Screen OS

  • 1.  Deep Inspection Blocking Help

    Posted 04-03-2008 09:46

    Hello,

    I have set up deep inspection on a policy to scan for attacks.  The Juniper SSG-140 detects the attacks, but **does not appear to block** further attacks from the source IP...

    set policy id 15 attack "CRITICAL:DHCP:ANOM" action close-server ip-action "close" target "src-ip" timeout 60 

    Even though the attacks are detected, they keep flowing through to the web server I am trying to protect.

    1) How do I make the SSG-140 block future attacks?

    2) How do I get a list of blocked IP addresses due to a DI attack?

    Thanks!



  • 2.  RE: Deep Inspection Blocking Help
    Best Answer

    Posted 04-03-2008 13:24

    Confirmed the following with a level 2 Juniper Care rep: 

    "The target and the timeout fields under deep inspection setting on a policy apply only to brute force attacks and not to attacks detected by matching a particular signature. If a normal attack is detected, the firewall will just perform the action on that packet. In case a brute force attack is detected, the firewall would perform the specified action based on the target specified for the specified interval. The table that stores this data is internal and there is no command to view the table. All this information is available in the Concepts and Examples guide that you downloaded during our call. You will find this in Volume 4 --> Chapter 5 --> page 132 onwards."



  • 3.  RE: Deep Inspection Blocking Help

    Posted 05-07-2013 09:33

    How do we know if the brute force blocking is working? I see a log notification, but I'm not sure exactly when the timeout blocking is being triggered.

    For example, I'm blocking on excessive 403 status notices, after 8, but my log fills up with "info" messages that my custom rule has been detected, and I see more than 8 requests per minute on my server. I have no way to know if the NetScreen is actually preventing traffic from that IP, but my suspicion is that it's not, or else the NetScreen logs wouldn't contain more than 8 entries within a one-minute period.
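As an added example (not part of this thread, and not Juniper's own tooling), the check the last poster is after can be done offline from the firewall's exported logs: if the brute-force ip-action really holds a source for the configured timeout, no further detections from that source can show up inside that window. The script below models that rule (assumed semantics: `threshold` hits from one source inside a `window_seconds` window trigger the action, after which the source should be quiet for `timeout_seconds`) over constructed log lines in a simplified key=value layout that is not real ScreenOS syslog; change `LINE_RE` to match your actual event format. Consistent with the level 2 answer above, a rule built on a signature match rather than a brute-force attack object only gets the per-packet action, so with that kind of rule the detections keep coming and this check will report the source as not blocked.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified, constructed log layout (assumption, not real ScreenOS syslog output).
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) attack=(\S+) src=(\S+)")
TS_FMT = "%Y-%m-%d %H:%M:%S"


def _constructed_lines(src, start, count, step_s, attack="HTTP:403-EXCESS"):
    """Build `count` constructed detection lines from `src`, `step_s` seconds apart."""
    base = datetime.strptime(start, TS_FMT)
    return [
        f"{(base + timedelta(seconds=i * step_s)).strftime(TS_FMT)} "
        f"attack={attack} src={src} dst=192.0.2.10 action=close"
        for i in range(count)
    ]


# Constructed sample: one source that keeps hitting after the 8th detection (not
# blocked), one that never reaches the threshold, and one that goes quiet for the
# whole timeout after its 8th hit (consistent with blocking). One unrelated line is
# mixed in to show that non-DI events are skipped by the parser.
SAMPLE_LOG = "\n".join(
    _constructed_lines("203.0.113.5", "2013-05-07 09:30:00", 12, 5)
    + ["2013-05-07 09:30:03 system-notification: configuration saved by admin"]
    + _constructed_lines("198.51.100.7", "2013-05-07 09:30:02", 5, 7)
    + _constructed_lines("192.0.2.200", "2013-05-07 09:31:00", 8, 5)
    + _constructed_lines("192.0.2.200", "2013-05-07 09:33:00", 1, 5)
)


def parse_di_events(text):
    """Return (timestamp, attack name, source IP) for each line matching LINE_RE."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3)))
    return events


def analyze(events, threshold=8, window_seconds=60, timeout_seconds=60):
    """Model of a brute-force ip-action (assumed semantics): once `threshold` hits
    from one source fall inside `window_seconds`, that source should produce no
    detections for `timeout_seconds`. Every detection logged inside that quiet
    period is counted as a leak, i.e. traffic the firewall let through."""
    by_src = defaultdict(list)
    for ts, _attack, src in events:
        by_src[src].append(ts)
    window = timedelta(seconds=window_seconds)
    timeout = timedelta(seconds=timeout_seconds)
    result = {}
    for src, times in by_src.items():
        recent = deque()          # timestamps inside the sliding window
        block_until = None        # end of the expected quiet period, if any
        triggers = leaked = 0
        for ts in sorted(times):
            if block_until is not None:
                if ts < block_until:
                    leaked += 1   # seen while the source should have been blocked
                    continue
                block_until = None  # timeout expired, start counting again
            recent.append(ts)
            while recent and recent[0] < ts - window:
                recent.popleft()
            if len(recent) >= threshold:
                triggers += 1
                block_until = ts + timeout
                recent.clear()
        result[src] = {"triggers": triggers, "leaked": leaked}
    return result


def verdict(stats):
    """Human-readable reading of one source's counters."""
    if stats["triggers"] == 0:
        return "threshold never reached"
    if stats["leaked"]:
        return "hits logged inside timeout: ip-action is not blocking"
    return "no hits inside timeout: consistent with blocking"


if __name__ == "__main__":
    for src, stats in analyze(parse_di_events(SAMPLE_LOG)).items():
        print(f"{src:15} {stats}  {verdict(stats)}")
```

A source reported as "consistent with blocking" only shows that the logs do not contradict the ip-action; since the internal block table cannot be listed from the CLI (per the answer above), a positive confirmation needs a second vantage point such as the web server's access log for the same minute.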