https://community.checkpoint.com/t5/Firewall-and-Security-Management/penalty-box-on-internal-interfaces-query/m-p/214980#M41069 <P>Hi</P><P>sk112241 and&nbsp;<SPAN>sk111881 both say;</SPAN></P><P><SPAN>"Rate Limiting rules for DoS Mitigation are defined to prevent External-to-Internal traffic. These rules will not enforce Internal-to-External or Internal-to-Internal connections."</SPAN></P><P><SPAN>and to run;</SPAN></P><P><SPAN><EM>fwaccel dos config set --enable-internal</EM></SPAN></P><P>To change this as defined by topology.</P><P>Can I just confirm does this apply to the pbox feature too?</P><P>Thanks!</P> Wed, 22 May 2024 10:32:53 GMT LazarusG 2024-05-22T10:32:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/penalty-box-on-internal-interfaces-query/m-p/214980#M41069 <P>Hi</P><P>sk112241 and&nbsp;<SPAN>sk111881 both say;</SPAN></P><P><SPAN>"Rate Limiting rules for DoS Mitigation are defined to prevent External-to-Internal traffic. These rules will not enforce Internal-to-External or Internal-to-Internal connections."</SPAN></P><P><SPAN>and to run;</SPAN></P><P><SPAN><EM>fwaccel dos config set --enable-internal</EM></SPAN></P><P>To change this as defined by topology.</P><P>Can I just confirm does this apply to the pbox feature too?</P><P>Thanks!</P> Wed, 22 May 2024 10:32:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/penalty-box-on-internal-interfaces-query/m-p/214980#M41069 LazarusG 2024-05-22T10:32:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/penalty-box-on-internal-interfaces-query/m-p/214989#M41071 <P>Yes the&nbsp;<EM><SPAN>&nbsp;</SPAN>--enable-internal&nbsp;</EM>option applies to all of SecureXL's DoS functions including the Penalty Box.&nbsp; However there are two things to be aware of when setting this option:</P> <P>1) A&nbsp;corner case to be aware of when enabling the SecureXL penalty box involves selective synchronization of services in a ClusterXL cluster. Suppose the penalty box is configured with the default values on all members of the cluster, and TCP port 443 connections are NOT currently being synchronized between the cluster members to reduce sync interface traffic. When a failover occurs, huge amounts of TCP port 443 packets from the existing connections at the time of failover will be dropped as "out of state" by the newly-active gateway. In this case if more than 500 drops occur from a IP address within one second, that system will be penalty-boxed and no longer be able to send or receive traffic through the firewall for 3 minutes by default. This is a particular issue with Content Delivery Networks (CDNs) employed by popular websites on the Internet, and can also impact your critical internal servers with -<EM>-enable-internal&nbsp;</EM>set.</P> <P>2) The Penalty Box does have an allow list (whitelist) option via <EM>fwaccel dos allow</EM>, consider adding your critical internal server subnets proactively to avoid them getting accidentally penalty boxed which will cause major problems.</P> Wed, 22 May 2024 12:34:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/penalty-box-on-internal-interfaces-query/m-p/214989#M41071 Timothy_Hall 2024-05-22T12:34:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/penalty-box-on-internal-interfaces-query/m-p/214996#M41074 <P>Believe so, yes.</P> Wed, 22 May 2024 12:54:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/penalty-box-on-internal-interfaces-query/m-p/214996#M41074 PhoneBoy 2024-05-22T12:54:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/penalty-box-on-internal-interfaces-query/m-p/215380#M41136 <P>Thank you.</P> Tue, 28 May 2024 13:24:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/penalty-box-on-internal-interfaces-query/m-p/215380#M41136 LazarusG 2024-05-28T13:24:10Z