
I recently began to receive a huge (600 thousand to 2 million per day) number of FWX_E_TCP_NOT_SYN_PACKET_DROPPED, 0xc0040017 entries in my Forefront TMG logs.

If the top 3 source IPs are any indication, there is no legitimate traffic to or from the IPs initiating these scans. How can I suppress these from being logged by Forefront?

Unfortunately, using a standard suppression rule does not work. I already had a suppression list in place for certain traffic, including the multicast range. This was at the top of my rule set. The rule listed is 'None - see Result Code', even for traffic being suppressed.

Tim Brigham

2 Answers


It appears that the Fwengmon tool has been replaced and the netsh tmg commands do not provide a ready way to suppress these alerts. I have moved up the food chain - we collect these logs in Splunk and have Syslog-NG available as a filter. I suppressed these spurious events at the syslog-ng level by blocking the 0xc0040017 code.

Tim Brigham
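The syslog-ng filter described in this answer, written out as an added example (not the answerer's actual configuration). The source and destination names, the listening port and the Splunk host are assumptions; the only page-specific value is the 0xc0040017 result code.

```conf
# Assumed: TMG forwards its log lines to this syslog-ng host over UDP/514,
# and syslog-ng relays to a Splunk TCP input. Both names are placeholders.
source s_tmg {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

destination d_splunk {
    network("splunk.example.internal" port(9514) transport("tcp"));
};

# Keep everything EXCEPT the FWX_E_TCP_NOT_SYN_PACKET_DROPPED events.
# message() is a regex match on the message body; the result code is
# logged as a hex string, so a literal match on the code is sufficient.
# The symbolic name is included for log formats that print it instead.
filter f_drop_tmg_not_syn {
    not (message("0xc0040017") or message("FWX_E_TCP_NOT_SYN_PACKET_DROPPED"));
};

# Anything failing the filter never reaches Splunk and is discarded here.
log {
    source(s_tmg);
    filter(f_drop_tmg_not_syn);
    destination(d_splunk);
};
```

If you would rather keep the scan volume visible without indexing every line, replace the discard with a second log path that sends the matched events to a low-cost file() destination.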

Create an access rule:

Deny / All Traffic / From -> New Computer Set "Blocked Without Logging" -> add the IPs ("computers") to this list / To Anywhere / All Users / Finish.

Order it first in the list, then disable the "Log requests matching this rule" setting - on the General tab, from memory.

TristanK