Firewall 4.2.71.2 Blocking printers, RD,...

I am system admin, and using NOD for more that a year and half. We have 240 licences. Till i updated all to 4.2.71.2 everything was fine.
Now my hole network is blocked. No matter if i add subbnet to Trused zone or not.
I looked at logs of firewall, he blocks after:

identical ip addresses detected in network

That is NOT TRUE. To fix this i had to turn off Block unsafe addresses after attack dectection, but now all pass and IDS is not active any more.

Can somebody help me?

 

What's logged in your firewall log when you enable logging of all blocked connections in the IDS setup? Could you copy & paste some relevant records from the log here?

 

Identical IP addresses detected in network
192.168.3.132
192.168.3.194
ARP


31.5.2011.
12:18:36

Identical IP addresses detected in network
192.168.3.132
192.168.3.194
ARP



31.5.2011.
11:34:03

Identical IP addresses detected in network
192.168.3.132
192.168.3.194
ARP



27.5.2011.
12:25:02

Incorrect IP packet length
192.168.0.11
192.168.3.194
TCP



24.5.2011.
14:48:59

Incorrect IP packet length
192.168.0.15
192.168.3.194
TCP



23.5.2011.
12:22:09

Identical IP addresses detected in network
192.168.3.132
192.168.3.194
ARP



23.5.2011.
9:06:25

Identical IP addresses detected in network
192.168.3.132
192.168.3.194
ARP

here is full brief from ERA:

Column Name Value
Firewall Id Firewall 1298192
Client Name Onetoplay-hp
Computer Name Onetoplay-hp
MAC Address 00232428a57a
Primary Server Master
Date Received 2011-05-31 14:20:42
Date Occurred 2011-05-31 14:06:50
Level Critical Warning
Event Detected ARP cache poisoning attack
Source 192.168.66.249
Target 192.168.66.26
Protocol ARP
Rule
Application
User

Column Name Value
Firewall Id Firewall 1298185
Client Name Onetoplay-hp
Computer Name Onetoplay-hp
MAC Address 00232428a57a
Primary Server Master
Date Received 2011-05-31 14:20:42
Date Occurred 2011-05-31 14:06:38
Level Critical Warning
Event Identical IP addresses detected in network
Source 192.168.66.249
Target 192.168.66.26
Protocol ARP
Rule
Application
User

this also i new:


Column Name Value
Firewall Id Firewall 1298457
Client Name Ri100
Computer Name Ri100
MAC Address 001485a63d27
Primary Server Master
Date Received 2011-05-31 14:55:58
Date Occurred 2011-05-31 14:52:34
Level Warning
Event Detected unexpected data in protocol
Source 192.168.66.41:3831
Target 255.255.255.255
Protocol UDP
Rule
Application
User


Only this i can read from logs

 

If possible, please create 2 logs with the network communication captured using Wireshark; one with fw disabled when everything works fine and the other with fw enabled when the isssue occurs (make sure logging of all blocked connections is actually enabled in the IDS section of the firewall setup).

Export your settings to an xml file and compress it along with the Wireshark logs. When done, let me know and I'll provide you with further instructions.

 

1 st.

1.6.2011. 8:06:24 Identical IP addresses detected in network 192.168.66.250 192.168.66.26 ARP

then

1.6.2011. 8:06:24 Address temporarily blocked by active defense (IDS) 192.168.66.250:3389 192.168.66.26:49258 TCP

------------------------------------------------------

i have logs that u wanted.

 

A PM with further instructions sent.

 

i figured out that if i disable "block unsafe address after attack detection" it work for about 10 min, then block connection for next 10 min. If i disable and "ARP Poison attack detection" then works forever, but it is not good solution.

 

Does it have a static IP? If so you can exclude it from IDS altogether.

 

Then i need to exclude all network printers who are also static. I have about 25 of them and 9 Terminal Servers with same problem.