https://community.checkpoint.com/t5/Firewall-and-Security-Management/SmartEvent-block-action-hit-SAM-limitation/m-p/152195#M25339 <P>Pretty sure fw samp also has a (likely higher) limit, so not sure moving it to that mechanism is the right answer.<BR />In any case, this probably requires an RFE to come up with the best approach.</P> Fri, 01 Jul 2022 15:17:31 GMT PhoneBoy 2022-07-01T15:17:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SmartEvent-block-action-hit-SAM-limitation/m-p/151435#M24728 <P>Hello,</P> <P>&nbsp;</P> <P>For a while we had SmartEvents enabled and for certain "unwanted activities/traffic like scans or others" and we were triggering a block for 1 hour to 8 hours.&nbsp;</P> <P>All was good for a while, until we noticed some "Failed to add the following dynamic (SAM) rule" in logs. While investigating we found that the SAM is somehow limited to 1000Kbyte, and in some situations we were filling that quickly.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Untitled.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/17001i0F72709E5953D73F/image-size/medium?v=v2&amp;px=400" role="button" title="Untitled.png" alt="Untitled.png" /></span></P> <P>&nbsp;</P> <P>So we were checking for a while and whenever we were seeing the "error" in logs we manually purged the SAM rules.</P> <P>As this didn't pleased us, tedious process, we paused the SmartEvent .</P> <P>&nbsp;</P> <P>Still we want to take this back, as it's adding some extra protection in some cases, nowadays is more like a-must-have&nbsp;<span class="lia-unicode-emoji" title=":smiling_face_with_smiling_eyes:">😊</span> .</P> <P>&nbsp;</P> <P>So we looked into a way to get that activated again, and we sketched a process, to get the SmartEvent event-data being sent via a script to a server, where we extract the fault IP's and feed them into an Generic DataCenter Object (this was funny to implement - I'll have another topic on it) and use the content into a FWL rule that blocks those IP's . We did this in order to have same "automation" like with SAM rules, and not needing to intervene too much on the policies/rules .</P> <P>Is this a correct approach ?&nbsp;</P> <P>&nbsp;</P> <P>If anyone can enlighten us on the SAM rules limitation, and if there is another way we can address SmartEvents actions, would appreciate.</P> <P>&nbsp;</P> <P>Thank you,</P> Wed, 22 Jun 2022 09:14:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SmartEvent-block-action-hit-SAM-limitation/m-p/151435#M24728 Sorin_Gogean 2022-06-22T09:14:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SmartEvent-block-action-hit-SAM-limitation/m-p/152057#M25140 <P>SAM rules are a legacy mechanism that I'm sure has some lower limits to it than some of the newer mechanisms (fw samp) that perform a similar task.<BR />What you're doing (piping into a Generic Datacenter object) is a clever way to solve the problem.</P> Wed, 29 Jun 2022 20:08:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SmartEvent-block-action-hit-SAM-limitation/m-p/152057#M25140 PhoneBoy 2022-06-29T20:08:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SmartEvent-block-action-hit-SAM-limitation/m-p/152109#M25186 <P>Thank you&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;for confirming this.</P> <P>Is there any plan to change SmartEvents and make is use "<SPAN>fw samp</SPAN>" for autoblocking ?</P> <P>&nbsp;</P> <P>Ty,</P> Thu, 30 Jun 2022 10:26:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SmartEvent-block-action-hit-SAM-limitation/m-p/152109#M25186 Sorin_Gogean 2022-06-30T10:26:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SmartEvent-block-action-hit-SAM-limitation/m-p/152195#M25339 <P>Pretty sure fw samp also has a (likely higher) limit, so not sure moving it to that mechanism is the right answer.<BR />In any case, this probably requires an RFE to come up with the best approach.</P> Fri, 01 Jul 2022 15:17:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SmartEvent-block-action-hit-SAM-limitation/m-p/152195#M25339 PhoneBoy 2022-07-01T15:17:31Z