https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-exclude-IP-from-SAM-rules/m-p/236461#M45852 <P>Hello everybody,</P><P>Following a big outage we noticed that our main gateways had put their own public IP subnet in the SAM ruleset. How can I prevent this from happening? Is there any way to exclude a subnet from being monitored for suspicious activity?</P> Fri, 20 Dec 2024 08:54:50 GMT demirdag 2024-12-20T08:54:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-exclude-IP-from-SAM-rules/m-p/236461#M45852 <P>Hello everybody,</P><P>Following a big outage we noticed that our main gateways had put their own public IP subnet in the SAM ruleset. How can I prevent this from happening? Is there any way to exclude a subnet from being monitored for suspicious activity?</P> Fri, 20 Dec 2024 08:54:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-exclude-IP-from-SAM-rules/m-p/236461#M45852 demirdag 2024-12-20T08:54:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-exclude-IP-from-SAM-rules/m-p/236473#M45856 <P>I would look at&nbsp;<A href="https://support.checkpoint.com/results/sk/sk112061" target="_blank">https://support.checkpoint.com/results/sk/sk112061</A>&nbsp;</P> <P>How to create and view Suspicious Activity Monitoring (SAM) Rules</P> <P>&nbsp;</P> <P>Try to see if -b flag with IP of Security Gateway works.</P> Fri, 20 Dec 2024 12:27:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-exclude-IP-from-SAM-rules/m-p/236473#M45856 Tal_Paz-Fridman 2024-12-20T12:27:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-exclude-IP-from-SAM-rules/m-p/236490#M45860 <P>I agree with&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/585">@Tal_Paz-Fridman</a>&nbsp;. I would double check what you have as per short video I uploaded.</P> <P>Andy</P> <P><div class="lia-vid-container video-embed-center"><div id="lia-vid-6366278238112w960h540r412" class="lia-video-brightcove-player-container"><video-js data-video-id="6366278238112" data-account="6058022097001" data-player="default" data-embed="default" class="vjs-fluid" controls="" data-application-id="" style="width: 100%; height: 100%;"></video-js></div><script src="https://players.brightcove.net/6058022097001/default_default/index.min.js"></script><script>(function() { var wrapper = document.getElementById('lia-vid-6366278238112w960h540r412'); var videoEl = wrapper ? wrapper.querySelector('video-js') : null; if (videoEl) { if (window.videojs) { window.videojs(videoEl).ready(function() { this.on('loadedmetadata', function() { this.el().querySelectorAll('.vjs-load-progress div[data-start]').forEach(function(bar) { bar.setAttribute('role', 'presentation'); bar.setAttribute('aria-hidden', 'true'); }); }); }); } }})();</script><a class="video-embed-link" href="https://community.checkpoint.com/t5/video/gallerypage/video-id/6366278238112">(view in My Videos)</a></div></P> Fri, 20 Dec 2024 14:07:36 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-exclude-IP-from-SAM-rules/m-p/236490#M45860 the_rock 2024-12-20T14:07:36Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-exclude-IP-from-SAM-rules/m-p/236516#M45870 <P>As far as I know, there shouldn’t be anything automatically creating SAM rules against your gateway IP.<BR />There is nothing preventing you from doing so via the fw sam command, however.</P> Fri, 20 Dec 2024 16:55:30 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-exclude-IP-from-SAM-rules/m-p/236516#M45870 PhoneBoy 2024-12-20T16:55:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-exclude-IP-from-SAM-rules/m-p/236536#M45874 <P>To prevent your main gateways from including their own public IP subnet in the SAM ruleset, you can exclude specific subnets from being monitored for suspicious activity by configuring exceptions in the SAM rules. Here's how you can do it:</P> <OL> <LI> <P><STRONG>Access the Security Management Server</STRONG>:</P> <UL> <LI>Open SmartConsole and connect to your Security Management Server.</LI> </UL> </LI> <LI> <P><STRONG>Navigate to SAM Settings</STRONG>:</P> <UL> <LI>Go to "Logs &amp; Monitor" and open the SmartView Monitor.</LI> </UL> </LI> <LI> <P><STRONG>Open Suspicious Activity Rules</STRONG>:</P> <UL> <LI>Click on the "Suspicious Activity Rules" icon in the toolbar to open the Enforced Suspicious Activity Rules window.</LI> </UL> </LI> <LI> <P><STRONG>Add an Exception</STRONG>:</P> <UL> <LI>Click on "Add" to create a new rule.</LI> <LI>In the "Block Suspicious Activity" window, specify the source and destination IP addresses or networks you want to exclude. Use the IP and subnet mask fields to define the subnet you wish to exclude.</LI> </UL> </LI> <LI> <P><STRONG>Configure the Rule</STRONG>:</P> <UL> <LI>Set the action to "Notify" instead of "Block" for the specific subnet you want to exclude.</LI> <LI>Set an expiration time for the rule to ensure it doesn't affect performance unnecessarily.</LI> </UL> </LI> <LI> <P><STRONG>Enforce the Rule</STRONG>:</P> <UL> <LI>Click "Enforce" to apply the rule to the selected Security Gateway(s)</LI> </UL> </LI> </OL> Fri, 20 Dec 2024 19:27:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-exclude-IP-from-SAM-rules/m-p/236536#M45874 HeikoAnkenbrand 2024-12-20T19:27:37Z