https://community.checkpoint.com/t5/Firewall-and-Security-Management/Excessive-Denies-from-a-source-ip/m-p/142551#M25272 <P>It sounds like the firewall is doing its job. However if you are concerned about all the drops coming from single source IP address, this is a great use case for enabling the SecureXL penalty box which can very efficiently start blocking this type of traffic, and avoid the overhead of a full rulebase lookup for every dropped packet.&nbsp; See section 9 of this SK:</P> <P><A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk112454&amp;partition=Advanced&amp;product=SecureXL," target="_blank">sk112454: How to configure Rate Limiting rules for DoS Mitigation (R80.20 and higher)</A></P> <P>&nbsp;</P> Sat, 26 Feb 2022 15:37:31 GMT Timothy_Hall 2022-02-26T15:37:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Excessive-Denies-from-a-source-ip/m-p/142530#M25270 <P>We have recently set up SOC monitoring for our R80.40 Gateways. There have been constant alerts related to excessive denies from a single source or excessive prevent action logged by IPS.</P><P>My query is if the action is drop/reject or prevent for either neutral reputation or malicious reputation... are these kind of alerts relevant enough to be addressed or they are best left unattended considering Firewall on its own is taking care of these.</P><P>Or do i need to worry about Firewall Health or look at if a certain benchmark has been breached from a single source . for example : if there are more than150k or 100k hits from a single source then i should check certain things such as Firewall Health , Memory etc. ?</P> Fri, 25 Feb 2022 16:34:44 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Excessive-Denies-from-a-source-ip/m-p/142530#M25270 LostBoY 2022-02-25T16:34:44Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Excessive-Denies-from-a-source-ip/m-p/142533#M25271 <P>You can make IPS exception for it, or SAM rule to block it, but it sounds like the firewall is doing its job.</P> Fri, 25 Feb 2022 18:38:24 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Excessive-Denies-from-a-source-ip/m-p/142533#M25271 the_rock 2022-02-25T18:38:24Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Excessive-Denies-from-a-source-ip/m-p/142551#M25272 <P>It sounds like the firewall is doing its job. However if you are concerned about all the drops coming from single source IP address, this is a great use case for enabling the SecureXL penalty box which can very efficiently start blocking this type of traffic, and avoid the overhead of a full rulebase lookup for every dropped packet.&nbsp; See section 9 of this SK:</P> <P><A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk112454&amp;partition=Advanced&amp;product=SecureXL," target="_blank">sk112454: How to configure Rate Limiting rules for DoS Mitigation (R80.20 and higher)</A></P> <P>&nbsp;</P> Sat, 26 Feb 2022 15:37:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Excessive-Denies-from-a-source-ip/m-p/142551#M25272 Timothy_Hall 2022-02-26T15:37:31Z