
Protocol violation sig_id

Good Morning,

I'm seeing some random protocol violation messages in one of my customer's logs and I'm trying to figure out what is going on. This particular message is "Firewall - Protocol violation detected with protocol:(NTP-UDP), matched protocol sig_id:(9), violation sig_id:(12). (500)". Is there a place to see what violation sig_id:12 or matched protocol sig_id:9 is referring to?

This is not in relation to something not working correctly; it's just a review of log ALERTS, and I want to be able to explain it or eliminate it.

Thanks,
Paul

3 Replies

Re: Protocol violation sig_id

The error message Firewall - Protocol violation detected with protocol:(NTP-UDP) points to an access rule with that predefined service used.

sig_id seems not to be specific to the service; see sk162012, "After upgrading Security Gateway from R77.30 to R80.20, ftp-traffic from some Linux-FTP-clients is blocked".


Re: Protocol violation sig_id

I saw this SK you mention when I was searching. There is not really anything that is breaking per se. It's just making a mess of the logs because there are a bunch of "alerts." In fact they are not even drops. We just have a routine that reports on all of the "alerts" and then I have to sift through these protocol violations. Do you know how to fix it? Is it something I have to do in the rulebase? Or is there a way to stop alerting on it since they are allows? I just don't want to stop alerting on something that is worthwhile in order to cut down on noise. I could easily just not log everything and that would get rid of the noise 🙄 For the most part it's UDP 4500 and 500 as well as 443/128/25, etc., but then if I eliminate them from the log view there are a bunch of random high ports with "protocol unknown" in the protocol field.

 


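As an added example (not code from this thread or from Check Point), here is a small Python script that parses messages in the format quoted in the question and groups them by protocol, matched sig_id, violation sig_id and port, so the repeated combinations that only add noise to an alert report can be separated from the leftovers (such as "unknown" protocol on high ports) that still need a look. The log lines are constructed for the example, and reading the trailing "(500)" as the destination port is an assumption, not something the thread confirms.

```python
import re
from collections import Counter

# Pattern for the message format quoted in the question. The trailing "(500)"
# is read here as the destination port; that interpretation is an assumption.
VIOLATION_RE = re.compile(
    r"Protocol violation detected with protocol:\((?P<protocol>[^)]*)\), "
    r"matched protocol sig_id:\((?P<matched>\d+)\), "
    r"violation sig_id:\((?P<violation>\d+)\)\. \((?P<port>\d+)\)"
)

# Constructed sample lines (not from the thread), modelled on the one message
# quoted in the question. The last line is a non-violation message that the
# parser must skip.
SAMPLE_LINES = [
    "Firewall - Protocol violation detected with protocol:(NTP-UDP), matched protocol sig_id:(9), violation sig_id:(12). (500)",
    "Firewall - Protocol violation detected with protocol:(NTP-UDP), matched protocol sig_id:(9), violation sig_id:(12). (4500)",
    "Firewall - Protocol violation detected with protocol:(NTP-UDP), matched protocol sig_id:(9), violation sig_id:(12). (500)",
    "Firewall - Protocol violation detected with protocol:(unknown), matched protocol sig_id:(9), violation sig_id:(12). (51234)",
    "Firewall - Protocol violation detected with protocol:(unknown), matched protocol sig_id:(9), violation sig_id:(12). (60010)",
    "Firewall - Accept; not a protocol violation message at all",
]


def parse_violation(line):
    """Return {protocol, matched, violation, port} for a protocol violation
    message, or None when the line is something else."""
    m = VIOLATION_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["matched"] = int(rec["matched"])
    rec["violation"] = int(rec["violation"])
    rec["port"] = int(rec["port"])
    return rec


def summarize(lines):
    """Count messages per (protocol, matched sig_id, violation sig_id, port)
    so the dominant combinations stand out."""
    counts = Counter()
    for line in lines:
        rec = parse_violation(line)
        if rec is not None:
            counts[(rec["protocol"], rec["matched"], rec["violation"], rec["port"])] += 1
    return counts


def split_by_known_ports(lines, known_ports):
    """Split parsed violations into those on ports already reviewed (safe to
    drop from the alert report) and the remainder that still needs a look."""
    known, remaining = [], []
    for line in lines:
        rec = parse_violation(line)
        if rec is None:
            continue
        (known if rec["port"] in known_ports else remaining).append(rec)
    return known, remaining


if __name__ == "__main__":
    for (protocol, matched, violation, port), n in summarize(SAMPLE_LINES).most_common():
        print(f"{n:4d}  protocol={protocol} matched_sig={matched} "
              f"violation_sig={violation} port={port}")
    # Ports the second post names as the usual suspects (UDP 4500/500, 443, 128, 25).
    known, remaining = split_by_known_ports(SAMPLE_LINES, {500, 4500, 443, 128, 25})
    print(f"{len(known)} on reviewed ports, {len(remaining)} still to review")
```

The grouping is deliberately keyed on the full (protocol, matched sig_id, violation sig_id, port) tuple: if two sig_id values ever differ for the same service, that shows up as a separate row rather than being folded into the noise.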

Re: Protocol violation sig_id

More on the log fields can be read here:

SK144192 - Log Fields Description 

The signatures are used by the PSL. Unfortunately there is no list for the protocols here.

matched protocol sig_id:(9) = FTP
violation sig_id:(12)       = ?

For more on PSL, read here:

R80.x - Security Gateway Architecture (Content Inspection)
