Blason_R
Advisor

fwaccel does not seem to be running on R81

Hi Team,

It looks like the fwaccel dos rate CIDR rules do not seem to be running on the firewall. I guess I configured them correctly, but I see that traffic is still being passed. Am I missing anything here?

Here is the rule:

operation=add uid=<5feea76f,00000000,8805a8c0,000036f4> target=all timeout=1309 action=drop log=regular comment=isnti-threat-intel-block service=any source=cidr:30.40.50.0/24 pkt-rate=0

# fwaccel dos config get
rate limit: enabled (with policy)
rule cache: enabled
pbox: enabled
deny list: enabled (with policy)
drop frags: disabled
drop opts: disabled
internal: disabled
monitor: disabled
log drops: enabled
log pbox: enabled
notif rate: 100 notifications/second
pbox rate: 500 packets/second
pbox tmo: 180 seconds

So my source here is 30.40.50.104, and it is trying to reach 192.168.5.129, which is behind the R81 firewall at 100.101.102.136.

9 Replies

Is it working if you add a rule explicitly for 30.40.50.104?

Blason_R
Advisor

Yes, it does with a deny rule, but not with a dos rate rule.

operation=add uid=<5feed217,00000000,8805a8c0,00007b70> target=all timeout=469 action=drop log=regular comment=Test service=any source=range:30.40.50.104 pkt-rate=0

Eric_Dale
Employee

Looking at the output of "fwaccel dos config get" I see that enforcement for internal interfaces is disabled (which is the default behavior).

Is it possible that the traffic from 30.40.50.0/24 is arriving at an internal interface? sk112454 has details on this; look for the paragraph titled "Enable Enforcement for Internal Interfaces".

Also, I see your rule is configured to have a timeout. Note that the timeout is in seconds.

Blason_R
Advisor

This is not the case, for sure. I confirmed that the traffic is coming through the external network. And yes, I even tried enabling the flag --enable-internal-network; however, even after that the traffic was not getting blocked.

Is this a bug?

_Val_
Admin

Eric_Dale
Employee

Assuming your rule UID is "<5feea76f,00000000,8805a8c0,000036f4>", does fwaccel dos rate counters "<5feea76f,00000000,8805a8c0,000036f4>" return any data?

If not, then what happens if you try to run the command fwaccel_dos_rate_install in expert mode?

Eric_Dale
Employee

It seems like you created the rule using "fwaccel dos rate add". If you used "fw samp" to create the rule, then the problem may be that you need to perform a "flush true".

For reference, here's what I see when I create a similar rule (using fwaccel dos rate add) and then do watch -n .1 'fwaccel dos rate counters "<5ff335d1,00000000,335016ac,0000723b>"':

==================================================

Rule UID: <5ff335d1,00000000,335016ac,0000723b>
Policy: 2
FW Index: -1
SecureXL Index: 1
Timeout: unlimited
Max Concurrent Connections: unlimited
New Connection Rate: unlimited
Packet Rate: 0
Byte Rate: unlimited
Max Concurrent Connections Ratio: unlimited
New Connection Rate Ratio: unlimited
Packet Rate Ratio: unlimited
Byte Rate Ratio: unlimited
Action: drop
Log Type: regular
Concurrent Connections: 0
Connection Rate: 0
Packets: 5
Bytes: 490
Violated Limits: packets-per-second

==================================================


The "Violated Limits" line should show that the rule is being violated, but only while packets are being sent from the blocked host.
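The counter check described above can be scripted so the result is unambiguous. The following is an added example, not code from the thread or from Check Point: it parses the output of fwaccel dos rate counters "<rule-uid>" (the sample below is constructed in the format shown above) and reports whether the rule is known to SecureXL and whether it is currently matching packets. The function names are my own.

```bash
#!/bin/bash
# Added example: classify the output of
#   fwaccel dos rate counters "<rule-uid>"
# Constructed sample in the format shown in the thread (not a real capture).
SAMPLE_COUNTERS='Rule UID: <5ff335d1,00000000,335016ac,0000723b>
Policy: 2
FW Index: -1
SecureXL Index: 1
Timeout: unlimited
Packet Rate: 0
Action: drop
Log Type: regular
Packets: 5
Bytes: 490
Violated Limits: packets-per-second'

# counter_field OUTPUT FIELD -> value of the first "FIELD: value" line
counter_field() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p" | head -n 1
}

# rule_status OUTPUT -> prints one of:
#   no-counters       no "Packets:" line, i.e. the UID returned nothing
#   not-matching      counters exist but no packet has hit the rule yet
#   matching:<limit>  packets hit the rule; <limit> is the violated limit
#                     ("none" if the field is empty)
rule_status() {
    out="$1"
    pkts=$(counter_field "$out" "Packets")
    violated=$(counter_field "$out" "Violated Limits")
    if [ -z "$pkts" ]; then
        echo "no-counters"; return 2
    fi
    if [ "$pkts" -eq 0 ]; then
        echo "not-matching"; return 1
    fi
    echo "matching:${violated:-none}"
}

# Live use on the gateway (expert mode) with the OP's rule UID:
#   rule_status "$(fwaccel dos rate counters '<5feea76f,00000000,8805a8c0,000036f4>')"
rule_status "$SAMPLE_COUNTERS"   # prints: matching:packets-per-second
```

Run it in a loop (or under watch) while the blocked host is sending; "no-counters" points at the rule not being installed, "not-matching" at traffic not reaching that rule.
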
Blason_R
Advisor

Well @Eric_Dale, this only happens with fwaccel dos, and I am trying to achieve this for networks, since I am already using fwaccel dos deny for hosts.

Blason_R
Advisor

Let me try with counters and keep you posted.
