Summary
A solution to the issue of receiving a warning about excessive accesses to an IP address.
Problem
I have warning messages in the system log similar to "1D073503: Caution: have detected 200 accesses to IP Address 206.219.67.2 in the last 15 minutes".
Solution
There are two resolution options available:
Option One
Stop the system responding to those messages
You need to change the following 3 options:
Network > Settings > Advanced > Bad External Traffic - Currently Reject, Change to Drop.
Network > Firewall > Firewall rules > Catch-all Section > Default rule - Currently set to Reject, change it to Drop.
Changing from Reject to Drop means the remote device making the requests no longer gets a response telling it that it has been rejected. This may help reduce the volume of hits on ports if that remote device either gives up trying to send, or takes a long time to time out between requests.
Dropping traffic, particularly on an internal interface, can have the negative side effect of making it harder to troubleshoot problems.
Note: This option doesn't actually affect the alerts directly.
Option Two
Configure Alerts:
Reports > Alerts > Alert settings > Firewall Notifications, increase the 4 incident threshold values from the default, for example change from 200 to 2000.
Note: This option will directly change how frequently alerts are generated.
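The following is an added example, not part of the original article or the firewall product, showing how the threshold change in Option Two affects which of these warnings would trip an alert. It parses log lines in the format quoted in the Problem section and evaluates them against a configurable incident threshold; the message format is assumed to be stable, the comparison is assumed to be "count at or above threshold", and all sample log lines except the first IP address are constructed.

```python
"""Parse 'excessive accesses' warnings and test them against an alert threshold."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Message format taken from the warning quoted in the Problem section.
# Assumption: the leading hex code and the wording are stable across messages.
WARNING_RE = re.compile(
    r"(?P<code>[0-9A-F]+): Caution: have detected (?P<count>\d+) accesses "
    r"to IP Address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) in the last (?P<minutes>\d+) minutes"
)


@dataclass
class AccessWarning:
    code: str
    count: int
    ip: str
    minutes: int

    @property
    def per_minute(self) -> float:
        """Average request rate over the reporting window."""
        return self.count / self.minutes


def parse_warning(line: str) -> Optional[AccessWarning]:
    """Return the parsed warning, or None for log lines that are not this message."""
    m = WARNING_RE.search(line)
    if not m:
        return None
    return AccessWarning(
        code=m.group("code"),
        count=int(m.group("count")),
        ip=m.group("ip"),
        minutes=int(m.group("minutes")),
    )


def exceeds_threshold(warning: AccessWarning, threshold: int) -> bool:
    """Assumption: an alert fires when the count reaches the configured threshold."""
    return warning.count >= threshold


def alerting_sources(lines: List[str], threshold: int) -> Dict[str, int]:
    """Map each remote IP that would trigger an alert to its highest observed count."""
    worst: Dict[str, int] = {}
    for line in lines:
        warning = parse_warning(line)
        if warning is None or not exceeds_threshold(warning, threshold):
            continue
        worst[warning.ip] = max(worst.get(warning.ip, 0), warning.count)
    return worst


# Constructed sample log lines; only the first IP address comes from the article.
SAMPLE_LOG = [
    "1D073503: Caution: have detected 200 accesses to IP Address 206.219.67.2 in the last 15 minutes",
    "1D073503: Caution: have detected 2450 accesses to IP Address 198.51.100.23 in the last 15 minutes",
    "1D073503: Caution: have detected 37 accesses to IP Address 192.0.2.9 in the last 15 minutes",
    "kernel: eth0: link is up",
]

if __name__ == "__main__":
    # Default threshold (200) versus the raised value (2000) suggested in Option Two.
    for threshold in (200, 2000):
        print(f"threshold={threshold}: {alerting_sources(SAMPLE_LOG, threshold)}")
```

Running the script shows that the raised threshold silences the 200-access source from the article while still surfacing a source making thousands of requests in the same window, which is the trade-off to weigh before changing the setting.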