Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

IDP: IP-Block doesn't seem to block the current connections

0

0

Article ID: KB6325 KB Last Updated: 26 Dec 2012Version: 4.0
Summary:
IDP: IP-Block doesn't seem to block the current connections
Symptoms:
Problem
  • IP-Block doesn't seem to block the current connections
  • Trying to block scans with IP-action
  • I installed an IP-block action on a rule, and after installing a policy containing this rule, I'm still seeing the IDP only logging the scans, and not blocking them.
Environment:
  • IP-Action
  • IP-Block functionality
  • IP Action is for *future* connections.
  • IDP UI
  • policy

.

Cause:

Solution:

IDP Block is an IP action that tells IDP to drop future connections that match the criteria set in the Blocking Options after the rule is matched.

To resolve this problem:

Go to the UI (gui) main tool bar, select 'View', and then 'Choose Columns' and verify that you have the policy id, policy version, and rule number columns selected.

Using IDP-Block functionality:
when the scan is seen by the IDP for the first time, the IDP will report that a scan is in progress/detected. Next, the IDP will add the 'source-ip' to the block table. Remember, IP Action is for *future* connections.

If you run the scan, stop it, wait for the 'scan-detected' log and then try to scan again, you will see that the scan won't go through.

Causes of this problem:

  • We set-up and installed a policy that contained a rule like so:Source:     Any
    Destination: Any
    TrafiicAno:    detect
    IP Action:      IDP Block
    Blocking option:    Source
    Logging:                yes
    Timeout:            2400
    Notification:   logging/AlarmAnd then we attack to trusted server from untrusted PC using portscaner tool. The result is .....IDP can understand the portscans and logs it, but all traffic passed IDP, and we are not blocking the current connections.

Additional Information:

Here is how port scan detection works:

When you configure traffic anomaly rulebase to detect port scans, the IDP system counts the number of ports scanned from the same Source IP address in a specified time period (it's configurable in Traffic Anomalies dialog) and uses this traffic flow analysis to identify scans.

For example, if you keep the default settings for TCP and UDP port scans (port count is set to 20 and the Time Threshold to 120 seconds). This rule is matched if
* the same Source IP scans 20 TCP ports in a time period of 120 seconds
* the same Source IP scans 20 UDP ports in a time period of 120 seconds. 

It may be possible that the scans are referencing a past policy. The IP-Action is for FUTURE connections.



Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search