https://community.checkpoint.com/t5/Firewall-and-Security-Management/SecureXL-dos-feature-adjustment-and-information-collection/m-p/145985#M23115 <P>I believe your "Catch All" rule is taking precedence because it is the most stringent (i.e. enforcing the lowest new-conn-rate and also matching any/any), which is how Threat Prevention policies in general work.&nbsp; What happens if you set the new-conn-rate to 200 or 201 in your Catch All rule?</P> Mon, 11 Apr 2022 15:57:03 GMT Timothy_Hall 2022-04-11T15:57:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SecureXL-dos-feature-adjustment-and-information-collection/m-p/145983#M23114 <P>Hello Community,</P><P>&nbsp;</P><P>I've encountered a special challenge with SecurexL.</P><P>&nbsp;</P><P>I've also opend&nbsp; a SR.</P><P>&nbsp;</P><P>He're the case.</P><P>We had false-positive dos drops, so we had to enable the monitor mode with '<STRONG><EM>fwaccel dos config set --enable-monitor'&nbsp;&nbsp;</EM></STRONG>as described in&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk112454&amp;partition=Advanced&amp;product=SecureXL" target="_self">sk112454</A>.</P><P>&nbsp;</P><P>We've also added rate limit rule like</P><P>fwaccel dos rate add -a d -l r -n "comment 1 " service 6/53 source cidr:&lt;NET1&gt; destination cidr:&lt;NET4&gt; new-conn-rate 200 track source<BR />fwaccel dos rate add -a d -l r -n "comment 2" service 6/53 source cidr:&lt;NET2&gt; destination cidr:&lt;NET4&gt; new-conn-rate 200 track source<BR />fwaccel dos rate add -a d -l r -n "comment 3" service 6/53 source cidr:&lt;NET3&gt; destination cidr:&lt;NET4&gt; new-conn-rate 200 track source<BR />fwaccel dos rate add -a d -l r -n "comment 4 " service 17/53 source cidr:&lt;NET1&gt; destination cidr:&lt;NET4&gt; new-conn-rate 200 track source<BR />fwaccel dos rate add -a d -l r -n "comment 5" service 17/53 source cidr:&lt;NET2&gt; destination cidr:&lt;NET4&gt; new-conn-rate 200 track source<BR />fwaccel dos rate add -a d -l r -n "comment 6" service 17/53 source cidr:&lt;NET3&gt; destination cidr:&lt;NET4&gt; new-conn-rate 200 track source</P><P>'<STRONG>fwaccel dos rate get'&nbsp;</STRONG>shows the correct output like<BR />operation=add uid=&lt;624fcac1,00000000,f96a15ac,00000ffe&gt; target=all timeout=none action=drop log=regular name=&lt;&gt; service=6/53 source=cidr:&lt;NET1&gt; destination=cidr:&lt;NET4&gt; new-conn-rate=200 track=source<BR />operation=add uid=&lt;624fff4a,00000000,f96a15ac,0000583d&gt; target=all timeout=none action=drop log=regular name=&lt;&gt; service=17/53 source=cidr:&lt;NET2&gt; destination=cidr:&lt;NET4&gt; new-conn-rate=200 track=source<BR />operation=add uid=&lt;624fff53,00000000,f96a15ac,00005856&gt; target=all timeout=none action=drop log=regular name=&lt;&gt; service=17/53 source=cidr:&lt;NET1&gt; destination=cidr:&lt;NET4&gt; new-conn-rate=200 track=source<BR />operation=add uid=&lt;624fcac5,00000000,f96a15ac,0000100c&gt; target=all timeout=none action=drop log=regular name=&lt;&gt; service=6/53 source=cidr:&lt;NET3&gt; destination=cidr:&lt;NET4&gt; new-conn-rate=200 track=source<BR />operation=add uid=&lt;624fcc20,00000000,f96a15ac,00001d20&gt; target=all timeout=none action=drop log=regular name=Catch All source=any destination=any new-conn-rate=20 track=source service=any<BR />operation=add uid=&lt;624fff58,00000000,f96a15ac,00005867&gt; target=all timeout=none action=drop log=regular name=&lt;&gt; service=17/53 source=cidr:&lt;NET3&gt; destination=cidr:&lt;NET4&gt; new-conn-rate=200 track=source<BR />operation=add uid=&lt;624fcab8,00000000,f96a15ac,00000fd9&gt; target=all timeout=none action=drop log=regular name=&lt;&gt; service=6/53 source=cidr:&lt;NET2&gt; destination=cidr:&lt;NET4&gt; new-conn-rate=200 track=source</P><P>&nbsp;</P><P>Now the connections got still detected (due monitoring mode), but the logs shows int the SecureXL message:</P><P>'<EM>The packet violated the DOS module's rate limiting rulebase (SecureXL device 0) (policy: 22) (total rules: 1)'</EM></P><P>In the comment section it shows : '<EM>&lt;624fcc20,00000000,f96a15ac,00001d20&gt;</EM>' which refers to the default rule.</P><P>&nbsp;</P><P>SO, tl;dr</P><P>Why the custom rules not working, and why the SecureXL message show only total rules:1?</P><P>&nbsp;</P><P>Follow UP question: Does anyone have a good oneline to show the numer ob new connections to an ip with/without serice: i.e. all new dns requests to 8.8.8.8? The fwaccel dos stats get if not really detailed.</P><P>&nbsp;</P><P>Best Regards</P><P>Christoph Hornung</P> Mon, 11 Apr 2022 15:46:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SecureXL-dos-feature-adjustment-and-information-collection/m-p/145983#M23114 Christoph_Hornu 2022-04-11T15:46:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SecureXL-dos-feature-adjustment-and-information-collection/m-p/145985#M23115 <P>I believe your "Catch All" rule is taking precedence because it is the most stringent (i.e. enforcing the lowest new-conn-rate and also matching any/any), which is how Threat Prevention policies in general work.&nbsp; What happens if you set the new-conn-rate to 200 or 201 in your Catch All rule?</P> Mon, 11 Apr 2022 15:57:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SecureXL-dos-feature-adjustment-and-information-collection/m-p/145985#M23115 Timothy_Hall 2022-04-11T15:57:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SecureXL-dos-feature-adjustment-and-information-collection/m-p/146062#M23135 <P>Thanks, that would explain the behaviour. I will try if we can set up this for testing.</P> Tue, 12 Apr 2022 10:13:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SecureXL-dos-feature-adjustment-and-information-collection/m-p/146062#M23135 Christoph_Hornu 2022-04-12T10:13:46Z