP address. You can change the threshold (to any number from 1 to 49,999) to better suit the needs of your network environment.

    This SCREEN option helps defend against distributed denial-of-service (DDoS) attacks targeting a single IP address. Such attacks attempt to fill up the session table on the NetScreen device to the point where it can no longer process legitimate connection requests.
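    A small Python sketch, added here and not taken from the thread or from NetScreen, that parses alarms in the shape of the line quoted in the question and models the per-destination session limit the quoted documentation describes. The sample lines and their addresses are constructed, and the "From src:port to dst:port" layout is an assumption, since the page's copy of the alarm lost the addresses.

```python
import re
from collections import Counter

# Constructed sample alarms in the shape of the NetScreen line quoted in the
# question. The page's copy lost the addresses, so "src:port to dst:port" is an
# assumption about the original layout; addresses are documentation ranges.
SAMPLE_ALARMS = """\
[00001] 2006-02-03 15:49:02 system-critical-00033: Destination session threshold has been exceeded!, From 10.0.0.5:1133 to 192.0.2.20:445, using protocol TCP (on zone Trust,interface ethernet1) occurred 2 times
[00002] 2006-02-03 15:51:40 system-critical-00033: Destination session threshold has been exceeded!, From 10.0.0.5:1140 to 192.0.2.20:445, using protocol TCP (on zone Trust,interface ethernet1) occurred 5 times
[00003] 2006-02-03 15:52:01 system-critical-00033: Destination session threshold has been exceeded!, From 10.0.0.9:2201 to 192.0.2.20:445, using protocol TCP (on zone Trust,interface ethernet1) occurred 1 times
"""

ALARM_RE = re.compile(
    r"system-critical-00033: Destination session threshold has been exceeded!, "
    r"From (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+), "
    r"using protocol (?P<proto>\w+) .*?occurred (?P<count>\d+) times"
)


def parse_alarms(text):
    """Return one dict per session-limit alarm line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ALARM_RE.search(line)
        if m:
            d = m.groupdict()
            d["count"] = int(d["count"])
            out.append(d)
    return out


def hits_per_destination(alarms):
    """Total alarm hits keyed by (dst, dport): shows which target trips the limit."""
    c = Counter()
    for a in alarms:
        c[(a["dst"], a["dport"])] += a["count"]
    return c


def simulate_dst_session_limit(attempts, threshold=128):
    """Model the SCREEN check from the quoted documentation: once `threshold`
    sessions to a destination IP are open, further attempts to that IP are
    rejected. `attempts` is a list of (src, dst) new sessions, with no sessions
    closing in between. Returns (allowed, rejected)."""
    open_sessions = Counter()
    allowed = rejected = 0
    for _src, dst in attempts:
        if open_sessions[dst] >= threshold:
            rejected += 1
        else:
            open_sessions[dst] += 1
            allowed += 1
    return allowed, rejected
```

    Running hits_per_destination over a day of alarms tells you whether one destination (here the 3rd party server on TCP 445) is the only one tripping the limit, which is the case where raising the threshold for that zone is the usual fix.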