Users failed to access the Internet after attack defense was configured on the firewall.
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend winnuke enable
firewall defend ip-spoofing enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
Run the undo firewall defend ip-spoofing enable command to disable IP-spoofing attack defense.
1. Query session information on the firewall by the client IP address. No session is displayed on the firewall, so either the client is not sending packets to the firewall or the firewall is discarding the packets it receives.
[USG9000] display firewall session table verbose source inside 10.244.1.130
Info: Current total sessions: 0
The problem occurred after the configuration of attack defense and was resolved after the attack defense commands were deleted. It is preliminarily determined that the packets were discarded due to attack defense.
2. Check the firewall logs. IP-spoofing attack logs are present, and the logged attack source IP address is the IP address of the Internet access user. It can therefore be determined that the user packets are being discarded by the firewall's anti-spoofing mechanism.
SEC/4/ATCKDF(l):AttackType: IP spoof attack; slot: 16; cpu: 1; Receive Interface: Eth-Trunk2.20; from: 10.244.1.130 10.244.0.35 10.244.3.80 10.244.1.58 10.244.1.154 10.244.3.96 10.244.3.168 10.244.0.123; to: 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52; begin time: 2013-12-13 17:05:18; end time: 2013-12-13 17:05:37; total packets: 764
With the anti-spoofing mechanism, the firewall looks up a route based on the source address of each packet and checks whether the outgoing interface of that route is the same as the interface on which the packet arrived. If the two interfaces differ, the firewall considers the packet an attack packet and discards it.
Based on the attack log, the firewall receives the packet on Eth-Trunk2.20, but the outgoing interface of the route for 10.244.1.130 is Eth-Trunk2.10, so the firewall discards the packet as an attack packet.
[USG9000] display ip routing-table 10.244.1.130
10.244.0.0/16 Static 60 0 RD 184.108.40.206 Eth-Trunk2.10
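The following is an added example, not code from the original case or from the firewall vendor; it models the anti-spoofing (reverse-path) check described above against a constructed routing table taken from the display output, and goes one step further by showing that a hypothetical more specific route for the users' subnet via Eth-Trunk2.20 would also satisfy the check (the route and its prefix are assumptions, not part of the page).

```python
import ipaddress
from typing import Optional

# Constructed routing table modelled on the "display ip routing-table"
# output on this page: (destination prefix, outgoing interface). Only the
# fields the anti-spoofing check uses are kept.
ROUTES = [
    ("10.244.0.0/16", "Eth-Trunk2.10"),
]


def lookup_route(routes, address: str) -> Optional[str]:
    """Longest-prefix match: return the outgoing interface of the best
    route for `address`, or None when no route covers it."""
    ip = ipaddress.ip_address(address)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def anti_spoofing_check(routes, src: str, in_iface: str) -> bool:
    """The IP-spoofing defense as the page describes it: look the route up
    by the packet's *source* address and forward the packet only when that
    route's outgoing interface equals the interface it arrived on.
    A source with no route at all is treated as a drop here (assumption)."""
    out_iface = lookup_route(routes, src)
    return out_iface is not None and out_iface == in_iface


def classify(routes, packets):
    """Apply the check to (source, ingress interface) tuples and map each
    to 'forward' or 'drop (IP spoof)'."""
    return {
        (src, iface): "forward" if anti_spoofing_check(routes, src, iface)
        else "drop (IP spoof)"
        for src, iface in packets
    }


if __name__ == "__main__":
    # Constructed packets: the page's user arriving on Eth-Trunk2.20.
    packets = [("10.244.1.130", "Eth-Trunk2.20"), ("10.244.1.130", "Eth-Trunk2.10")]
    print(classify(ROUTES, packets))
    # Hypothetical alternative to disabling the defense: a more specific
    # route for the users' subnet via the interface they actually use.
    fixed = ROUTES + [("10.244.1.0/24", "Eth-Trunk2.20")]
    print(classify(fixed, packets))
```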