Monitors the packets dropped per second on ISA Server 2006 Firewall
Monitors the packets dropped per second on ISA Server 2006 Firewall.
This monitor checks for Number of denied packets per second. The Expected value is no more than 100. Indicates either a network misconfiguration or an attack. Use the ISA Server log to identify the actual condition.
Security problems affecting ISA Server performance are DoS and DDoS attacks. These attacks are characterized by the full consumption of one or more resources of ISA Server. From a performance view, there is no difference between a capacity problem and a security problem, because in both cases the performance of ISA Server suffers due to a resource bottleneck. Still, there are many indications that can lead to a conclusion that the source of a performance problem is a security incident.
ISA Server uses various mechanisms to automatically detect and block security incidents that lead to DoS conditions:
TCP SYN attacks. Automatic detection and protection.
UDP or raw IP flood. Automatic detection and protection by use of per-rule connection quota.
Virus or worm propagation. Automatic detection and protection by use of per-IP connection quota.
In these cases, alerts are triggered, enabling the ISA Server administrator to examine the nature and source of the attack, and use preventive measures to eliminate it.
Identifying a DoS or DDoS attack requires input from all monitoring sources:
Performance counters show how much a resource is consumed, as well as other numbers that have suspect levels triggering further examination with other sources.
ISA Server logs show irregular denial patterns that correlate with a set of ports or IP addresses that are denied access. In most cases, looking at the ISA Server logs provides the necessary information to identify and solve a security incident.
Network captures can also show irregular traffic patterns but at the lower network level. Use network captures in cases where ISA Server logs do not provide adequate information.
When identifying a DoS security incident that is not automatically detected and blocked by ISA Server, contact Microsoft Help and Support.
To use this monitor, you can override the following parameters:
Enabled - Turn on or off this monitor.
Generate Alerts - Set the Flag if alerts are generated for state change conditions.
Autoresolve Alerts - Set the Flag if alerts are auto resolved (reset) for success state change conditions.
Alert Priority - Set the priority of the alerts generated like : High, Medium, Low.
Alert On State - Set the state level to trigger the alert.
Alert Severity - Set the severity of the alerts generated like : Critical, Information, Warning or to Match The Health State.
Threshold - Set the threshold limit to reach before changing state.
Frequency - Set the interval value in seconds.
| Target | Microsoft.ISAServer.2006.Firewall.ServerRole | ||
| Parent Monitor | System.Health.PerformanceState | ||
| Category | PerformanceHealth | ||
| Enabled | True | ||
| Instance Name | ISA Server Firewall Packet Engine | ||
| Counter Name | Dropped Packets/sec | ||
| Frequency | 300 | ||
| Alert Generate | True | ||
| Alert Severity | Warning | ||
| Alert Priority | Normal | ||
| Alert Auto Resolve | False | ||
| Monitor Type | System.Performance.AverageThreshold | ||
| Remotable | True | ||
| Accessibility | Public | ||
| Alert Message |
| ||
| RunAs | Default |
Home<UnitMonitor ID="Microsoft.ISAServer.2006.Firewall.ServerRole.DroppedPacketsPerSec" Accessibility="Public" Target="Microsoft.ISAServer.2006.Firewall.ServerRole" ParentMonitorID="Health!System.Health.PerformanceState" Remotable="true" Priority="Normal" TypeID="Perf!System.Performance.AverageThreshold" ConfirmDelivery="false" Enabled="onEssentialMonitoring">
<Category>PerformanceHealth</Category>
<AlertSettings AlertMessage="Microsoft.ISAServer.2006.Firewall.ServerRole.DroppedPacketsPerSec.AlertMessage">
<AlertOnState>Error</AlertOnState>
<AutoResolve>false</AutoResolve>
<AlertPriority>Normal</AlertPriority>
<AlertSeverity>Warning</AlertSeverity>
<AlertParameters>
<AlertParameter1>$Data/Context/Value$</AlertParameter1>
</AlertParameters>
</AlertSettings>
<OperationalStates>
<OperationalState ID="OverThreshold" MonitorTypeStateID="OverThreshold" HealthState="Error"/>
<OperationalState ID="UnderThreshold" MonitorTypeStateID="UnderThreshold" HealthState="Success"/>
</OperationalStates>
<Configuration>
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<CounterName>Dropped Packets/sec</CounterName>
<ObjectName>ISA Server Firewall Packet Engine</ObjectName>
<InstanceName/>
<AllInstances>false</AllInstances>
<Frequency>300</Frequency>
<Threshold>200</Threshold>
<NumSamples>5</NumSamples>
</Configuration>
</UnitMonitor>