topic Re: fwaccel dos deny logging in Firewall and Security Management

fwaccel dos deny logging

skidsteerpilot — Thu, 08 Sep 2022 20:10:10 GMT

Hello,

R80.40 Take 158

We are beginning to experiment with 'fwaccel dos deny' for blocklists. We can see the dropped logs in the Manage server. They have "Comment: Deny list" and "Feature Name: DOS/Rate Limiting Deny list", but these fields don't seem to be discoverable via the search bar. Is there another way to search for traffic that has been blocked by the deny list?

Re: fwaccel dos deny logging

PhoneBoy — Thu, 08 Sep 2022 20:19:05 GMT

The relevant fields are not indexed, at least in R80.40.
Possible they are in R81.10.

In any case, if you're looking for recent drops, you can do something like the following: fw log -n | grep "Deny List"
This will show entries since Midnight local time (or since the last logswitch occurred, whichever comes first).

Re: fwaccel dos deny logging

Sorin_Gogean — Fri, 09 Sep 2022 10:59:45 GMT

hi,

for fwaccel logs, we're filtering for <*,*,*,*> .

This <*,*,*,*> equivales with the fwaccel rule ID <62c7ec1c,00000000,61fe040a,0000283e> , so you can filter for those specific ID's and find exactly DROPs generated by them.

As example:

the only problem we're facing from logging point of view, is the fact that the rule ID changes with each restart - at/for each fwaccel rule implementation - therefore we have to use <*,*,*,*> .

enjoy,

PS: the <*,*,*,*> was recommended here or in an document, I can't find it right now.

Re: fwaccel dos deny logging

skidsteerpilot — Fri, 09 Sep 2022 13:09:29 GMT

Thank you both for the assist. Unfortunately neither option seemed to provide any resolution. I will check with the support team to see if they have additional suggestions.

Re: fwaccel dos deny logging

Sorin_Gogean — Fri, 09 Sep 2022 16:17:47 GMT

I don't think I follow, @PhoneBoy told you that those fields are not indexed, therefore they are not searchable, and I showed you how you can search specific fwaccel block rules, by searching for either <*,*,*,*> that equivales with the fwaccel rule ID <62c7ec1c,00000000,61fe040a,0000283e> so you can search for that rule ID too.
searching by fwaccel rule ID will provide logs for that rule only - as you asked "Is there another way to search for traffic that has been blocked by the deny list?"

ty,

Re: fwaccel dos deny logging

skidsteerpilot — Fri, 09 Sep 2022 17:19:40 GMT

Hello,

I tried the wildcard search you provided and the log search @PhoneBoy suggested and neither returned results, hence my move to tac. Our logs do not show a rule id in the comment or any other field so possibly our setup is unique. Thank you for the suggestions though.

Re: fwaccel dos deny logging

Sorin_Gogean — Sun, 11 Sep 2022 15:17:23 GMT

Understood,

You can get the correct ID's with "fwaccel dos rate get" from the GW SSH console .

also I would make sure you have your fwaccel deny rules implemented and the log-in enabled for them (red lines).

just go over sk112454...

[Expert@Axxx-FW01:0]# fwaccel dos pbox -m

Penalty box monitor_only: "on"

[Expert@Axxx-FW01:0]# fwaccel dos config get

rate limit: enabled (with policy)

rule cache: enabled

pbox: enabled

deny list: enabled (with policy)

drop frags: disabled

drop opts: disabled

internal: enabled

monitor: disabled

log drops: enabled

log pbox: enabled

notif rate: 100 notifications/second

pbox rate: 500 packets/second

pbox tmo: 180 seconds

[Expert@Axxx-FW01:0]#

enjoy,