topic Re: Suspicious Activity Monitoring (SAM) Rules in Firewall and Security Management

Suspicious Activity Monitoring (SAM) Rules

Thomas_Bauer — Mon, 13 Jan 2020 13:10:27 GMT

The challenge was to block a lot of pub IPs. Allocated via Mgmt-Server.

Example to allocate on all SGW's I do following on Mgmt Server (CP R80.30)

fw sam -I subdst 2.237.76.249 255.255.255.255

Everything is fine and this IP is blocked on all our SGW's R80.10 til R80.30.

Problem is to check which IPs are in kernel table in this "blocking modus".

-----

So I did on the SGW:

----

[Expert@SGW:0]# fw tab -t sam_blocked_ips

localhost:

-------- sam_blocked_ips --------

dynamic, id 8141, num ents 1175, load factor 2.29, attributes: keep, , hashsize 512, limit 50000

<a7567bb0; 00000000, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

->Example: a7=167 .56=186 .7b= 123 .b0=176 von HeX nach dEz !!!

IPv4= 167.186.123.176 !!!!

Actually 1175 entries are on this SGW active.

How can I see all this entries ? ?
Is there a table to copy and to relocate to IPv4 (all this 1175 IPs ) ??

---

My output is following:

[Expert@SGW:0]# fw tab -t sam_blocked_ips

localhost:

-------- sam_blocked_ips --------

dynamic, id 8141, num ents 1175, load factor 2.29, attributes: keep, , hashsize 512, limit 50000

<a7567bb0; 00000000, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<46a935ea; 00000000, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<9a78e3ce; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<68efafd3; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<2d5094a8; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<830067c8; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<ba926e6c; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<be8ec86c; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<18b57d3e; 00000000, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<d44996e9; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<02ed4cf9; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<ba54ad99; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<92b9fdaf; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<59bc7c91; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<566240bd; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<4845632f; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

...(16434 More)

Re: Suspicious Activity Monitoring (SAM) Rules

Neville_Kuo — Mon, 13 Jan 2020 14:39:14 GMT

You may try with "-f" prameter.

Re: Suspicious Activity Monitoring (SAM) Rules

Yatiraj_Panchal — Mon, 13 Jan 2020 14:43:19 GMT

Hi,

One below command is there to see the IP address other than you mentioned.

fw sam_policy get

But, you can check all the IP addresses in SmartView Monitor -->Suspicious Activity Rules.

Re: Suspicious Activity Monitoring (SAM) Rules

Thomas_Bauer — Mon, 13 Jan 2020 15:05:26 GMT

Hi , sorry but fw sam_policy get output is:

Get operation succeeded
no corresponding SAM policy requests

Re: Suspicious Activity Monitoring (SAM) Rules

Thomas_Bauer — Mon, 13 Jan 2020 15:11:25 GMT

Hi, the -f parameter don't show me all 1125 entries ! Only a lot of actually session.

I did SAM rules via CLI !!!! That's important !!

Re: Suspicious Activity Monitoring (SAM) Rules

Thomas_Bauer — Mon, 13 Jan 2020 15:25:06 GMT

On SmartViewTracker I can see in a table following

..but how can I export or edit it for "CLI" Administration ? I have more than 1000 entries to check .

Re: Suspicious Activity Monitoring (SAM) Rules

HeikoAnkenbrand — Mon, 13 Jan 2020 21:33:04 GMT

Hi @Thomas_Bauer

It is better - for performance reasons - to block this on SecureXL level.

The SecureXL penalty box is a mechanism that performs an early drop of packets arriving from suspected sources.

Why not sam policy rules?

The SAM policy rules consume some CPU resources on Security Gateway. We recommend to set an expiration that gives you time to investigate, but does not affect performance. The best practice is to keep only the SAM policy rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk. Or better use SecureXL penalty box from a performance point of view.

The purpose of this feature is to allow the Security Gateway to cope better under high load, possibly caused by a DoS/DDoS attack. These commands „fwaccel dos“ and „fwaccel6 dos“ control the Rate Limiting for DoS mitigation techniques in SecureXL on the local security gateway or cluster member.

In version R80.20, the penalty box feature is now supported in VSX mode and each virtual system can be independently configured for penalty box operation.

Attention!

In R80.20, all "sim erdos" commands are no longer supported. They have been replaced with equivalent commands which can be found under "fwaccel dos". Penalty box is configured separately for IPv4 and IPv6. IPv4 configuration is performed using the "fwaccel dos" command. IPv6 configuration is performed using the "fwaccel6 dos" command.

More read here: R80.x - Performance Tuning Tip - DDoS „fw sam“ vs. „fwaccel dos“

Re: Suspicious Activity Monitoring (SAM) Rules

PhoneBoy — Mon, 13 Jan 2020 23:55:17 GMT

fw tab -t sam_blocked_ips -u will dump all the table entries.

Re: Suspicious Activity Monitoring (SAM) Rules

Thomas_Bauer — Tue, 14 Jan 2020 06:53:20 GMT

Hello PhoneBoy,

many thanks.

fw tab -t sam_blocked_ips -u works and show all entries.

AddOn: Please add this cli command to a SK Articel - because I can't found it on any manuel /description.

Danke👏

Re: Suspicious Activity Monitoring (SAM) Rules

PhoneBoy — Mon, 20 Jan 2020 21:50:27 GMT

Pretty sure the "fw tab" command is documented in SK and in regular documentation as it's been around since the beginning of Check Point time. 😁