topic AIOps alerts and penalty box configuration in Firewall and Security Management

AIOps alerts and penalty box configuration

Scott_Paisley — Tue, 12 May 2026 09:08:14 GMT

We recently enabled AIOps. We are now getting ferequenst alerts of the following type

Rulebase drop spike caused by a burst of blocked traffic not a policy or gateway fault.

Rulebase drops rose sharply at 19:33Z and stayed very high for about 20 minutes with no policy change. This points to a burst of unwanted traffic correctly blocked by existing rules not a gateway failure.

Recommendations:

Implement SecureXL-based DoS defenses including Rate Limiting rules and Penalty Box to block abusive traffic earlier. (sk112241)

We understand this is due to scanning activity directed against standby members in our gateway clusters, and all the traffic is dropped by existing rules, but we followed the recommendations to enable the penalty box and are still seeing these alerts.

Is there an optimal set of penalty box paramaters that would catch this traffic and prevent the AIOps alert from triggering?

Thanks

Re: AIOps alerts and penalty box configuration

Lesley — Tue, 12 May 2026 09:50:16 GMT

Please share pbox configuration so I can have a look.

Re: AIOps alerts and penalty box configuration

Scott_Paisley — Tue, 12 May 2026 09:53:16 GMT

Penalty Box:
Status on
Internal Interfaces off
Monitor-Only off
Log Drops on
Max Notifications Per-Second 100 logs/second
Send TCP Reset off
Timeout for Blocked IPs 180 seconds
Has Blocked IPs no
Log when a new IP is blocked on
Drop rate to trigger on 500 packets/second

Re: AIOps alerts and penalty box configuration

Lesley — Tue, 12 May 2026 11:25:16 GMT

Please check my white paper on this topic:

https://community.checkpoint.com/t5/Firewall-and-Security-Management/Step-by-step-guide-for-penalty-box-R82-and-R81-20/m-p/276593#M105262

Check if you see penatly box becomes active in Smart Console, any drops? Does AIops tell you the ip is doing this? Does this refelect in the penalty box logs?