ISA Server 2006: Firewall - Dropped Packets Per Sec Performance Monitor Monitor

  • ID:  Microsoft.ISAServer.2006.Firewall.ServerRole.DroppedPacketsPerSec
  • Description:  Monitors the packets dropped per second on ISA Server 2006 Firewall
  • Target:  Microsoft ISA Server 2006 Firewall Role
  • Enabled:  On Essential Monitoring

Operational States

Name | State | Description
Over Threshold | Error | This is the Monitor State Value for Over Threshold.
Under Threshold | Success | This is the Monitor State Value for Under Threshold.

Overridable Parameters

Parameter Name | Default Value | Description | Override
Frequency | 300 | |
Threshold | 200 | |

Alert Details

Monitor State | Message | Priority | Severity | Auto Resolution
Over Threshold (Error) | ISA Server 2006: Dropped Packets Per Sec reach Threshold. | Medium | Warning | No

Run As Profiles

Name
Default

Monitor Knowledgebase

Summary

Monitors the packets dropped per second on ISA Server 2006 Firewall.

Causes

This monitor checks the number of denied packets per second. The expected value is no more than 100. A higher value indicates either a network misconfiguration or an attack. Use the ISA Server log to identify the actual condition.

Resolutions

Security problems affecting ISA Server performance are DoS and DDoS attacks. These attacks are characterized by the full consumption of one or more resources of ISA Server. From a performance view, there is no difference between a capacity problem and a security problem, because in both cases the performance of ISA Server suffers due to a resource bottleneck. Still, there are many indications that can lead to a conclusion that the source of a performance problem is a security incident.

ISA Server uses various mechanisms to automatically detect and block security incidents that lead to DoS conditions:

  • TCP SYN attacks. Automatic detection and protection.

  • UDP or raw IP flood. Automatic detection and protection by use of per-rule connection quota.

  • Virus or worm propagation. Automatic detection and protection by use of per-IP connection quota.

In these cases, alerts are triggered, enabling the ISA Server administrator to examine the nature and source of the attack, and use preventive measures to eliminate it.

Identifying a DoS or DDoS attack requires input from all monitoring sources:

  • Performance counters show how much of a resource is consumed, as well as other values whose suspect levels warrant further examination with other sources.

  • ISA Server logs show irregular denial patterns that correlate with a set of ports or IP addresses that are denied access. In most cases, looking at the ISA Server logs provides the necessary information to identify and solve a security incident.

  • Network captures can also show irregular traffic patterns but at the lower network level. Use network captures in cases where ISA Server logs do not provide adequate information.
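
An added example (not part of the management pack or of ISA Server): one way to look for the denial patterns described above, assuming the firewall log has been exported to a simplified CSV with the hypothetical columns `time`, `src_ip`, `dst_port` and `action`. The sample records are constructed, and denied log entries per second serve only as a stand-in for the dropped-packets counter.

```python
import csv
import io
from collections import Counter, defaultdict

THRESHOLD = 200  # the monitor's default Threshold parameter


def denial_report(log_text, threshold=THRESHOLD):
    """Summarize each one-second bucket whose denied count exceeds threshold."""
    buckets = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["action"].lower() == "denied":
            buckets[row["time"]].append((row["src_ip"], row["dst_port"]))
    report = []
    for second, hits in sorted(buckets.items()):
        if len(hits) <= threshold:
            continue
        sources = Counter(src for src, _ in hits)
        ports = Counter(port for _, port in hits)
        top_src, src_hits = sources.most_common(1)[0]
        top_port, port_hits = ports.most_common(1)[0]
        report.append({
            "second": second,
            "denied": len(hits),
            "distinct_sources": len(sources),
            "top_source": top_src,
            "top_source_share": round(src_hits / len(hits), 2),
            "top_port": top_port,
            "top_port_share": round(port_hits / len(hits), 2),
        })
    return report


def build_sample():
    """Constructed records in the assumed CSV layout (not the ISA log schema)."""
    lines = ["time,src_ip,dst_port,action"]
    # One internal host retrying a blocked port 250 times in one second.
    lines += ["12:00:01,10.0.0.15,8080,Denied"] * 250
    # 300 denials from 250 different sources, all aimed at one port.
    lines += [f"12:00:02,192.0.2.{i % 250 + 1},445,Denied" for i in range(300)]
    # Background traffic: 40 denials and 500 allowed entries, under threshold.
    lines += ["12:00:03,10.0.0.20,53,Denied"] * 40
    lines += ["12:00:03,10.0.0.21,443,Allowed"] * 500
    return "\n".join(lines)


if __name__ == "__main__":
    for entry in denial_report(build_sample()):
        print(entry)
```

A bucket dominated by a single source points toward one misbehaving or misconfigured host, while many sources concentrated on one port is the kind of irregular pattern to take to the network captures.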

If you identify a DoS security incident that is not automatically detected and blocked by ISA Server, contact Microsoft Help and Support.

External References
This monitor does not contain any external references.
