https://community.checkpoint.com/t5/General-Topics/fwaccel-does-not-seems-to-be-running-on-R81/m-p/106898#M20468 <P>Did you look into here?&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk112454" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk112454</A></P> Mon, 04 Jan 2021 15:17:08 GMT _Val_ 2021-01-04T15:17:08Z https://community.checkpoint.com/t5/General-Topics/fwaccel-does-not-seems-to-be-running-on-R81/m-p/106774#M20442 <P>Hi Team,</P><P>&nbsp;</P><P>It looks like fwaccel dos rate cidr rules does not seems to be running on firewall. I guess I configured those correctly but I see still traffic is being passed. Am I missing anything here?</P><P>Here is the rule</P><P>operation=add uid=&lt;5feea76f,00000000,8805a8c0,000036f4&gt; target=all timeout=1309 action=drop log=regular comment=isnti-threat-intel-block service=any source=cidr:30.40.50.0/24 pkt-rate=0</P><P># fwaccel dos config get<BR />rate limit: enabled (with policy)<BR />rule cache: enabled<BR />pbox: enabled<BR />deny list: enabled (with policy)<BR />drop frags: disabled<BR />drop opts: disabled<BR />internal: disabled<BR />monitor: disabled<BR />log drops: enabled<BR />log pbox: enabled<BR />notif rate: 100 notifications/second<BR />pbox rate: 500 packets/second<BR />pbox tmo: 180 seconds</P><P>So my source here is 30.40.50.104 and trying to reach to 192.168.5.129 which is behind 100.101.102.136 FW R81</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 01 Jan 2021 04:48:45 GMT https://community.checkpoint.com/t5/General-Topics/fwaccel-does-not-seems-to-be-running-on-R81/m-p/106774#M20442 Blason_R 2021-01-01T04:48:45Z https://community.checkpoint.com/t5/General-Topics/fwaccel-does-not-seems-to-be-running-on-R81/m-p/106775#M20443 <P>Is it working if you add rule explicitly for&nbsp;<SPAN>30.40.50.104 ?</SPAN></P> Fri, 01 Jan 2021 06:45:16 GMT https://community.checkpoint.com/t5/General-Topics/fwaccel-does-not-seems-to-be-running-on-R81/m-p/106775#M20443 HristoGrigorov 2021-01-01T06:45:16Z https://community.checkpoint.com/t5/General-Topics/fwaccel-does-not-seems-to-be-running-on-R81/m-p/106777#M20444 <P>Yes it does with deny rule but not with dos rate rule</P><P>operation=add uid=&lt;5feed217,00000000,8805a8c0,00007b70&gt; target=all timeout=469 action=drop log=regular comment=Test service=any source=range:30.40.50.104 pkt-rate=0</P> Fri, 01 Jan 2021 07:41:24 GMT https://community.checkpoint.com/t5/General-Topics/fwaccel-does-not-seems-to-be-running-on-R81/m-p/106777#M20444 Blason_R 2021-01-01T07:41:24Z https://community.checkpoint.com/t5/General-Topics/fwaccel-does-not-seems-to-be-running-on-R81/m-p/106884#M20464 <P>Looking at the output of "fwaccel dos config get" I see that enforcement for internal interfaces is disabled (which is the default behavior).</P> <P>Is it possible that the traffic from 30.40.50.0/24 is arriving at an internal interface?&nbsp; sk112454 has details on this:&nbsp; look for the paragraph titled "Enable Enforcement for Internal Interfaces"</P> <P>Also, I see you rule is configured to have a timeout.&nbsp; Note that the timeout is in seconds.</P> Mon, 04 Jan 2021 12:40:51 GMT https://community.checkpoint.com/t5/General-Topics/fwaccel-does-not-seems-to-be-running-on-R81/m-p/106884#M20464 Eric_Dale 2021-01-04T12:40:51Z https://community.checkpoint.com/t5/General-Topics/fwaccel-does-not-seems-to-be-running-on-R81/m-p/106894#M20466 <P>This is not the case for sure. I confirmed that traffic is coming through external network. And yes even tried enabling the flag --enable-internal-network however even after that traffic was not getting blocked.</P><P>Is this a bug?