topic R80.x Performance Tuning Tip – DDoS „fw sam“ vs. „fwaccel dos“ in General Topics

R80.x Performance Tuning Tip – DDoS „fw sam“ vs. „fwaccel dos“

HeikoAnkenbrand — Mon, 14 Sep 2020 13:41:45 GMT

What is SecureXL penalty box?

The SecureXL penalty box is a mechanism that performs an early drop of packets arriving from suspected sources. This mechanism is supported starting in R75.40VS.

Why not sam policy rules?

The SAM policy rules consume some CPU resources on Security Gateway. We recommend to set an expiration that gives you time to investigate, but does not affect performance. The best practice is to keep only the SAM policy rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk. Or better use SecureXL penalty box from a performance point of view.

The purpose of this feature is to allow the Security Gateway to cope better under high load, possibly caused by a DoS/DDoS attack. These commands „fwaccel dos“ and „fwaccel6 dos“ control the Rate Limiting for DoS mitigation techniques in SecureXL on the local security gateway or cluster member.

In version R80.20, the penalty box feature is now supported in VSX mode and each virtual system can be independently configured for penalty box operation.

Attention!

In R80.20, all "sim erdos" commands are no longer supported. They have been replaced with equivalent commands which can be found under "fwaccel dos". Penalty box is configured separately for IPv4 and IPv6. IPv4 configuration is performed using the "fwaccel dos" command. IPv6 configuration is performed using the "fwaccel6 dos" command.

Chapter

More interesting articles:

- R80.x Architecture and Performance Tuning - Link Collection
- Article list (Heiko Ankenbrand)

Old known SAM rule

This would be a classic SAM rule which already existed in all versions R77.30, R80.10 and R80.20. In this example the source IP 1.2.3.4 is blocked.

I don't want to go into the SAM rules further here. You can read it here: How to create and view Suspicious Activity Monitoring (SAM) Rules.

IP blacklist

Tip 1

Controls the IP blacklist in SecureXL. The blacklist blocks all traffic to and from the specified IP addresses. It is an easy way to block certain IP addresses quickly and eficiently on SecureXL level.

The blacklist drops occur in SecureXL, which is more efficient than an Access Control Policy or SAM rule to drop the packets. This can be very helpful e.g. with DoS attacks to block an IP on SecureXL level.

For example, the traffic from and to IP 1.2.3.4 should be blocked at SecureXL level.

On gateway set the IP 1.2.3.4 to Secure XL blacklist:

# fwaccel dos blacklist -a 1.2.3.4

On gateway displays all IP's on the SecureXL blacklist:

# fwaccel dos blacklist -s

On gateway delete the IP 1.2.3.4 from Secure XL blacklist:

# fwaccel dos blacklist -d 1.2.3.4

Penalty Box

Tip 2

Controls the Penalty Box whitelist in SecureXL.

The SecureXL Penalty Box is a mechanism that performs an early drop of packets that arrive from suspected sources. The purpose of this feature is to allow the Security Gateway to cope better under high traffic load, possibly caused by a DoS/DDoS attack. The SecureXL Penalty Box detects clients that sends packets, which the Access Control Policy drops, and clients that violate the IPS protections. If the SecureXL Penalty Box detect a specific client frequently, it puts that client in a penalty box. From that point, SecureXL drops all packets that arrive from the blocked source IP address.

The Penalty Box whitelist in SecureXL lets you configure the source IP addresses, which the SecureXL Penalty Box never blocks. What is the SecureXL penalty box mechanism for offending IP addresses?

How to configure Rate Limiting rules for DoS Mitigation (R80.20 and higher): sk112454

Penalty Box whitelist

Tip 3

Furthermore there are also the Penalty Box whitelist in SecureXL.

References

What is the SecureXL penalty box mechanism for offending IP addresses?
Command Line Interface R80.20 Reference Guide
Performance Tuning R80.20 Administration Guide
How to create and view Suspicious Activity Monitoring (SAM) Rules

Re: R80.x Performance Tuning Tip – DDoS „fw sam“ vs. „fwaccel dos“

_Jelle — Mon, 03 Dec 2018 20:11:02 GMT

Hi Heiko,

Since i am not running R80.20 yet, i use "sim dropcfg" to achieve the same functions as "fwaccel dos blacklist". I discovered that there is a limitation on the maximum number of blacklisted IP's in "sim dropcfg" when you load a blacklist file into SecureXL.Do you know if there are any limitations around the maximum number of entry's in the "fwaccel dos blacklist" feature?

