Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Lithin_Mathew
Contributor

Monitor-Only Mode in Rate Limiting for DDOS Prevention

We are currently planning to deploy DDOS Mitigation on our Checkpoint firewall using the below commands as per the SK: "fw samp" and "fwaccel dos" We are planning to apply it on our external interface for all the traffic coming from the internet. Currently the gateway is running R80.30 take 196

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

We need to know what are the parameters we need to make sure before deploying this in our production environment, as this should not impact our production traffic.

So First we will be deploying the Monitor-Only mode to understand the traffic patterns and make sure we are not blocking Genuine traffic, using the below command:

# Enable monitor-only mode

[Expert@HostName:0]# fwaccel dos config set --enable-monitor

Could you anyone provide the parameters Checkpoint would be using in Monitor Mode to detect if the traffic is a DOS traffic or not.

Because while creating the fw samp rule we are setting the parameters manually but in monitor mode there is no option to set the parameters, like below:

  • Add a rule with action=drop, log=record, service/protocol=any source IP=192.168.2.101, maximum packets-per-second=1000:

[Expert@HostName:0]# fw samp add -a d -l r quota service any source cidr:192.168.2.0/24 pkt-rate 1000 flush true

 

0 Kudos
6 Replies
PhoneBoy
Admin
Admin

My understanding is that monitor mode uses the rules you define but instead of dropping when they trigger, they are allowed but logged.
What precisely happens when you try to define rules like you describe in monitor mode?

0 Kudos
Lithin_Mathew
Contributor

Hi @PhoneBoy , 

I have not yet tested this in my environment, because I am not sure about the impact it would have on the production traffic.

I was under the impression that if I create a Rate limiting policy with the "fw samp" command like below, Rate limiting would be activated on the checkpoint and it would  drop all the traffic that matched the below criteria, correct me if I am wrong.  

[Expert@HostName:0]# fw samp add -a d -l r quota service any source cidr:192.168.2.0/24 pkt-rate 1000 flush true

[Expert@HostName:0]# fw samp add quota flush true

Or should I run the below command to prevent the Rate limiting from taking effect:

# Disable rate limiting policy rules

[Expert@HostName:0]# fwaccel dos config set --disable-rate-limit

 

 

 

 

 

0 Kudos
PhoneBoy
Admin
Admin

Assuming you enable monitor mode first, rate limiting will be "activated" but won't actually impact traffic.
You’ll just see logs of what would happen.

Lithin_Mathew
Contributor

Got it @PhoneBoy , so I hope below are required steps I need to follow:

# Enable monitor-only mode

[Expert@HostName:0]# fwaccel dos config set --enable-monitor

# Enable logging

[Expert@HostName:0]# fwaccel dos config set --enable-log-drops

#Add a rule with action=drop, log=record, service/protocol=any source IP=192.168.2.101, maximum packets-per-second=1000

[Expert@HostName:0]# fw samp add -a d -l r quota service any source cidr:192.168.2.0/24 pkt-rate 1000 flush true

#Confirm the rule is in place

[Expert@HostName:0]# fw samp get

#Saving and Applying Changes to Policy Rules

[Expert@HostName:0]# fw samp add quota flush true

#Statistics and Monitoring

[Expert@HostName:0]# fwaccel dos stats get

After verifying the logs, when the DOS policy needs to be implemented :

# Disable monitor-only mode (this is the default)

[Expert@HostName:0]# fwaccel dos config set --disable-monitor

# Enable rate limiting policy rules (this is the default)

[Expert@HostName:0]# fwaccel dos config set --enable-rate-limit

 

Kindly confirm if the above steps are correct or is there anything I missed.

Also as per the SK in Applying changes section there is a point, "So, at reboot, either all the rules are installed, or no rules are installed (if no flush command was found)", what is a "no flush command" and where would it be used.

0 Kudos
Lithin_Mathew
Contributor

Hi @PhoneBoy,

Could you confirm if the above mentioned steps are right, it would be greatly helpful.

Thanks in advance.

 

0 Kudos
PhoneBoy
Admin
Admin

Steps look correct to me.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events