</P> Mon, 04 Jan 2021 14:53:10 GMT https://community.checkpoint.com/t5/General-Topics/fwaccel-does-not-seems-to-be-running-on-R81/m-p/106894#M20466 Blason_R 2021-01-04T14:53:10Z https://community.checkpoint.com/t5/General-Topics/fwaccel-does-not-seems-to-be-running-on-R81/m-p/106898#M20468 <P>Did you look into here?&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk112454" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk112454</A></P> Mon, 04 Jan 2021 15:17:08 GMT https://community.checkpoint.com/t5/General-Topics/fwaccel-does-not-seems-to-be-running-on-R81/m-p/106898#M20468 _Val_ 2021-01-04T15:17:08Z https://community.checkpoint.com/t5/General-Topics/fwaccel-does-not-seems-to-be-running-on-R81/m-p/106901#M20469 <P>Assuming your rule UID is "&lt;5feea76f,00000000,8805a8c0,000036f4&gt;", does <STRONG>fwaccel dos rate counters "&lt;5feea76f,00000000,8805a8c0,000036f4&gt;"</STRONG> return any data?&nbsp;</P> <P>If not, then what happens if you try to run the command <STRONG>fwaccel_dos_rate_install</STRONG> in expert mode?</P> <P>&nbsp;</P> Mon, 04 Jan 2021 15:20:05 GMT https://community.checkpoint.com/t5/General-Topics/fwaccel-does-not-seems-to-be-running-on-R81/m-p/106901#M20469 Eric_Dale 2021-01-04T15:20:05Z https://community.checkpoint.com/t5/General-Topics/fwaccel-does-not-seems-to-be-running-on-R81/m-p/106905#M20470 <P>It seems like you created the rule using "fwaccel dos rate add".&nbsp;&nbsp; If you used "fw samp" to create the rule, then the problem may be that you need to perform a "flush true".</P> <P>For reference, here's what I see when I create a similar rule (using fwaccel dos rate add) and then do <STRONG>watch -n .1 'fwaccel dos rate counters "&lt;5ff335d1,00000000,335016ac,0000723b&gt;"':</STRONG></P> <P><STRONG>==================================================</STRONG></P> <P>Rule UID: &lt;5ff335d1,00000000,335016ac,0000723b&gt;<BR />Policy: 2<BR />FW Index: -1<BR />SecureXL Index: 1<BR />Timeout: unlimited<BR />Max Concurrent Connections: unlimited<BR />New Connection Rate: unlimited<BR />Packet Rate: 0<BR />Byte Rate: unlimited<BR />Max Concurrent Connections Ratio: unlimited<BR />New Connection Rate Ratio: unlimited<BR />Packet Rate Ratio: unlimited<BR />Byte Rate Ratio: unlimited<BR />Action: drop<BR />Log Type: regular<BR />Concurrent Connections: 0<BR />Connection Rate: 0<BR />Packets: 5<BR />Bytes: 490<BR />Violated Limits: packets-per-second </P> <P><STRONG>==================================================</STRONG></P> <P>&nbsp;</P> <P>The "violated limits" line item should indicate that the rule is being violated, but only while packets are being sent from the blocked host.</P> <P>&nbsp;</P> Mon, 04 Jan 2021 15:44:09 GMT https://community.checkpoint.com/t5/General-Topics/fwaccel-does-not-seems-to-be-running-on-R81/m-p/106905#M20470 Eric_Dale 2021-01-04T15:44:09Z https://community.checkpoint.com/t5/General-Topics/fwaccel-does-not-seems-to-be-running-on-R81/m-p/106916#M20472 <P>well&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/39958">@Eric_Dale</a>&nbsp;this only happens with fwaccel dos and I am trying to achieve for networks since I am already using fwaccel dos deny for hosts.</P><P>&nbsp;</P> Mon, 04 Jan 2021 17:04:41 GMT https://community.checkpoint.com/t5/General-Topics/fwaccel-does-not-seems-to-be-running-on-R81/m-p/106916#M20472 Blason_R 2021-01-04T17:04:41Z https://community.checkpoint.com/t5/General-Topics/fwaccel-does-not-seems-to-be-running-on-R81/m-p/106917#M20473 <P>Let me try with counters and keep you posted.</P> Mon, 04 Jan 2021 17:05:05 GMT https://community.checkpoint.com/t5/General-Topics/fwaccel-does-not-seems-to-be-running-on-R81/m-p/106917#M20473 Blason_R 2021-01-04T17:05:05Z