Edge SWG Event 580000 Blocked Client Traffic Due to High-Frequency Request Failures
Article ID: 433147

Products

ISG Proxy ProxySG Software - SGOS

Issue/Introduction

End users intermittently lose connectivity to the internet or to specific web applications. The Edge SWG Event Log shows Event 580000, indicating that Attack Detection has identified a client IP as a security risk and is throttling or blocking it at the TCP level.
The following messages are observed in the event log:
"Client [IP] has exceeded failure limit" followed by "Client [IP], has exceeded warning limit and is now blocked" (Event 580000)
"HTTP/2 excessive number of stream resets, closing connection" followed by "Client [IP], authority=[URL]" prior to the block
"Authentication failed from Client [IP]: user [username]"

Environment

Edge SWG

Cause

The issue occurs when the Attack Detection feature is enabled. Attack Detection monitors client traffic for patterns that resemble automated threats, such as brute-force or scanning attacks. Each failed response from a client is counted against that client's IP; when the failures in a short time exceed the failure limit a warning is raised, and when the warnings exceed the warning limit the client IP is throttled or blocked at the TCP level. The counters do not distinguish hostile traffic from legitimate activity that happens to generate many errors, such as repeated authentication challenges (407), policy denials (403), or HTTP/2 stream resets from a busy application, so a legitimate user can be blocked.

Resolution

1. Apply CPL policy to exempt known domains and specific HTTP response codes from the failure count. Install the following in the local policy file, changing x.y.z.com to the affected domain and adding further high-traffic domains as needed:
<Proxy>
   ; 1. Do not count authentication challenges (407) as failures
   http.response.code=407 attack_detection.failure_weight(0)
   ; 2. Do not count policy denials (403) as failures
   http.response.code=403 attack_detection.failure_weight(0)
   ; 3. Exempt specific high-traffic domains known to trigger resets
   url.domain=x.y.z.com attack_detection.failure_weight(0)
After installing the policy, confirm in the event log that the "has exceeded failure limit" messages for the affected client stop before changing the global thresholds.
2. Adjust Attack Detection thresholds:
If the issue persists, make the global client limits more permissive from the CLI. The values below are examples; choose values appropriate to the environment.
Increase the warning limit, for example from 10 to 15, 20 or 30. More warnings are then allowed before the client is hard-blocked.
#(config)attack-detection
#(config attack-detection) client
#(config client) default warning-limit 15
Decrease the unblock time, for example from 30 minutes to 5 or 10 minutes, to shorten the time a blocked client stays blocked.
#(config)attack-detection
#(config attack-detection) client
#(config client) default unblock-time 10
Raise the connection limit to at most 500. Note that this command configures the per-client connection limit; the failure limit referred to by the "has exceeded failure limit" message is a separate setting in the same client submode.
#(config)attack-detection
#(config attack-detection) client
#(config client) default connection-limit 500
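The following Python script is an added example, not SGOS code or part of this article, that models how the failure and warning counters in the resolution steps interact. The accounting rules (a 4xx/5xx response adds its policy weight to a per-client failure counter, reaching the failure limit raises a warning and resets the counter, reaching the warning limit blocks the client for the unblock time) are an assumption made for illustration and are not documented on this page; the sample traffic, IP addresses and domain names are constructed. It shows why a burst of 407 authentication challenges trips the Event 580000 block, and how either the CPL failure_weight(0) exemptions from step 1 or a higher warning-limit from step 2 changes the outcome.

```python
"""Simplified model of Edge SWG Attack Detection client accounting (added example).

Assumed rules, not SGOS documentation: every 4xx/5xx response adds its policy
weight to the client's failure counter; reaching failure-limit raises a warning
and resets the counter; reaching warning-limit blocks the client for unblock-time.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Response:
    t: float        # seconds since start of the (constructed) capture
    client: str     # client IP as seen by the proxy
    domain: str     # url.domain of the request
    code: int       # HTTP response code returned to the client


@dataclass
class ClientState:
    failures: int = 0
    warnings: int = 0
    blocked_until: Optional[float] = None   # None means not blocked
    log: List[str] = field(default_factory=list)


def cpl_weight(resp: Response, exempt_codes=(), exempt_domains=()) -> int:
    """Mirror the CPL rules: failure_weight(0) for exempted codes or domains,
    otherwise count any 4xx/5xx response as one failure."""
    if resp.code in exempt_codes or resp.domain in exempt_domains:
        return 0
    return 1 if resp.code >= 400 else 0


def simulate(responses: List[Response], weight_fn: Callable[[Response], int],
             failure_limit: int = 5, warning_limit: int = 3,
             unblock_seconds: float = 600.0) -> Dict[str, ClientState]:
    """Replay responses in time order and return the per-client state."""
    clients: Dict[str, ClientState] = {}
    for r in sorted(responses, key=lambda x: x.t):
        st = clients.setdefault(r.client, ClientState())
        if st.blocked_until is not None:
            if r.t < st.blocked_until:
                st.log.append(f"{r.t:6.1f} dropped (client blocked): {r.domain} {r.code}")
                continue
            # Unblock time elapsed: the client starts over with clean counters.
            st.blocked_until = None
            st.failures = st.warnings = 0
        st.failures += weight_fn(r)
        if st.failures >= failure_limit:
            st.failures = 0
            st.warnings += 1
            st.log.append(f"{r.t:6.1f} Client {r.client} has exceeded failure limit")
            if st.warnings >= warning_limit:
                st.blocked_until = r.t + unblock_seconds
                st.log.append(f"{r.t:6.1f} Client {r.client}, has exceeded warning limit "
                              f"and is now blocked (Event 580000)")
    return clients


def blocked_clients(clients: Dict[str, ClientState]) -> List[str]:
    """IPs currently blocked, sorted for stable comparison."""
    return sorted(ip for ip, st in clients.items() if st.blocked_until is not None)


def sample_traffic() -> List[Response]:
    """Constructed traffic (not a real capture): 10.1.2.3 receives a burst of
    twenty 407 authentication challenges from app.example.com, then three
    genuine 503s; 10.1.2.4 browses normally and gets a single 404."""
    t = [Response(float(i), "10.1.2.3", "app.example.com", 407) for i in range(20)]
    t += [Response(20.0 + i, "10.1.2.3", "api.example.com", 503) for i in range(3)]
    t += [Response(0.5 + i, "10.1.2.4", "news.example.net", 200) for i in range(5)]
    t.append(Response(6.0, "10.1.2.4", "news.example.net", 404))
    return t


if __name__ == "__main__":
    before = simulate(sample_traffic(), cpl_weight)
    print("default weights, blocked:", blocked_clients(before))
    for line in before["10.1.2.3"].log:
        print("  ", line)
    after = simulate(sample_traffic(),
                     lambda r: cpl_weight(r, exempt_codes=(407, 403),
                                          exempt_domains=("x.y.z.com",)))
    print("with CPL exemptions (step 1), blocked:", blocked_clients(after))
    relaxed = simulate(sample_traffic(), cpl_weight, warning_limit=5)
    print("warning-limit raised to 5 (step 2), blocked:", blocked_clients(relaxed))
```

With the default weights the 407 burst alone produces three failure-limit warnings and the block; exempting 407 and 403 leaves only the three real 503s counted, and raising the warning limit to 5 absorbs the burst without a block. The model keeps no time window, so it is stricter than a real appliance would be; it is meant to show the direction of each change, not to predict exact thresholds.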