This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Blason_R
MVP Gold
MVP Gold
‎2020-12-31 08:48 PM

fwaccel does not seems to be running on R81

Hi Team,

 

It looks like fwaccel dos rate cidr rules does not seems to be running on firewall. I guess I configured those correctly but I see still traffic is being passed. Am I missing anything here?

Here is the rule

operation=add uid=<5feea76f,00000000,8805a8c0,000036f4> target=all timeout=1309 action=drop log=regular comment=isnti-threat-intel-block service=any source=cidr:30.40.50.0/24 pkt-rate=0

# fwaccel dos config get
rate limit: enabled (with policy)
rule cache: enabled
pbox: enabled
deny list: enabled (with policy)
drop frags: disabled
drop opts: disabled
internal: disabled
monitor: disabled
log drops: enabled
log pbox: enabled
notif rate: 100 notifications/second
pbox rate: 500 packets/second
pbox tmo: 180 seconds

So my source here is 30.40.50.104 and trying to reach to 192.168.5.129 which is behind 100.101.102.136 FW R81

 

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Preview file
63 KB
Preview file
97 KB
0 Kudos
9 Replies
HristoGrigorov
MVP Gold
MVP Gold
‎2020-12-31 10:45 PM

Is it working if you add rule explicitly for 30.40.50.104 ?

0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2020-12-31 11:41 PM

Yes it does with deny rule but not with dos rate rule

operation=add uid=<5feed217,00000000,8805a8c0,00007b70> target=all timeout=469 action=drop log=regular comment=Test service=any source=range:30.40.50.104 pkt-rate=0

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Eric_Dale
Employee
Employee
‎2021-01-04 04:40 AM

Looking at the output of "fwaccel dos config get" I see that enforcement for internal interfaces is disabled (which is the default behavior).

Is it possible that the traffic from 30.40.50.0/24 is arriving at an internal interface?  sk112454 has details on this:  look for the paragraph titled "Enable Enforcement for Internal Interfaces"

Also, I see you rule is configured to have a timeout.  Note that the timeout is in seconds.

0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2021-01-04 06:53 AM

This is not the case for sure. I confirmed that traffic is coming through external network. And yes even tried enabling the flag --enable-internal-network however even after that traffic was not getting blocked.

Is this a bug?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
_Val_
Admin
Admin
‎2021-01-04 07:17 AM

Did you look into here? https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
Eric_Dale
Employee
Employee
‎2021-01-04 07:20 AM

Assuming your rule UID is "<5feea76f,00000000,8805a8c0,000036f4>", does fwaccel dos rate counters "<5feea76f,00000000,8805a8c0,000036f4>" return any data? 

If not, then what happens if you try to run the command fwaccel_dos_rate_install in expert mode?

 

0 Kudos
Eric_Dale
Employee
Employee
‎2021-01-04 07:44 AM

It seems like you created the rule using "fwaccel dos rate add".   If you used "fw samp" to create the rule, then the problem may be that you need to perform a "flush true".

For reference, here's what I see when I create a similar rule (using fwaccel dos rate add) and then do watch -n .1 'fwaccel dos rate counters "<5ff335d1,00000000,335016ac,0000723b>"':

==================================================

Rule UID: <5ff335d1,00000000,335016ac,0000723b>
Policy: 2
FW Index: -1
SecureXL Index: 1
Timeout: unlimited
Max Concurrent Connections: unlimited
New Connection Rate: unlimited
Packet Rate: 0
Byte Rate: unlimited
Max Concurrent Connections Ratio: unlimited
New Connection Rate Ratio: unlimited
Packet Rate Ratio: unlimited
Byte Rate Ratio: unlimited
Action: drop
Log Type: regular
Concurrent Connections: 0
Connection Rate: 0
Packets: 5
Bytes: 490
Violated Limits: packets-per-second

==================================================

 

The "violated limits" line item should indicate that the rule is being violated, but only while packets are being sent from the blocked host.

 

0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2021-01-04 09:04 AM

well @Eric_Dale this only happens with fwaccel dos and I am trying to achieve for networks since I am already using fwaccel dos deny for hosts.

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2021-01-04 09:05 AM

Let me try with counters and keep you posted.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events