Sep 07, Reviewing SonicWall logs this morning and found that three out of my four branch offices have seen "TCP Xmas Tree dropped" in the logs. In all three cases it's coming from the same IP address, which WHOIS says is somewhere in Russia.

Christmas tree packet. In information technology, a Christmas tree packet is a packet with every single option set for whatever protocol is in use. The term derives from a fanciful image of each little option bit in a header being represented by a different-colored light bulb, all turned on, as in "the packet was lit up like a Christmas tree".
Jun 15, I was reviewing the firewall logs today and see many entries stating a TCP Xmas tree packet was dropped. Originating from Amazon located in Canada. Just wondering if anyone else is seeing this type of traffic lately too?
Apr 22, 04/22/ DESCRIPTION: This article describes how to work around the drop "(Invalid TCP Flag (#2)), Module Id: 25 (network)" due to network issues.
CAUSE: Packets may be perceived as having an invalid TCP flag if packets with SYN+ACK+PSH, instead of SYN+ACK, are received. Packets may also reach the SonicWall in the incorrect sequence.
TCP SYN/FIN Packet Dropped: FLASHING YELLOW: TCP Xmas Tree Packet Dropped: FLASHING YELLOW: Unauthorized TCP Packet Denied: FLASHING YELLOW: Unauthorized UDP Packet Denied: FLASHING YELLOW: Unauthorized ICMP Packet Denied: FLASHING YELLOW: Website Accessed: FLASHING YELLOW: Website Blocked: MAJOR ALARM: FLASHING RED: TCP SYN/FIN/RST Flood.

Enable TCP checksum enforcement – If an invalid TCP checksum is calculated, the packet will be dropped.
Default TCP Connection Timeout – The default time assigned to Access Rules for TCP traffic. If a TCP session is active for a period in excess of this setting, the TCP connection will be cleared by the SonicWALL.
Setting this value too low can decrease performance when the SYN Proxy is always enabled.
08/17/ 67 DESCRIPTION: SonicWall Log Shows Possible FIN Floods.
RESOLUTION: Navigate to Investigate > Logs > Event Logs. Entries show a possible FIN Flood, as shown below.
01/14/ - Alert - Intrusion Prevention - Possible FIN Flood on IF X0 - src: dst: -.