Deep Security – Ignoring Status Code

In Trend Micro Deep Security Manager, you are getting a lot of firewall events with “Deny” actions that are affecting some of your applications – even though the firewall module is not enabled.


The following are the events that may show up, with their details and Trend Micro's recommended action for each (taken from https://success.trendmicro.com/solution/1060429).

Event: CE Flags
Details: The CWR or ECE flags were set and the stateful configuration specified that these packets should be denied.
Recommended action: This warning appears when you enable the option in Enable Stateful Inspection > TCP > Deny TCP packets containing CWR, ECE flags. If the customer wants to remove the error, disable this option.

Event: Dropped Retransmit
Details: This status means the network engine detected a TCP retransmission whose content differs from what was sent initially. There are different types of the log in the note field: prev-full, prev-part, next-full and next-part. These are set based on the location of the changed content in the TCP stream. The network engine checks this by comparing the packet data queued in the engine's connection buffer to the retransmitted packet. If the changed area is located in the closest queued packet, it will be "prev-full" or "prev-part". It is set to "prev-full" if this queued packet contains all the corresponding data in the retransmitted packet; otherwise, it is "prev-part".
Sometimes the change occurs not in the closest packet but in following ones. It is set to "next-full" if the retransmitted packet contains all of the corresponding data in this queued packet; otherwise, it is "next-part".
Recommended action: This alert can be avoided by creating firewall bypass rules.

Event: First Fragment Too Small
Details: A fragmented packet was encountered and the size of the fragment is less than the size of a TCP packet (no data). "First fragment too small" is a packet which is dropped when it has the following configuration:

  • MF flag = 1
  • Offset value = 0
  • Total length (maximum combined header length) = less than 120 bytes.

Recommended action: Update the Minimum Fragment size in Network Engine to a lower value or "0" to turn off this inspection.

Event: Fragment Offset Too Small
Details: The offset(s) specified in a fragmented packet sequence is/are less than the size of a valid datagram.
Recommended action: Update the Minimum Fragment offset in Network Engine to a lower value or "0" to turn off this inspection.

Event: Fragment Out Of Bounds
Details: The offset(s) specified in a fragmented packet sequence is/are outside the range of the maximum size of a datagram.
Recommended action: N/A

Event: Fragmented
Details: A fragmented packet was encountered with "deny fragmented packets" enabled.
Recommended action: N/A

Event: Internal Driver Error
Details: Insufficient resources.
Recommended action: Add more system resources to fix this issue.

Event: Internal States Error
Details: Internal TCP stateful error.
Recommended action: Can be disabled under TCP by unchecking Enable TCP stateful inspection.

Event: Invalid ACK
Details: A packet with an invalid acknowledgement number was encountered.
Recommended action: Verify the Acknowledgment number of the TCP header.

Event: Invalid Adapter Configuration
Details: An invalid adapter configuration has been received.
Recommended action: Reconfigure the adapter settings.

Event: Invalid Data Offset
Details: Invalid data offset parameter.
Recommended action: Check the data offset parameter in a network capture, case by case.

Event: Invalid Flags
Details: Flag(s) set in the packet is/are invalid. This could be due to a flag that does not make sense within the context of a current connection (if any), or due to a nonsensical combination of flags. (Stateful Configuration must be set to "ON" for connection context to be assessed.)
Recommended action: This alert can be raised for multiple reasons; check case by case.

Event: Invalid IP
Details: The source IP of the packet is not valid.
Recommended action: To allow such packets, the customer can change Allow Null IP in the Network Engine settings to Yes.

Event: Invalid IP Datagram Length
Details: The length of the IP datagram is less than the length specified in the IP header.
Recommended action: N/A

Event: Invalid Port Command
Details: An invalid FTP port command was encountered in the FTP control channel data stream.
Recommended action: Capture the traffic for detailed analysis.

Event: Invalid Sequence
Details: A packet with an invalid sequence number or out-of-window data size was encountered.
Recommended action: Capture the traffic for detailed analysis.

Event: Invalid IP Header Length
Details: An invalid IP header length (< 5*4 = 20) is set in the IP header.
Recommended action: N/A

Event: IP Version Unknown
Details: An IP packet other than IPv4 or IPv6 was encountered.
Recommended action: Capture the traffic for detailed analysis or ignore this alert.

Event: IPv6 Packet
Details: An IPv6 packet was encountered, and IPv6 blocking is enabled.
Recommended action: Change "Block IPv6 on Agents and Appliances versions 9 and later" to No to allow IPv6. For older versions, IPv6 is not supported, but the customer can still change the setting to allow it.

Event: Max Incoming Connections
Details: The number of incoming connections exceeded the maximum number of connections allowed.
Recommended action: In Firewall > Firewall Stateful Configurations, click Edit, then in the TCP tab, increase the incoming connection number.

Event: Max Outgoing Connections
Details: The number of outgoing connections exceeded the maximum number of connections allowed.
Recommended action: In Firewall > Firewall Stateful Configurations, click Edit, then in the TCP tab, increase the incoming connection number.

Event: Max SYN Sent
Details: The number of half-open connections from a single computer exceeded the number specified in the stateful configuration.
Recommended action: This event can be ignored if there is no impact on the server's service. The customer can increase the threshold: in Firewall > Firewall Stateful Configurations, click Edit, then in the TCP tab, increase the half-open connection number. But do not make it too large, otherwise the server will be vulnerable to a DoS attack.

Event: Maximum ACK Retransmit
Details: This retransmitted ACK packet exceeded the ACK storm protection threshold.
Recommended action: It is possible that some host is attacking the server. Check the event source to verify that it is legitimate. If it is legitimate, the customer can enlarge the threshold: in Firewall > Firewall Stateful Configurations, click Edit, then in the TCP tab, increase the number for ACK storm protection.

Event: Out Of Allowed Policy
Details: The packet did not meet any of the Allow or Force Allow rules and so was implicitly denied.
Recommended action: This alert can be ignored.

Event: Out Of Connection
Details: A packet was received that was not associated with an existing connection.
Recommended action: If the session is still established but has already been flushed out of the state table, the reason shown in the firewall events will be Out of Connection when the packet is dropped.

Event: Overlapping Fragment
Details: This packet fragment overlaps a previously sent fragment.
Recommended action: N/A

Event: Packet on Closed Connection
Details: A packet belonging to a connection that was already closed was received.
Recommended action: It means packets are still being received although the connection was closed. It can be set to ignored status.

Event: Same Source and Destination IP
Details: Source and destination IPs were identical.
Recommended action: "Same Source and Destination IP" means the packet has the same source and destination IP address. It cannot be fixed by bypass rules.

Event: SYN Cookie Error
Details: The SYN cookies protection mechanism encountered an error.
Recommended action: This alert can be ignored.

Event: Unknown IP Version
Details: Unrecognized IP version.
Recommended action: This alert cannot be fixed by bypass rules, since the IP version cannot be identified.

Event: Unreadable Ethernet Header
Details: Data contained in this Ethernet frame is smaller than the Ethernet header.
Recommended action: This alert can be ignored.

Event: Unreadable IPv4 Header
Details: The packet contains an unreadable IPv4 header.
Recommended action: The customer should first ensure that the network is carrying readable IPv4 traffic.

Event: Unreadable Protocol Header
Details: The packet contains an unreadable TCP, UDP or ICMP header.
Recommended action: Capture the traffic for analysis or ignore this error.

Event: Unsolicited ICMP
Details: ICMP stateful inspection has been enabled (in the stateful configuration) and an unsolicited packet that does not match any Force Allow rules was received.
Recommended action: To disable this alert, adjust the stateful configuration: ICMP > click Enable stateful ICMP inspection.

Event: Unsolicited UDP
Details: Incoming UDP packets that were not solicited by the computer are rejected.
Recommended action: To disable this alert, adjust the stateful configuration: UDP > click Enable stateful UDP inspection.

Event: Null IP
Details: A NULL (0.0.0.0) IP is not allowed by the present firewall configuration.
Recommended action: N/A
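Several of the events above are plain header-level checks on a single packet (First Fragment Too Small, Invalid IP Header Length, Invalid IP Datagram Length, Null IP, Same Source and Destination IP, Unreadable IPv4 Header). The following added example, which is not code from the original post or from Trend Micro, decodes an IPv4 header and applies those checks using the thresholds the table states (120 bytes, 20-byte minimum header), so you can see on a constructed packet why a given status code fires. The real network engine's implementation is not public; the function names, the `build_ipv4` helper and the sample packets are assumptions made for illustration.

```python
"""Added example (not from the Trend Micro KB or the original post): decode an
IPv4 header and apply the packet-level checks the event table describes.
Event names are taken from the table; the code and helpers are assumptions."""
import struct
from dataclasses import dataclass
from typing import List, Optional

MIN_FIRST_FRAGMENT = 120   # "First Fragment Too Small": total length < 120 bytes (table value)
MIN_IHL_BYTES = 20         # "Invalid IP Header Length": IHL*4 < 20 (table value)


@dataclass
class IPv4Header:
    version: int
    ihl_bytes: int
    total_length: int
    more_fragments: bool
    frag_offset: int      # in bytes
    protocol: int
    src: str
    dst: str


def parse_ipv4(pkt: bytes) -> IPv4Header:
    """Decode the fixed 20-byte IPv4 header; raise if the frame is too short."""
    if len(pkt) < 20:
        raise ValueError("Unreadable IPv4 Header")
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return IPv4Header(
        version=ver_ihl >> 4,
        ihl_bytes=(ver_ihl & 0x0F) * 4,
        total_length=total_len,
        more_fragments=bool(flags_frag & 0x2000),   # MF flag
        frag_offset=(flags_frag & 0x1FFF) * 8,      # offset field is in 8-byte units
        protocol=proto,
        src=".".join(map(str, src)),
        dst=".".join(map(str, dst)),
    )


def classify(pkt: bytes) -> List[str]:
    """Return the firewall event names (from the table) this packet would raise."""
    try:
        h = parse_ipv4(pkt)
    except ValueError as err:
        return [str(err)]
    if h.version == 6:
        return []   # IPv6 has a different header layout; not decoded in this example
    if h.version != 4:
        return ["IP Version Unknown"]
    reasons: List[str] = []
    if h.ihl_bytes < MIN_IHL_BYTES:
        reasons.append("Invalid IP Header Length")
    if len(pkt) < h.total_length:          # datagram shorter than its header claims
        reasons.append("Invalid IP Datagram Length")
    if h.src == "0.0.0.0":
        reasons.append("Null IP")
    if h.src == h.dst:
        reasons.append("Same Source and Destination IP")
    if h.more_fragments and h.frag_offset == 0 and h.total_length < MIN_FIRST_FRAGMENT:
        reasons.append("First Fragment Too Small")
    return reasons


def build_ipv4(src: str, dst: str, payload: bytes = b"", mf: bool = False,
               offset: int = 0, ihl: int = 5, total_length: Optional[int] = None,
               version: int = 4) -> bytes:
    """Constructed test packet (assumption, not real traffic). The IHL and
    total-length fields can be set to lie, to reproduce malformed packets."""
    if total_length is None:
        total_length = 20 + len(payload)
    flags_frag = (0x2000 if mf else 0) | ((offset // 8) & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", (version << 4) | ihl, 0, total_length,
                      0x1234, flags_frag, 64, 6, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


# Constructed sample packets, one per check.
SAMPLES = {
    "normal":          build_ipv4("10.0.0.1", "10.0.0.2", b"x" * 40),
    "short_fragment":  build_ipv4("10.0.0.1", "10.0.0.2", b"x" * 8, mf=True, offset=0),
    "same_src_dst":    build_ipv4("10.0.0.1", "10.0.0.1", b"x" * 40),
    "null_source":     build_ipv4("0.0.0.0", "10.0.0.2", b"x" * 40),
    "bad_ihl":         build_ipv4("10.0.0.1", "10.0.0.2", b"x" * 40, ihl=4),
    "lying_length":    build_ipv4("10.0.0.1", "10.0.0.2", b"x" * 40, total_length=200),
    "truncated_frame": b"\x45\x00",
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:16s} -> {classify(pkt) or ['(allowed)']}")
```

The checks are independent, so one packet can carry several reasons; the engine reports only one, and which one is not documented here, so treat the list as "any of these would deny it".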

If you want Deep Security to ignore these events on your Trend Micro Deep Security firewall:

  1. Log in to Deep Security Manager
  2. Double-click on the Computer or Policy that is being affected.
  3. Click “Settings”
  4. Click “Network Engine” tab.
  5. Under “Advanced Network Engine Settings”, uncheck “Default”.
  6. Scroll down to “Ignore Status Code”, and select the event that you wish to ignore. For example, in my case, I want to ignore “Invalid IP Datagram Length”.
  7. Click “Save”.
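Before adding a status code to "Ignore Status Code", it is worth tallying which reasons are actually firing and from where, because the table recommends ignoring some events outright (Out Of Allowed Policy, SYN Cookie Error) while others (Max SYN Sent, Maximum ACK Retransmit) may indicate a host attacking the server and should be checked by source first. The following added example, which is not part of the original post or of Trend Micro's product, groups a batch of firewall events by reason and maps each reason to the handling the table suggests. The event lines are constructed, and the column layout (time,computer,reason,action,src,dst,dport) is an assumption, not the product's export format; adapt `parse_events` to whatever your export actually looks like.

```python
"""Added example (not from the original post or Trend Micro): triage Deep
Security firewall 'Deny' events by reason before deciding what to ignore.
The sample events and the CSV column layout are constructed assumptions."""
import csv
from collections import Counter, defaultdict
from io import StringIO
from typing import Dict, List

# Handling categories derived from the recommended actions in the event table.
# Reasons not listed here fall back to "review".
HANDLING: Dict[str, str] = {
    "Out Of Allowed Policy": "ignore",
    "SYN Cookie Error": "ignore",
    "Unreadable Ethernet Header": "ignore",
    "Packet on Closed Connection": "ignore",
    "Max SYN Sent": "investigate-source",        # possible half-open (SYN) flood
    "Maximum ACK Retransmit": "investigate-source",  # possible ACK storm
    "Max Incoming Connections": "tune-threshold",
    "Max Outgoing Connections": "tune-threshold",
    "First Fragment Too Small": "tune-threshold",
    "Fragment Offset Too Small": "tune-threshold",
    "Invalid Sequence": "capture-traffic",
    "Invalid Port Command": "capture-traffic",
    "Invalid Flags": "capture-traffic",
    "Same Source and Destination IP": "cannot-bypass",
    "Unknown IP Version": "cannot-bypass",
}

# Constructed sample export (assumed layout); the addresses are documentation ranges.
SAMPLE_EVENTS = """time,computer,reason,action,src,dst,dport
2019-03-01T10:00:01,web01,Invalid IP Datagram Length,Deny,10.1.1.5,10.1.1.20,443
2019-03-01T10:00:02,web01,Invalid IP Datagram Length,Deny,10.1.1.6,10.1.1.20,443
2019-03-01T10:00:03,web01,Out Of Allowed Policy,Deny,10.1.1.7,10.1.1.20,8080
2019-03-01T10:00:04,web01,Max SYN Sent,Deny,203.0.113.9,10.1.1.20,443
2019-03-01T10:00:05,web01,Max SYN Sent,Deny,203.0.113.9,10.1.1.20,443
2019-03-01T10:00:06,web01,Max SYN Sent,Deny,203.0.113.9,10.1.1.20,443
2019-03-01T10:00:07,web01,Maximum ACK Retransmit,Deny,198.51.100.4,10.1.1.20,443
2019-03-01T10:00:08,web01,Same Source and Destination IP,Deny,10.1.1.20,10.1.1.20,22
2019-03-01T10:00:09,web01,Out Of Allowed Policy,Allow,10.1.1.8,10.1.1.20,443
"""


def parse_events(text: str) -> List[dict]:
    """Parse the (assumed) CSV export into dicts keyed by column name."""
    return list(csv.DictReader(StringIO(text)))


def summarize(events: List[dict]) -> Dict[str, dict]:
    """For each reason seen on a Deny event: count, recommended handling, top sources."""
    by_reason: Dict[str, Counter] = defaultdict(Counter)
    for ev in events:
        if ev["action"] != "Deny":          # only denied packets are the problem here
            continue
        by_reason[ev["reason"]][ev["src"]] += 1
    return {
        reason: {
            "count": sum(srcs.values()),
            "handling": HANDLING.get(reason, "review"),
            "top_sources": srcs.most_common(3),
        }
        for reason, srcs in by_reason.items()
    }


def safe_to_ignore(summary: Dict[str, dict]) -> List[str]:
    """Reasons the table says can simply be ignored."""
    return sorted(r for r, s in summary.items() if s["handling"] == "ignore")


def needs_investigation(summary: Dict[str, dict]) -> List[str]:
    """Reasons where the table says to verify the source before raising thresholds."""
    return sorted(r for r, s in summary.items() if s["handling"] == "investigate-source")


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_EVENTS))
    for reason, info in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{info['count']:4d}  {info['handling']:18s} {reason}  top={info['top_sources']}")
    print("ignore:", safe_to_ignore(summary))
    print("investigate:", needs_investigation(summary))
```

In the sample, all Max SYN Sent denies come from one address, which is exactly the case where the table says to check the source before enlarging the half-open connection threshold; Invalid IP Datagram Length, the reason ignored in this post, lands in "review" because the table gives no recommendation for it.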