2.72. THRESHOLD

Home Prev	cOS Core 14.00.17 Log Reference Guide	Next

Default Severity: WARNING
Log Message: Connection threshold <description> exceeded <threshold>. Source IP: <srcip>. Closing connection
Explanation: The source ip is opening up new connections too fast.
Firewall Action: closing_connection
Recommended Action: Investigate worms and DoS attacks.
Revision: 1
Parameters: description
threshold
srcip
Context Parameters: Rule Name

Default Severity: INFORMATIONAL
Log Message: Reminder: Connection threshold <description> exceeded <threshold>. Source IP: <srcip>.
Explanation: The source ip is still opening up new connections too fast.
Firewall Action: None
Recommended Action: Look through logs to see if the source ip has misbehaved in the past.
Revision: 1
Parameters: description
threshold
srcip
Context Parameters: Rule Name

Default Severity: NOTICE
Log Message: Connection threshold <description> exceeded <threshold>. Source IP: <srcip>
Explanation: The source ip is opening up new connections too fast.
Firewall Action: None
Recommended Action: Investigate worms and DoS attacks.
Revision: 1
Parameters: description
threshold
srcip
Context Parameters: Rule Name

Default Severity: ERROR
Log Message: Failed to keep connection count. Reason: Out of memory
Explanation: The device was unable to allocate resources needed to include the connection in the connection count kept by threshold rules. The connection will not be included in the connection count.
Firewall Action: None
Recommended Action: Check memory consumption.
Revision: 1
Context Parameters: Connection

Default Severity: ERROR
Log Message: Failed to keep connection count. Reason: Out of memory
Explanation: The device was unable to allocate resources needed to include the connection in the connection count kept by threshold rules. Since there exist protect actions that are triggered by thresholds on the number of connections, the connection will be closed.
Firewall Action: close
Recommended Action: Check memory consumption.
Revision: 1
Context Parameters: Connection

Default Severity: NOTICE
Log Message: The number of connections matching the rule and originating from <srcip> exceeds <threshold>.
Explanation: The number of connections matching the threshold rule and originating from a single host exceeds the configured threshold. Note: This log message is rate limited via an exponential back-off procedure.
Firewall Action: None
Recommended Action: None
Revision: 1
Parameters: threshold
srcip
[username]
Context Parameters: Rule Name

Default Severity: NOTICE
Log Message: The number of connections matching the rule and originating from <srcip> exceeds <threshold>.
Explanation: The number of connections matching the threshold rule and originating from a single host exceeds the configured threshold. The configured protective measures will be triggered. Note: This log message is rate limited via an exponential back-off procedure.
Firewall Action: protect
Recommended Action: None
Revision: 1
Parameters: threshold
srcip
[username]
Context Parameters: Rule Name

Default Severity: NOTICE
Log Message: The number of connections matching the rule exceeds <threshold>. The Offending host is <srcip>.
Explanation: The number of connections matching the threshold rule exceeds the configured threshold. Note: This log message is rate limited via an exponential back-off procedure.
Firewall Action: None
Recommended Action: None
Revision: 1
Parameters: threshold
srcip
[username]
Context Parameters: Rule Name

Default Severity: NOTICE
Log Message: The number of connections matching the rule exceeds <threshold>. The Offending host is <srcip>.
Explanation: The number of connections matching the threshold rule exceeds the configured threshold. The configured protective measures will be triggered. Note: This log message is rate limited via an exponential back-off procedure.
Firewall Action: protect
Recommended Action: None
Revision: 1
Parameters: threshold
srcip
[username]
Context Parameters: Rule Name