My question has two parts. First: today at the place where I work we lost the internet, and after checking the firewall (SonicWall; this is a non-profit organization so they can't afford the best stuff) I discovered it was more than likely a DoS attack. Nobody could access the internet, and I could not connect to the firewall because of the amount of data being sent on the network. What would be the best way to access the firewall, and what can I do to make sure this does not happen again? Also, if anyone can help me out with this second question: one of the computers I configured for a user today would not access the internet. The IP address and default gateway were configured correctly in the TCP/IP settings box, along with the primary and alternate DNS. But when I tried to access the internet it would give me the "web page not available" message. I could ping the default gateway and the local host, but nothing on the web; also I could not ping the DNS server. This was before we lost the internet.
Asked: January 10, 2005 6:07 PM
Updated: January 13, 2005 12:22 PM
If it's totally inaccessible you could bring it offline first, then check the log. To confirm your suspicion of a DoS attack you could monitor the traffic on your network.
For the second question, assuming ICMP echo is not blocked to the DNS server: if you can't ping the DNS server then the client won't be able to resolve the web page. Let's go back to the network layer then: is the subnet mask correct? Is there any firewall in between the client and the DNS server?
Like the others said, some of your Windows machines must be infected by a virus; do Windows Update on all the machines. Use Ethereal to identify how many machines are infected. Update the virus pattern file, reboot all those machines in safe mode and do a virus scan.
Hi there,
I agree with the previous posts about the first question, but want to add the following: try to limit access to the management software of the firewall to your internal machines or a single machine in your internal LAN; don't allow it on the WAN connection.
I haven't worked with SonicWall myself; anyway, sometimes firewalls hang or become jammed, so try to restart it.
Monitoring the traffic using Ethereal will be very hard, especially if the amount of data passing is too much, and it will not be that effective if you run it on a machine behind the firewall in a switched environment, because it will not receive anything; it must be installed on the gateway, the SonicWall, and I don't know if this is possible or not.
Another problem with sniffers such as Ethereal is that you will need to know exactly what you should receive and what you should not receive, and to understand packets to judge whether there is an attack or not. If you know the kind of traffic you want, then it will greatly help you.
Regarding the second question, try to ping http://www.yahoo.com specifically from any machine that is working fine; you should get a reply. Record the IP address and ping that IP from the user that is experiencing troubles. If pinging by IP works but by name doesn't, then this is a name resolution problem, but if pinging by IP also doesn't work, then it's either a TCP/IP configuration problem, or maybe some kind of firewall is blocking that user. Does he have any firewall programs installed? Especially McAfee's stupid firewall?
Hi. I think the main problem is caused by a virus or DoS attack. The firewall is overwhelmed already and it can't process. I think you don't have any choice but to power off the firewall, or you can disconnect the connection facing your local area network and check the logging. I believe every firewall has logging. Check the IP address that is constantly going outside or inside. If the firewall is connected to a switch, check whether the switch is capable of IP accounting; that way you can easily pinpoint which IP address is constantly going outside or inside. Mostly the cause of this kind of problem is a DoS attack, but for now we can just assume.
The first thing to do is disconnect your inside connection, then connect one PC to your firewall and download Stinger. The site is http://vil.nai.com/vil/stinger/. After you download it I would suggest that you copy this to all of your computers and scan them, if this is applicable. After you scan, do the patching, because I believe some of your computers are not updated. Always, always update your Windows software. The next thing to do is download the AVG virus scan; it is a freeware virus scanner. It is better to have antivirus than nothing at all, and if you want more security you can download ZoneAlarm.
For your second question, try to ping yahoo.com; the IP address is 66.94.234.13. Hmm, wait, I'm not sure if you can ping outside, because on most firewalls ICMP is not allowed. Try to see if all the IP addresses were configured correctly by doing ipconfig /all at a command prompt.
Note: I would suggest that before you connect your PC to the internet you should patch or update it first, so that you don't get a lot of viruses.
Additional: if you find the IP address that is causing the problem, the easiest thing to do is a blocking policy on your firewall. In case you find that it is one of your inside IP addresses, do a blocking policy as well, trace the computer and disconnect it from your network. Check it for viruses and apply patches if it is not updated. As for me, I think the cause of the problem is a computer in your inside network. If you cannot trace it then do the manual thing, and this is the hardest thing to do: disconnect all your computers from the switch and put them back one at a time. You can only do this if you don't have a lot of computers; otherwise download the software the others are suggesting.
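The subnet mask question raised in the first answer and the ipconfig /all check suggested above can be combined into one offline test. The script below is an added example, not code from this thread: it parses constructed ipconfig /all text (a sample typed inline, not a real capture) and works out, for each DNS server, whether the client would ARP for it directly or hand the packet to the default gateway. A mask that is too wide makes an off-LAN DNS server look on-link, which produces exactly the symptom in the question: the gateway answers ping because it really is on the LAN, while the DNS server never answers because the client never sends the packet to the gateway at all. The "correct" mask is assumed to be known from the rest of the LAN.

```python
"""Diagnose the 'can ping the gateway but not the DNS server' symptom from
`ipconfig /all` output.  Everything below is constructed sample data."""
import ipaddress
import re

# Constructed sample: the mask should be 255.255.255.0 but was typed as
# 255.255.0.0, so the client believes 192.168.2.x is on its own LAN.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.168.1.50
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.2.5
                                       192.168.2.6
"""


def parse_ipconfig(text):
    """Return (ip, mask, gateway, [dns servers]) from ipconfig /all text."""
    def field(name):
        m = re.search(r"^\s*" + re.escape(name) + r"[ .]*: *(\S+)", text, re.M)
        return m.group(1) if m else None

    # The first DNS server sits on the label line; extra ones are bare IPs
    # on the following continuation lines.
    dns = []
    m = re.search(r"^\s*DNS Servers[ .]*: *(\S+)\n((?:\s+\d+\.\d+\.\d+\.\d+\n)*)",
                  text, re.M)
    if m:
        dns.append(m.group(1))
        dns += re.findall(r"\d+\.\d+\.\d+\.\d+", m.group(2))
    return field("IP Address"), field("Subnet Mask"), field("Default Gateway"), dns


def next_hop(ip, mask, gateway, target):
    """How the host would reach `target` under the given mask."""
    net = ipaddress.IPv4Interface(f"{ip}/{mask}").network
    if ipaddress.IPv4Address(target) in net:
        return "on-link (ARP directly)"          # no packet ever goes to the gateway
    if ipaddress.IPv4Address(gateway) not in net:
        return "unreachable (gateway is not on-link)"
    return f"via gateway {gateway}"


def diagnose(text, true_mask):
    """List DNS servers the configured mask routes differently from the
    correct mask, as (server, configured path, correct path) tuples."""
    ip, mask, gw, dns = parse_ipconfig(text)
    findings = []
    for server in dns:
        configured = next_hop(ip, mask, gw, server)
        correct = next_hop(ip, true_mask, gw, server)
        if configured != correct:
            findings.append((server, configured, correct))
    return findings


if __name__ == "__main__":
    for server, configured, correct in diagnose(SAMPLE_IPCONFIG, "255.255.255.0"):
        print(f"DNS {server}: client uses '{configured}', should be '{correct}'")
```

Run against the sample, both DNS servers come back as "on-link (ARP directly)" under the typed mask but "via gateway 192.168.1.1" under the correct one, which is the mismatch to look for before suspecting the DNS server or the firewall. If the gateway itself is reported as not on-link, the mask is too narrow instead, and then the gateway ping would fail as well.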
For your second question, I have seen the same symptoms when the SonicWall was out of licenses. You can restart the SonicWall to reset the licenses.
We experienced something very similar with a SonicWall appliance a while ago. Apparently there is a magic number of concurrent connections that will hang a SonicWall; in our case it was in the 20,400 range. By using a browser to access the admin screens in the appliance from the LAN side we were able to see the number of current connections. We then used Ethereal to determine what IP address(es) these connections were coming from. It turned out that a virus had been introduced behind our firewall by a careless connection to the network of a laptop that had come back from a recent trip overseas. This particular virus spawned multiple threads as FTP connections. After cleaning up the virus on the source machine we had to chase down a few other machines that had been hit by the same exploit as it spread within the network. We then checked each for the most recent Windows updates and patched them. We also sent a sample to our antivirus vendor, who returned a modified signature file to put in place on our centralized distribution system.
It was a whole bunch of aggravation for a few days as we tracked down remnants, but all in all it could have been worse. And we now have a policy that machines that have been on trips are not allowed to be reconnected to the network until IT runs a standalone virus scan on them!
Another item that you may want to look at is to put your FW on another segment/subnet/VLAN, as this will enable you to cut the entire network off from access easily while you connect on the same subnet and troubleshoot. Additionally this gives you a bit more security, as you can then place ACLs against this routed interface.
One real nasty virus that our organization has just been hit with hammers ports 445 and 11768. This has been identified by two vendors as a Dipnet variant. Watch the FW logs for any jump or increase in size, as this could be indicative of excessive packets being dropped and logged.
cheers,
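Two of the answers above describe the same hunt: find the LAN host behind the connection flood (the post that watched the SonicWall connection count and used Ethereal to find the source IPs) and spot a worm hammering one port across many hosts (the post about ports 445 and 11768). The script below is an added example, not code from the thread or from SonicWall. It works on one-connection-per-line records of the form "src dst dport", which is the kind of summary you would export from a capture; the records here are constructed inline and the thresholds are arbitrary assumptions to be tuned to the network. It flags a source both by raw connection count (what fills the firewall's connection table) and by fan-out, the number of distinct hosts contacted on a single destination port, which separates a scanning worm from a merely busy user.

```python
"""Find the host(s) behind a connection flood from per-connection records.
The records built below are constructed sample data, not a real capture."""
from collections import Counter, defaultdict


def build_sample_records():
    """Constructed connection log: one 'src dst dport' line per connection."""
    lines = []
    # Three normal users, a handful of web connections each.
    for host in ("192.168.1.10", "192.168.1.11", "192.168.1.12"):
        for i in range(5):
            lines.append(f"{host} 66.94.234.{13 + i} 80")
    # One infected host sweeping port 445 across two /24 ranges ...
    for third in (2, 3):
        for fourth in range(1, 255):
            lines.append(f"192.168.1.77 10.0.{third}.{fourth} 445")
    # ... and also opening hundreds of FTP connections to a single server.
    for _ in range(300):
        lines.append("192.168.1.77 203.0.113.9 21")
    return lines


def parse_records(lines):
    """Parse 'src dst dport' lines; malformed lines are skipped."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        src, dst, dport = parts
        records.append((src, dst, int(dport)))
    return records


def summarize(records):
    """Per source: total connections, distinct destinations, and for each
    destination port the number of distinct hosts contacted on it."""
    conns = Counter()
    dsts = defaultdict(set)
    port_fanout = defaultdict(lambda: defaultdict(set))
    for src, dst, dport in records:
        conns[src] += 1
        dsts[src].add(dst)
        port_fanout[src][dport].add(dst)
    return {
        src: {
            "connections": conns[src],
            "distinct_dsts": len(dsts[src]),
            "port_fanout": {p: len(hosts) for p, hosts in port_fanout[src].items()},
        }
        for src in conns
    }


def find_suspects(records, conn_threshold=200, fanout_threshold=50):
    """Sources over either threshold as (src, connections, [reasons]),
    busiest first.  Thresholds are assumed starting points, not fixed rules."""
    suspects = []
    for src, stats in summarize(records).items():
        reasons = []
        if stats["connections"] >= conn_threshold:
            reasons.append(f"{stats['connections']} connections")
        for port, n_hosts in stats["port_fanout"].items():
            if n_hosts >= fanout_threshold:
                reasons.append(f"{n_hosts} distinct hosts on port {port}")
        if reasons:
            suspects.append((src, stats["connections"], reasons))
    suspects.sort(key=lambda item: item[1], reverse=True)
    return suspects


if __name__ == "__main__":
    recs = parse_records(build_sample_records())
    print(f"{len(recs)} connections from {len(summarize(recs))} sources")
    for src, total, reasons in find_suspects(recs):
        print(f"{src}: " + "; ".join(reasons))
```

On the sample data the three normal hosts never appear in the output, while 192.168.1.77 is reported both for 808 connections and for 508 distinct hosts on port 445. Summing the "connections" column across all sources gives the figure to compare with the concurrent-connection count shown in the firewall's admin screen; once the source is known, the blocking rule and the unplug-and-clean steps described in the earlier answers apply.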