topic Re: fw samp stopped working in Firewall and Security Management

fw samp stopped working

Scott_Paisley — Tue, 18 May 2021 12:39:25 GMT

I have a ticket open, but thought I would ask here also...

We have been using the ip blocklist feature from sk103154 across all our gateways for some time, and it was working great. Today I found it is not working as expected.

We run the script on the management station every day to enable the feature on the remote gateways, and we have a list of feeds that we use.

One of them is a custom list we maintain.

When I run the script, I get this response from the gateway

ip_block: Malicious IP blocking mechanism is ON

which is the expected result, but when I run the command

fw samp get | grep threatcloud_ip_block | grep 185.53.179.28

I get no result

the log on the gateway says this

Tue May 18 07:58:08 -04 2021 update_feeds
Tue May 18 07:58:08 -04 2021 updating https://xxxx/blacklist.txt
Tue May 18 07:58:08 -04 2021 Not using proxy
Tue May 18 07:58:09 -04 2021 LAST_UPDATE = Last-Modified:Tue18May202111:28:55GMT
Tue May 18 07:58:09 -04 2021 last_update new = Last-Modified:Tue18May202111:28:55GMT
Tue May 18 07:58:09 -04 2021 last_update old = Last-Modified:Tue18May202111:28:55GMT
Tue May 18 07:58:09 -04 2021 old_timeout = 1621337889
Tue May 18 07:58:09 -04 2021 new_timeout_sec = 1621339089
Tue May 18 07:58:09 -04 2021 file name = /opt/CPsuite-R80.40/fw1/database/httpsxxxxblacklisttxt
Tue May 18 07:58:09 -04 2021 last_update_delta = 1260
Tue May 18 07:58:09 -04 2021 samp_rule_timeout = 3600
Tue May 18 07:58:09 -04 2021 samp_delta = 2400
Tue May 18 07:58:09 -04 2021 https://xxxx/blacklist.txt: feed is up to date

and if I CAT the file I see this

add -a d -l r -t 3600 -c threatcloud_ip_block quota service any source range:45.61.138.171 pkt-rate 0
add -a d -l r -t 3600 -c threatcloud_ip_block quota service any source range:45.84.0.127 pkt-rate 0
add -a d -l r -t 3600 -c threatcloud_ip_block quota service any source range:212.109.221.205 pkt-rate 0
add -a d -l r -t 3600 -c threatcloud_ip_block quota service any source range:185.243.214.107 pkt-rate 0
add -a d -l r -t 3600 -c threatcloud_ip_block quota service any source range:104.247.81.52 pkt-rate 0
add -a d -l r -t 3600 -c threatcloud_ip_block quota service any source range:99.83.154.118 pkt-rate 0
add -a d -l r -t 3600 -c threatcloud_ip_block quota service any source range:185.53.177.31 pkt-rate 0
add -a d -l r -t 3600 -c threatcloud_ip_block quota service any source range:185.53.178.30 pkt-rate 0
add -a d -l r -t 3600 -c threatcloud_ip_block quota service any source range:185.53.179.28 pkt-rate 0

which includes the entry I am looking for

Also if I run the command locally, it works

fw samp add -a d -l r -t 3600 -c threatcloud_ip_block quota service any source range:185.53.179.28 pkt-rate 0

fw samp get | grep threatcloud_ip_block | grep 185.53.179.28

operation=add uid=<60a3b4ca,00000000,058ec3a1,000052d4> target=all timeout=3578 action=drop log=log comment=threatcloud_ip_block service=any source=range:185.53.179.28 pkt-rate=0 req_type=quota

Any ideas?

Thanks

Re: fw samp stopped working

PhoneBoy — Thu, 20 May 2021 17:59:44 GMT

How many samp rules do you have?
Also what version/JHF level?

Re: fw samp stopped working

Scott_Paisley — Fri, 21 May 2021 14:19:47 GMT

We have lots.

We run the script to tell the gateways to load the IP lists from website, and we list a number of websites. I have not counted how many IP addresses in total, but this used to be working as far as we could tell

R80.40, JHF102

Re: fw samp stopped working

Timothy_Hall — Fri, 21 May 2021 15:31:34 GMT

What version of code are you using? There have been many changes to these DoS tools in the recent releases, including the phasing out of fw samp in favor of fwaccel dos, which you should definitely migrate to if it is available in your release.

Are you including a flush=true argument with each individual fw samp command or at least with the last one in the script sequence? That is required for the fw samp rules to actually take effect. fwaccel dos does the equivalent of flush=true for every command issued by default. Also be aware that by default DoS rules will only be applied to traffic traversing external interfaces unless you specify otherwise.

Re: fw samp stopped working

Scott_Paisley — Fri, 21 May 2021 15:36:01 GMT

R80.40

We are using the script from sk103154

I am not aware if it has been updated with the new commands

Re: fw samp stopped working

PhoneBoy — Fri, 21 May 2021 23:36:16 GMT

I would review the script you're using to verify it's using the newer commands as mentioned by @Timothy_Hall.
I believe the syntax is even similar, so it may be possible (with a couple changes) to change over to fwaccel dos.

Re: fw samp stopped working

Scott_Paisley — Sat, 22 May 2021 08:53:51 GMT

A search for fwaccel dos leads me to a CLI reference guide that describes this

fwaccel [-i <SecureXL ID>] dos

blacklist <options>

but if I run that command on the gateway I get this

fwaccel dos blacklist -s
The deny list is empty
Note: this command is deprecated (see "fwaccel dos deny").

Re: fw samp stopped working

rachelda — Mon, 24 May 2021 09:57:57 GMT

Hi,

The cache file exists in fwdir\database\cache.bip contains last modified for each feed, GW should load new update every 20 min
In case of you have new IP, the new feed should load in ~20 Min

If this was not the case please open a support ticket with your information.

Thanks

Rachel

Re: fw samp stopped working

Scott_Paisley — Mon, 24 May 2021 09:59:09 GMT

I have a ticket open

Re: fw samp stopped working

Scott_Paisley — Thu, 03 Jun 2021 13:15:14 GMT

This was resolved on a call with TAC and others this morning

The text file on the remote webserver had a space after one of the IP addresses, and this prevents it from working correctly.

Removing the space means that it is working again.

Re: fw samp stopped working

Timothy_Hall — Thu, 03 Jun 2021 14:05:49 GMT

Thanks for the follow-up, that is a subtle one for sure.