Address temporarily blocked by active defense (IDS)


Adam H
June 14th, 2009, 07:32 PM
Hi,

I've been having problems hitting various websites including google.com and youtube.com.

Upon checking my logs I've found that the problem is the ESS firewall, and it is blocking connection to these sites due to Address temporarily blocked by active defense (IDS).

These include TCP, UDP and ICMP packets.

I'm using ESS 4153 (20090613)

I have firewall set to Automatic mode with exceptions (user-defined rules)

Does anyone know why I'm getting blocked to these websites?

Thanks & Regards

Adam.

Marcos
June 15th, 2009, 02:35 AM
Have you tried enabling test mode in the update setup?

Adam H
June 15th, 2009, 06:48 PM
-{ Quote: "Have you tried enabling test mode in the update setup?" }-

No - this feature is turned off. Is this able to help me determine the problem, and if so how please?

Thanks

Adam.

trjam
June 15th, 2009, 07:01 PM
It is to update you to the latest firewall. Turn it on, update and then reboot. Hopefully this will resolve your issue.

Adam H
June 17th, 2009, 01:44 AM
Thanks for that. I enabled it and updated, but I'm still getting this problem.

I'm also noticing that it does random stuff, like stops me from connecting to another computer on our network. (I can't even ping another machine on my local network). This problem only happens with some computers, but all works as soon as I disable the firewall on my own computer.

Marcos
June 17th, 2009, 02:41 AM
I'd suggest that you do the following in the IDS section of the firewall setup:
1, enable logging of blocked connections (only for debugging purposes)
2, disable "Block unsafe address after attack detection"

When you encounter the problem you've described, open the firewall log for details about blocked connections (you might need to disable logging blocked connections first). You can post the log here or contact customer care. Please also enclose the information about installed modules (Help -> About).

Adam H
June 17th, 2009, 07:34 PM
Hi Marcos,

Thank you for your reply. Disabling "Block unsafe address after attack detection" has now allowed me to view the machines I couldn't on my local network before.

I have attached a copy of my log file for the last couple of days... (Although I had to rename it to .txt because I couldn't upload a .xml).

Thanks & Regards

Adam.