Firewall event descriptions

ID Event Notes
100 Out Of Connection A packet was received that was not associated with an existing connection.
101 Invalid Flags

Flag(s) set in a packet were invalid. This event can indicate that a flag does not make sense within the context of the current connection (if any), or that a nonsensical combination of flags was set.

"Firewall Stateful Configuration" must be On for connection context to be assessed.

102 Invalid Sequence A packet with an invalid sequence number or out-of-window data size was encountered.
103 Invalid ACK A packet with an invalid acknowledgment number was encountered.
104 Internal Error  
105 CE Flags

A packet has congestion flags set and the policy's Anti-Evasion settings use a custom configuration where the TCP Congestion Flags property is set to Log or Deny. (See Anti-Evasion Posture.)

Anti-Evasion Posture: the anti-evasion setting controls how the network engine handles abnormal packets that may be attempting to evade analysis. There are three options for the posture setting, and the setting can be inherited from the parent policy:

  • Normal: The default setting. It is tuned to prevent the evasion of IPS rules without false positives.
  • Strict: Performs more stringent checking than Normal mode, but it could produce some false-positive results. Strict mode is useful for penetration testing but should not be enabled under normal circumstances.
  • Custom: Additional settings become available that let you specify how Deep Security handles issues with packets. For each of these settings (with the exception of TCP Timestamp PAWS Window), the options are Allow (Deep Security sends the packet through to the system), Log Only (same behavior as Allow, but an event is logged), Deny (Deep Security drops the packet and logs an event), or Deny Silent (same behavior as Deny, but no event is logged).
106 Invalid IP Packet's source IP was not valid.
107 Invalid IP Datagram Length The length of the IP datagram is less than the length specified in the IP header.
108 Fragmented A fragmented packet was encountered and fragmented packets are not allowed.
109 Invalid Fragment Offset  
110 First Fragment Too Small

A fragmented packet was encountered, and the size of the first fragment is less than the size of a TCP packet (no data).

A packet is dropped with this event when the packet header has the following configuration:

  • Fragment Offset = 0 (The fragment is the first in the packet)
  • Total length (maximum combined header length) < 120 bytes (the default allowed minimum fragment size)

To prevent this event from occurring, configure the policy's Advanced Network Engine settings to use a lower value for the Minimum Fragment Size property, or set it to 0 to turn off this inspection. (See Advanced Network Engine Options.)

Advanced Network Engine Options: if you deselect the Inherited check box, you can customize these settings:

  • CLOSED timeout: For gateway use. When a gateway passes on a "hard close" (RST), the side of the gateway that received the RST keeps the connection alive for this amount of time before closing it.
  • SYN_SENT Timeout: How long to stay in the SYN-SENT state before closing the connection.
  • SYN_RCVD Timeout: How long to stay in the SYN_RCVD state before closing the connection.
  • FIN_WAIT1 Timeout: How long to stay in the FIN-WAIT1 state before closing the connection.
  • ESTABLISHED Timeout: How long to stay in the ESTABLISHED state before closing the connection.
  • ERROR Timeout: How long to maintain a connection in an Error state. (For UDP connections, the error can be caused by any of a variety of UDP problems. For TCP connections, the errors are probably due to packets being dropped by the firewall.)
  • DISCONNECT Timeout: How long to maintain idle connections before disconnecting.
  • CLOSE_WAIT Timeout: How long to stay in the CLOSE-WAIT state before closing the connection.
  • CLOSING Timeout: How long to stay in the CLOSING state before closing the connection.
  • LAST_ACK Timeout: How long to stay in the LAST-ACK state before closing the connection.
  • ACK Storm timeout: The maximum period of time between retransmitted ACKs within an ACK Storm. In other words, if ACKs are being retransmitted at a lower frequency than this timeout, they are NOT considered part of an ACK Storm.
  • Boot Start Timeout: For gateway use. When a gateway is booted, established connections may already be passing through it. This timeout defines how long to allow non-SYN packets that could be part of a connection established before the gateway was booted to close.
  • Cold Start Timeout: Amount of time to allow non-SYN packets that could belong to a connection established before the stateful mechanism was started.
  • UDP Timeout: Maximum duration of a UDP connection.
  • ICMP Timeout: Maximum duration of an ICMP connection.
  • Allow Null IP: Allow or block packets with no source or destination IP address.
  • Block IPv6 on Agents and Appliances versions 8 and earlier: Block or allow IPv6 packets on older version 8.0 agents and appliances. Deep Security Agents and Appliances versions 8.0 and older are unable to apply firewall or DPI rules to IPv6 network traffic, so the default setting for these older versions is to block IPv6 traffic.
  • Block IPv6 on Agents and Appliances versions 9 and later: Block or allow IPv6 packets on agents and appliances that are version 9 or later.
  • Connection Cleanup Timeout: Time between cleanups of closed connections (see next).
  • Maximum Connections per Cleanup: Maximum number of closed connections to clean up per periodic connection cleanup (see previous).
  • Block Same Src-Dest IP Address: Block or allow packets with the same source and destination IP address. (Does not apply to the loopback interface.)
  • Maximum TCP Connections: Maximum simultaneous TCP connections.
  • Maximum UDP Connections: Maximum simultaneous UDP connections.
  • Maximum ICMP Connections: Maximum simultaneous ICMP connections.
  • Maximum Events per Second: Maximum number of events that can be written per second.
  • TCP MSS Limit: The MSS is the Maximum Segment Size (the largest amount of data) that can be sent in a TCP packet without being fragmented. It is usually established when two computers begin communicating. However, the traffic sometimes goes through a router or switch that has a smaller MSS, in which case the MSS can change. This causes retransmission of the packets, which the agent or appliance logs as "Dropped Retransmit". If there are large numbers of dropped retransmit event entries, you may wish to lower this limit and see if the volume is reduced.
  • Number of Event Nodes: The maximum amount of kernel memory the driver uses to store log/event information for folding at any one time. Event folding occurs when many events of the same type occur in succession; in such cases the agent/appliance "folds" all the events into one.
  • Ignore Status Code: This option lets you ignore certain types of events. If, for example, you are getting a lot of "Invalid Flags" events, you can simply ignore all instances of that event.
  • Ignore Status Code: Same as above.
  • Ignore Status Code: Same as above.
  • Advanced Logging Policy:
      • Bypass: No filtering of events. Overrides the "Ignore Status Code" settings (above) and other advanced settings, but does not override logging settings defined in the Deep Security Manager. For example, firewall stateful configuration logging options set from a Firewall Stateful Configuration Properties window in the Deep Security Manager are not affected.
      • Normal: All events are logged except dropped retransmits.
      • Default: Switches to "Tap Mode" (below) if the engine is in tap mode, and to "Normal" (above) if the engine is in inline mode.
      • Backwards Compatibility Mode: For support use only.
      • Verbose Mode: Same as "Normal" but including dropped retransmits.
      • Stateful and Normalization Suppression: Ignores dropped retransmit, out of connection, invalid flags, invalid sequence, invalid ack, unsolicited UDP, unsolicited ICMP, and out of allowed policy.
      • Stateful, Normalization, and Frag Suppression: Ignores everything that "Stateful and Normalization Suppression" ignores, as well as events related to fragmentation.
      • Stateful, Frag, and Verifier Suppression: Ignores everything "Stateful, Normalization, and Frag Suppression" ignores, as well as verifier-related events.
      • Tap Mode: Ignores dropped retransmit, out of connection, invalid flags, invalid sequence, invalid ack, max ack retransmit, and packet on closed connection.
    For a more comprehensive list of which events are ignored in Stateful and Normalization Suppression; Stateful, Normalization, and Frag Suppression; Stateful, Frag, and Verifier Suppression; and Tap modes, see Reduce the number of logged events.
  • Silent TCP Connection Drop: When Silent TCP Connection Drop is on, an RST packet is only sent to the local stack; no RST packet is sent on the wire. This reduces the amount of information sent back to a potential attacker. If you enable Silent TCP Connection Drop you must also adjust the DISCONNECT Timeout. Possible values for DISCONNECT Timeout range from 0 seconds to 10 minutes. It must be set high enough that the connection is closed by the application before it is closed by the Deep Security agent/appliance. Factors that affect the DISCONNECT Timeout value include the operating system, the applications that are creating the connections, and network topology.
  • Enable Debug Mode: In debug mode, the agent/appliance captures a certain number of packets (specified by the setting below, Number of Packets to retain in Debug Mode). When a rule is triggered and debug mode is on, the agent/appliance keeps a record of the last X packets that passed before the rule was triggered and returns those packets to the manager as debug events. Debug mode can very easily cause excessive log generation and should only be used under Client Services supervision.
  • Number of Packets to retain in Debug Mode: The number of packets to retain and log when debug mode is on.
  • Log All Packet Data: Record the packet data for events that are not associated with specific firewall or intrusion prevention rules; that is, log packet data for events such as "Dropped Retransmit" or "Invalid ACK". Events that have been aggregated because of event folding cannot have their packet data saved.
  • Log only one packet within period: If this option is enabled and Log All Packet Data is not, most logs contain only the header data. A full packet is attached periodically, as specified by the Period for Log only one packet within period setting.
  • Period for Log only one packet within period: When Log only one packet within period is enabled, this setting specifies how often the log contains full packet data.
  • Maximum data size to store when packet data is captured: The maximum size of header or packet data to be attached to a log.
  • Generate Connection Events for TCP: Generates a firewall event every time a TCP connection is established.
  • Generate Connection Events for ICMP: Generates a firewall event every time an ICMP connection is established.
  • Generate Connection Events for UDP: Generates a firewall event every time a UDP connection is established.
  • Bypass CISCO WAAS Connections: Bypasses stateful analysis of TCP sequence numbers for connections initiated with the proprietary CISCO WAAS TCP option selected. This protocol carries extra information in invalid TCP Sequence and ACK numbers that interferes with stateful firewall checks. Only enable this option if you are using CISCO WAAS and you are seeing connections with Invalid SEQ or Invalid ACK in the firewall logs. When this option is selected, TCP stateful sequence number checks are still performed for non-WAAS-enabled connections.
  • Drop Evasive Retransmit: Incoming packets containing data that has already been processed are dropped to avoid possible evasive retransmit attack techniques.
  • Verify TCP Checksum: The segment's checksum field is used to assess the integrity of the segment.
  • Minimum Fragment Offset: Defines the minimum acceptable IP fragment offset. Packets with offsets less than this are dropped with reason "IP fragment offset too small". If set to 0, no limit is enforced. (Default 60.)
  • Minimum Fragment Size: Defines the minimum acceptable IP fragment size. Fragmented packets that are smaller than this are dropped with reason "First fragment too small" as potentially malicious. (Default 120.)
  • SSL Session Size: Sets the maximum number of SSL session entries maintained for SSL session keys.
  • SSL Session Time: Sets how long SSL session renewal keys are valid before they expire.
  • Filter IPv4 Tunnels, Filter IPv6 Tunnels, Strict Teredo Port Check, Drop Teredo Anomalies, Maximum Tunnel Depth, Action if Maximum Tunnel Depth Exceeded, Drop IPv6 Extension Type 0: Not used by this version of Deep Security.
  • Drop IPv6 Fragments Lower Than minimum MTU: Drop IPv6 fragments that do not meet the minimum MTU size specified by IETF RFC 2460.
  • Drop IPv6 Reserved Addresses: Drop these IETF reserved addresses: 0000::/8, 0100::/8, 0200::/7, 0400::/6, 0800::/5, 1000::/4, 4000::/2, 8000::/2, C000::/3, E000::/4, F000::/5, F800::/6.
  • Drop IPv6 Site Local Addresses: Drop site local addresses FEC0::/10.
  • Drop IPv6 Bogon Addresses: Drop these addresses: loopback ::1; IPv4 compatible address ::/96; IPv4 mapped address ::FFFF:0.0.0.0/96; IPv4 mapped address ::/8; OSI NSAP prefix (deprecated by RFC4048) 0200::/7; 6bone (deprecated) 3ffe::/16; Documentation prefix 2001:db8::/32.
  • Drop 6to4 Bogon Addresses: Drop these addresses: 6to4 IPv4 multicast 2002:e000::/20; 6to4 IPv4 loopback 2002:7f00::/24; 6to4 IPv4 default 2002:0000::/24; 6to4 IPv4 invalid 2002:ff00::/24; 6to4 IPv4 10.0.0.0/8 2002:0a00::/24; 6to4 IPv4 172.16.0.0/12 2002:ac10::/28; 6to4 IPv4 192.168.0.0/16 2002:c0a8::/32.
  • Drop IP Packet with Zero Payload: Drop IP packets that have a zero-length payload.
  • Drop Unknown SSL Protocol: Drop the connection if a client attempts to connect to the Deep Security Manager with the wrong protocol. By default, any protocol other than "http/1.1" causes an error.
  • Force Allow DHCP DNS: Controls whether the following hidden firewall rules are enabled:

        Rule type    Priority  Direction  Protocol  Source port  Destination port
        Force Allow  4         Outgoing   DNS       Any          53
        Force Allow  4         Outgoing   DHCP      68           67
        Force Allow  4         Incoming   DHCP      67           68

    When the rules are enabled, agent computers can connect with the manager using the listed protocols and ports. The following values for this property are available: Inherited (inherits the setting from the policy); Turn off rules (disables the rules; note that this setting can cause agent computers to appear offline); Allow DNS Query (enables only the DNS-related rule); Allow DNS Query and DHCP Client (enables all 3 rules).
  • Force Allow ICMP type3 code4: Controls whether the following hidden firewall rule is enabled:

        Rule type    Priority  Direction  Protocol  Type  Code
        Force Allow  4         Incoming   ICMP      3     4

    When enabled, this rule allows relay computers to connect with the manager so that the relay's heartbeat is transmitted. The following values are available: Inherited (inherits the setting from the policy); Turn off rules (disables the rule; this value can cause connection timeouts or "Destination cannot be reached" responses); Add Force Allow rule for ICMP type3 code4 (enables the rule).
  • Fragment Timeout: If configured to do so, the intrusion prevention rules inspect the content of a packet (or packet fragment) if that content is considered suspicious. This setting determines how long after inspecting to wait for the remaining packet fragments before discarding the packet.
  • Maximum number of fragmented IP packets to keep: Specifies the maximum number of fragmented packets that Deep Security keeps.
  • Send ICMP to indicate fragmented packet timeout exceeded: When this setting is enabled and the fragment timeout is exceeded, an ICMP packet is sent to the remote computer.

111 Fragment Out Of Bounds The offset(s) specified in a fragmented packet sequence are outside the range of the maximum size of a datagram.
112 Fragment Offset Too Small A fragmented packet was encountered, and the size of the fragment was less than the size of a TCP packet (no data).
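The fragment checks that events 110, 111, 112 and 136 describe, as an added example (not code from this page or from Deep Security): a checker that decodes the IPv4 header fields involved and classifies constructed sample fragments using the page's defaults of 120 bytes for Minimum Fragment Size and 60 bytes for Minimum Fragment Offset. Mapping the "IP fragment offset too small" drop reason to event 112, and the byte-range intersection test used for event 136, are assumptions of this example.

```python
import struct

# Defaults named on this page: Minimum Fragment Size 120 (event 110 when a first
# fragment is shorter) and Minimum Fragment Offset 60. Mapping the "IP fragment
# offset too small" reason to event 112 is an assumption of this example.
MIN_FRAGMENT_SIZE = 120
MIN_FRAGMENT_OFFSET = 60
MAX_DATAGRAM = 65535          # IPv4 total length is a 16-bit field


def parse_ipv4_fragment(packet: bytes) -> dict:
    """Decode the IPv4 header fields a fragment sanity check needs."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    ver_ihl, _tos, total_length, ident, flags_frag = struct.unpack("!BBHHH", packet[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (ver_ihl & 0x0F) * 4
    return {
        "ident": ident,
        "total_length": total_length,
        "more_fragments": bool(flags_frag & 0x2000),
        "offset": (flags_frag & 0x1FFF) * 8,      # the field counts 8-byte units
        "payload_length": total_length - header_len,
    }


class FragmentChecker:
    """Classifies IPv4 fragments the way events 110, 111, 112 and 136 describe."""

    def __init__(self, min_size=MIN_FRAGMENT_SIZE, min_offset=MIN_FRAGMENT_OFFSET):
        self.min_size = min_size        # 0 turns the first-fragment size check off
        self.min_offset = min_offset    # 0 turns the offset check off
        self.seen = {}                  # ident -> accepted (start, end) byte ranges

    def check(self, packet: bytes):
        """Return None if the packet passes, else (event id, event name)."""
        f = parse_ipv4_fragment(packet)
        if not (f["more_fragments"] or f["offset"] > 0):
            return None                 # not fragmented: nothing to check here
        start, end = f["offset"], f["offset"] + f["payload_length"]
        if start == 0 and self.min_size and f["total_length"] < self.min_size:
            return (110, "First Fragment Too Small")
        if 0 < start < self.min_offset:
            return (112, "Fragment Offset Too Small")
        if end > MAX_DATAGRAM:
            return (111, "Fragment Out Of Bounds")
        for s, e in self.seen.get(f["ident"], []):
            if start < e and s < end:   # byte ranges intersect an earlier fragment
                return (136, "Overlapping Fragment")
        self.seen.setdefault(f["ident"], []).append((start, end))
        return None


def build_fragment(ident: int, offset: int, more_fragments: bool, payload_len: int) -> bytes:
    """Constructed sample packet: minimal 20-byte IPv4 header plus a zero-filled payload."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                         64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + bytes(payload_len)


def demo():
    """Run the constructed samples through one checker; returns the event per packet."""
    checker = FragmentChecker()
    samples = [
        build_fragment(1, 0, True, 64),        # first fragment, 84 bytes total -> 110
        build_fragment(2, 0, True, 1400),      # sane first fragment -> accepted
        build_fragment(2, 1400, True, 1400),   # next fragment in order -> accepted
        build_fragment(2, 2000, False, 100),   # re-covers bytes 2000-2100 -> 136
        build_fragment(3, 24, True, 100),      # offset 24 < 60 -> 112
        build_fragment(4, 65528, False, 100),  # ends past 65535 -> 111
        build_fragment(5, 0, False, 100),      # not fragmented -> None
    ]
    return [checker.check(p) for p in samples]


if __name__ == "__main__":
    for event in demo():
        print(event)
```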
113 IPv6 Packet An IPv6 packet was encountered, and IPv6 blocking is enabled. See the "Block IPv6 on Agents and Appliances versions 9 and later" property in Advanced Network Engine Options (listed under event 110 above).
114 Max Incoming Connections The number of incoming connections has exceeded the maximum number of connections allowed. See the "Enable TCP stateful inspection" property in TCP Packet Inspection.
115 Max Outgoing Connections The number of outgoing connections has exceeded the maximum number of connections allowed. See the "Enable TCP stateful inspection" property in TCP Packet Inspection.
116 Max SYN Sent The number of half open connections from a single computer exceeds that specified in the firewall stateful configuration. See the "Limit the number of half-open connections from a single computer to" property in TCP Packet Inspection.
117 License Expired  
118 IP Version Unknown An IP packet other than IPv4 or IPv6 was encountered.
119 Invalid Packet Info  
120 Internal Engine Error Insufficient system memory. Add more system resources to fix this issue.
121 Unsolicited UDP Incoming UDP packets that were not solicited by the computer are rejected.
122 Unsolicited ICMP ICMP stateful has been enabled (in firewall stateful configuration) and an unsolicited packet that does not match any Force Allow rules was received.
123 Out Of Allowed Policy The packet does not meet any of the Allow or Force Allow rules and so is implicitly denied.
124 Invalid Port Command An invalid FTP port command was encountered in the FTP control channel data stream.
125 SYN Cookie Error The SYN cookies protection mechanism encountered an error.
126 Invalid Data Offset Invalid data offset parameter.
127 No IP Header The packet IP header is invalid or incomplete.
128 Unreadable Ethernet Header Data contained in this Ethernet frame is smaller than the Ethernet header.
129 Undefined  
130 Same Source and Destination IP Source and destination IPs were identical.
131 Invalid TCP Header Length  
132 Unreadable Protocol Header The packet contains an unreadable TCP, UDP or ICMP header.
133 Unreadable IPv4 Header The packet contains an unreadable IPv4 header.
134 Unknown IP Version Unrecognized IP version.
135 Invalid Adapter Configuration An invalid adapter configuration has been received.
136 Overlapping Fragment This packet fragment overlaps a previously sent fragment.
138 Packet on Closed Connection A packet was received belonging to a connection already closed.
139 Dropped Retransmit

The network engine detected a TCP packet that overlaps with data already received on the same TCP connection but does not match the already-received data. (The network engine compares the packet data that was queued in the engine's connection buffer to the data in the packet that was retransmitted.) A retransmission whose content differs from the original is dropped because the end host and the inspection engine could otherwise act on two different versions of the stream.

The network engine reconstructs the sequenced data stream of each TCP connection it processes. The sequence number and length in the received packet specify a specific region in this data stream. The note field in the log indicates the location of the changed content in the TCP stream: prev-full, prev-part, next-full and next-part:

  • "prev-full" and "prev-part": The changed area is in the packet that immediately precedes the retransmitted packet in the sequenced data stream. "prev-full" indicates that the changed area is completely contained in the packet which immediately precedes the retransmitted packet in the sequenced data stream. Otherwise, the note is "prev-part".
  • "next-full" and "next-part": The changed area is in the packet that immediately follows the retransmitted packet in the sequenced data stream. "next-full" indicates that the changed area is completely contained in the packet that immediately follows the retransmitted packet in the sequenced data stream. Otherwise, the note is "next-part".
140 Undefined  
141 Out of Allowed Policy (Open Port)  
142 New Connection Initiated  
143 Invalid Checksum  
144 Invalid Hook Used  
145 IP Zero Payload  
146 IPv6 Source Is Multicast  
147 Invalid IPv6 Address  
148 IPv6 Fragment Too Small  
149 Invalid Transport Header Length  
150 Out of Memory  
151 Max TCP Connections The maximum number of TCP connections has been exceeded. See Increase the maximum allowed TCP connections.
152 Max UDP Connections  
200 Region Too Big A region (edit region, URI, etc.) exceeded the maximum allowed buffering size (7570 bytes) without being closed. This is usually because the data does not conform to the protocol.
201 Insufficient Memory The packet could not be processed properly because resources were exhausted. This can be because too many concurrent connections require buffering (max 2048) or matching resources (max 128) at the same time or because of excessive matches in a single IP packet (max 2048) or simply because the system is out of memory.
202 Maximum Edits Exceeded The maximum number of edits (32) in a single region of a packet was exceeded.
203 Edit Too Large Editing attempted to increase the size of the region above the maximum allowed size (8188 bytes).
204 Max Matches in Packet Exceeded There are more than 2048 positions in the packet with pattern match occurrences. An error is returned at this limit and the connection is dropped because this usually indicates a garbage or evasive packet.
205 Engine Call Stack Too Deep  
206 Runtime Error Runtime error.
207 Packet Read Error Low level problem reading packet data.
300 Unsupported Cipher An unknown or unsupported cipher suite has been requested.
301 Error Generating Master Key(s) Unable to derive the cryptographic keys, MAC secrets, and initialization vectors from the master secret.
302 Record Layer Message (not ready) The SSL state engine has encountered an SSL record before initialization of the session.
303 Handshake Message (not ready) The SSL state engine has encountered a handshake message after the handshake has been negotiated.
304 Out Of Order Handshake Message A well formatted handshake message has been encountered out of sequence.
305 Memory Allocation Error The packet could not be processed properly because resources were exhausted. This can be because too many concurrent connections require buffering (max 2048) or matching resources (max 128) at the same time or because of excessive matches in a single IP packet (max 2048) or simply because the system is out of memory.
306 Unsupported SSL Version A client attempted to negotiate an SSL V2 session.
307 Error Decrypting Pre-master Key Unable to un-wrap the pre-master secret from the ClientKeyExchange message.
308 Client Attempted to Rollback A client attempted to rollback to an earlier version of the SSL protocol than that which was specified in the ClientHello message.
309 Renewal Error An SSL session resumption was requested with a cached session key that could not be located.
310 Key Exchange Error The server is attempting to establish an SSL session with a temporarily generated (ephemeral) key. Such a session cannot be decrypted with the server's static private key, so the engine is unable to inspect it.
311 Maximum SSL Key Exchanges Exceeded The maximum number of concurrent key exchange requests was exceeded.
312 Key Too Large The master secret keys are larger than specified by the protocol identifier.
313 Invalid Parameters In Handshake An invalid or unreasonable value was encountered while trying to decode the handshake protocol.
314 No Sessions Available  
315 Compression Method Unsupported  
316 Unsupported Application-Layer Protocol An unknown or unsupported SSL Application-Layer Protocol has been requested.
500 URI Path Depth Exceeded Too many "/" separators. Max 100 path depth.
501 Invalid Traversal Tried to use "../" above root.
502 Illegal Character in URI Illegal character used in the URI.
503 Incomplete UTF8 Sequence The URI ended in the middle of a UTF-8 sequence.
504 Invalid UTF8 encoding Invalid or non-canonical encoding attempt (for example, an overlong sequence such as %C0%AF for "/").
505 Invalid Hex Encoding %nn where nn are not hex digits.
506 URI Path Length Too Long Path length is greater than 512 characters.
507 Invalid Use of Character Use of disabled characters.
508 Double Decoding Exploit Double decoding exploit attempt (%25xx, %25%xxd, etc).
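Events 500 to 508 are the failure modes of URI normalization, and the order in which an inspection engine has to apply the checks matters: a malformed %-sequence or a non-canonical UTF-8 byte must be rejected before any ".." resolution, or an overlong "/" slips past the traversal check. The normalizer below is an added example, not Deep Security's code; it maps each condition to the event number from the table. The illegal-character set, the (empty by default) list of disabled characters, and every sample URI are assumptions made for this example, while the 100-separator and 512-character limits are the ones stated above.

```python
"""URI normalization checks for events 500-508 (added example, not Deep Security's code).

Order of operations: size and raw-character checks, one layer of %-decoding,
strict UTF-8 validation, detection of a second %-layer, disabled characters,
then depth and traversal against the root. Sets and samples are constructed.
"""
import re
from typing import Optional, Tuple

MAX_DEPTH = 100          # event 500: more "/" separators than this
MAX_LEN = 512            # event 506: longer path than this
HEX = "0123456789abcdefABCDEF"
# Event 502: control characters, DEL and delimiters a path may not carry raw
# (assumed set for this example; a real engine's list is configurable).
ILLEGAL = frozenset(chr(c) for c in range(0x20)) | frozenset('\x7f "<>\\^`{|}')
SECOND_LAYER = re.compile(r"%[0-9A-Fa-f]{2}")   # %-sequence surviving one decode


def percent_decode(uri: str) -> Tuple[Optional[bytes], Optional[int]]:
    """Decode one layer of %XX: (bytes, None), or (None, 505) on a bad sequence."""
    out, i = bytearray(), 0
    while i < len(uri):
        if uri[i] == "%":
            if i + 2 >= len(uri) or uri[i + 1] not in HEX or uri[i + 2] not in HEX:
                return None, 505
            out.append(int(uri[i + 1:i + 3], 16))
            i += 3
        else:
            out += uri[i].encode("utf-8")
            i += 1
    return bytes(out), None


def decode_utf8_strict(buf: bytes) -> Tuple[Optional[str], Optional[int]]:
    """Decode UTF-8 by hand so overlong forms are visible: (text, None),
    (None, 503) when the URI ends mid-sequence, (None, 504) when a sequence
    is malformed or non-canonical (for example %C0%AF for "/")."""
    out, i = [], 0
    while i < len(buf):
        b = buf[i]
        if b < 0x80:
            n, cp, floor = 1, b, 0
        elif 0xC2 <= b <= 0xDF:
            n, cp, floor = 2, b & 0x1F, 0x80
        elif 0xE0 <= b <= 0xEF:
            n, cp, floor = 3, b & 0x0F, 0x800
        elif 0xF0 <= b <= 0xF4:
            n, cp, floor = 4, b & 0x07, 0x10000
        else:
            return None, 504           # 0x80-0xC1 and 0xF5-0xFF never start a sequence
        if i + n > len(buf):
            return None, 503           # truncated at end of URI
        for k in range(1, n):
            c = buf[i + k]
            if c & 0xC0 != 0x80:
                return None, 504       # not a continuation byte
            cp = (cp << 6) | (c & 0x3F)
        if cp < floor or 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            return None, 504           # overlong, surrogate or beyond Unicode
        out.append(chr(cp))
        i += n
    return "".join(out), None


def check_uri(uri: str, disabled: frozenset = frozenset()) -> Tuple[int, str]:
    """Return (0, normalized path) or (event id, reason) for the first failure."""
    if len(uri) > MAX_LEN:
        return 506, "path longer than %d characters" % MAX_LEN
    for c in uri:
        if c in ILLEGAL or ord(c) >= 0x80:
            return 502, "illegal character %r" % c
    raw, err = percent_decode(uri)
    if err:
        return err, "% not followed by two hex digits"
    text, err = decode_utf8_strict(raw)
    if err:
        return err, "incomplete UTF-8 sequence" if err == 503 else "invalid or non-canonical UTF-8"
    if SECOND_LAYER.search(text):
        return 508, "encoded %% survived one decode: %s" % text
    for c in text:
        if c in disabled:
            return 507, "disabled character %r" % c
    if text.count("/") > MAX_DEPTH:
        return 500, "more than %d path separators" % MAX_DEPTH
    stack = []
    for part in text.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not stack:
                return 501, "traversal above root"
            stack.pop()
        else:
            stack.append(part)
    return 0, "/" + "/".join(stack)


SAMPLES = [                                    # constructed inputs, one per event
    "/static/./css/../app.js",                 # 0, normalizes to /static/app.js
    "/images/../../etc/passwd",                # 501
    "/a/%2e%2e/%2e%2e/etc/passwd",             # 501 after one decode
    "/cgi-bin/%c0%af..%c0%afetc/passwd",       # 504 overlong "/"
    "/file%e2%82",                             # 503 truncated sequence
    "/%25%32%65%25%32%65/secret",              # 508, decodes to /%2e%2e/secret
    "/search%zz",                              # 505
    "/bad<script>",                            # 502
    "/" + "a/" * 101,                          # 500
    "/" + "x" * 600,                           # 506
]

if __name__ == "__main__":
    for s in SAMPLES:
        code, info = check_uri(s)
        print(code, s[:40], info[:50])
```

The sample with %25%32%65 shows why event 508 is worth logging rather than silently normalizing: a single decode yields "%2e%2e", which a back end that decodes twice turns into "..", so the engine flags the surviving %-layer instead of guessing how many times the server will decode.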
700 Invalid Base64 Content Packet content that was expected to be encoded in Base64 format was not encoded correctly.
710 Corrupted Deflate/GZIP Content Packet content that was expected to be Deflate/GZIP-compressed could not be decompressed because the data is corrupted.
711 Incomplete Deflate/GZIP Content Incomplete Deflate/GZIP content
712 Deflate/GZIP Checksum Error Deflate/GZIP checksum error.
713 Unsupported Deflate/GZIP Dictionary Unsupported Deflate/GZIP dictionary.
714 Unsupported GZIP Header Format/Method Unsupported GZIP header format or method.
801 Protocol Decoding Search Limit Exceeded A protocol decoding rule defined a limit for a search or pdu object but the object was not found before the limit was reached.
802 Protocol Decoding Constraint Error A protocol decoding rule decoded data that did not meet the protocol content constraints.
803 Protocol Decoding Engine Internal Error  
804 Protocol Decoding Structure Too Deep A protocol decoding rule encountered a type definition and packet content that caused the maximum type nesting depth (16) to be exceeded.
805 Protocol Decoding Stack Error A rule programming error attempted to cause recursion or use too many nested procedure calls.
806 Infinite Data Loop Error