And off course nice article, with some great tips!

Kind regards,

Jelle

Re: R80.x Performance Tuning Tip – DDoS „fw sam“ vs. „fwaccel dos“

HeikoAnkenbrand — Mon, 03 Dec 2018 20:52:39 GMT

Hi Jelle,

Unfortunately I have no information about the maximum number.
But I can test it in the LAB under R80.20. I build a script to enter 256 IP addresses automatically and then the next block. Then we will see how many IP addresses can be added.

I'll check it out in the next few days.

Regards

Heiko

Re: R80.x Performance Tuning Tip – DDoS „fw sam“ vs. „fwaccel dos“

Umit_Guler — Mon, 01 Apr 2019 22:26:44 GMT

Hi Heiko,

Thank you for this great article. Is there any way to add bulk list without script?

If it is right, "fwaccel dos stats get" outputs shows that the maximum number is 975274

Regards,

Umit

Re: R80.x Performance Tuning Tip – DDoS „fw sam“ vs. „fwaccel dos“

Alex_Lewis — Wed, 12 Jun 2019 11:45:04 GMT

I have enable-log-drops set but it appears that penalty box is not logging to the log server. Where can I find these logs?

Re: R80.x Performance Tuning Tip – DDoS „fw sam“ vs. „fwaccel dos“

Paul_Gademsky — Mon, 04 May 2020 17:49:37 GMT

Reviving this old thread to answer your question. the options are -l filename, -L load all files under $FWDIR/conf/blaclists into blacklists.

Hope that helps

Re: R80.x Performance Tuning Tip – DDoS „fw sam“ vs. „fwaccel dos“

cezar_varlan1 — Wed, 13 May 2020 14:50:17 GMT

+1 on this one.

Plus it looks like it is allowing inbound connections

Re: R80.x Performance Tuning Tip – DDoS „fw sam“ vs. „fwaccel dos“

CP-NDA — Wed, 23 Sep 2020 18:28:04 GMT

By any chance does someone already implemented this solution in Automatic Reaction in SmartEvent ?

Do we need to implement an external script to do that?

Thank you

Re: R80.x Performance Tuning Tip – DDoS „fw sam“ vs. „fwaccel dos“

CP-NDA — Wed, 17 Nov 2021 08:46:04 GMT

Hi All,

Any feedback on this. I often get the same question but in all honesty I don't have the answer

Is there a way to make the "ip blacklist" working with Automatic Reaction in SmartEvent ?

For example, if we have hits on a honeypot, blacklist the IP

Thank you

Re: R80.x Performance Tuning Tip – DDoS „fw sam“ vs. „fwaccel dos“

cezar_varlan1 — Wed, 08 Dec 2021 13:16:39 GMT

What I did is populate a simple html page with IPs to be blocked every 20 minutes. This is taken out of Splunk in my case.

If you have hits on a honeypot then you would have to script a way to obtain the "srcip" from the honeypot and populate the URL. Then it will be blocked as soon as the blacklist reads the html page.

https://community.checkpoint.com/t5/Scripts/Dyn-IP-Block-Dynamic-Blocking-of-IP-Addresses-from-URL/m-p/104653#M728

Re: R80.x Performance Tuning Tip – DDoS „fw sam“ vs. „fwaccel dos“

cezar_varlan1 — Wed, 08 Dec 2021 13:17:59 GMT

The other way would be to script it from SmartEvent. There is a way to inject any matching rules to /var/log/messages and have this monitored and run an on demand script to inject the block via fw samp or fw accel dos

Re: R80.x Performance Tuning Tip – DDoS „fw sam“ vs. „fwaccel dos“

Don_Paterson — Fri, 02 Dec 2022 10:10:56 GMT

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_CLI_ReferenceGuide/Topics-CLIG/PTG/SecureXL/fwaccel-dos-deny.htm?Highlight=fwaccel%20dos%20deny

You can update this great article with fwaccel dos deny 😉

Regards,

Don

Great article (as always). Thank you.

Re: R80.x Performance Tuning Tip – DDoS „fw sam“ vs. „fwaccel dos“

fabianm — Wed, 27 Sep 2023 20:53:20 GMT

Note: The commands 'fwaccel dos blacklist' and 'fwaccel dos whitelist' are deprecated and were replaced by 'fwaccel dos deny' and 'fwaccel dos allow'.

https://support.checkpoint.com/results/sk/sk112454