cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Highlighted

Suspicious Activity Monitoring (SAM) Rules

Jump to solution

The challenge was to block a lot of pub IPs. Allocated via Mgmt-Server.

Example to allocate on all SGW's I do following on Mgmt Server (CP R80.30)

fw sam -I subdst 2.237.76.249 255.255.255.255

Everything is fine and this IP is blocked on all our SGW's R80.10 til R80.30.

Problem is to check which IPs are in kernel table in this "blocking modus".

-----

So I did on the SGW:

----

[Expert@SGW:0]# fw tab -t sam_blocked_ips

localhost:

-------- sam_blocked_ips --------

dynamic, id 8141, num ents 1175, load factor 2.29, attributes: keep, , hashsize 512, limit 50000

<a7567bb0; 00000000, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>   

->Example: a7=167  .56=186  .7b= 123 .b0=176 von HeX nach dEz !!!

  IPv4=  167.186.123.176   !!!!

Actually 1175 entries are on this SGW active.

  • How can I see all this entries ? ? 
  • Is there a table to copy and to relocate to IPv4 (all this 1175 IPs ) ??

---

My output is following:

[Expert@SGW:0]# fw tab -t sam_blocked_ips

localhost:

-------- sam_blocked_ips --------

dynamic, id 8141, num ents 1175, load factor 2.29, attributes: keep, , hashsize 512, limit 50000

<a7567bb0; 00000000, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>  

<46a935ea; 00000000, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>      

<9a78e3ce; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<68efafd3; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<2d5094a8; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<830067c8; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<ba926e6c; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<be8ec86c; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<18b57d3e; 00000000, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<d44996e9; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<02ed4cf9; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<ba54ad99; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<92b9fdaf; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<59bc7c91; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<566240bd; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<4845632f; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

...(16434 More)

2 Solutions

Accepted Solutions
Highlighted

Re: Suspicious Activity Monitoring (SAM) Rules

Jump to solution

Hi @Thomas_Bauer 

It is better - for performance reasons - to block this on SecureXL level.

The SecureXL penalty box is a mechanism that performs an early drop of packets arriving from suspected sources. 

Why not sam policy rules?

The SAM policy rules consume some CPU resources on Security Gateway. We recommend to set an expiration that gives you time to investigate, but does not affect performance. The best practice is to keep only the SAM policy rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk. Or better use SecureXL penalty box from a performance point of view.

The purpose of this feature is to allow the Security Gateway to cope better under high load, possibly caused by a DoS/DDoS attack. These commands „fwaccel dos“ and „fwaccel6 dos“  control the Rate Limiting for DoS mitigation techniques in SecureXL on the local security gateway or cluster member.

In version R80.20, the penalty box feature is now supported in VSX mode and each virtual system can be independently configured for penalty box operation.

Attention!

In R80.20, all "sim erdos" commands are no longer supported. They have been replaced with equivalent commands which can be found under "fwaccel dos". Penalty box is configured separately for IPv4 and IPv6. IPv4 configuration is performed using the "fwaccel dos" command. IPv6 configuration is performed using the "fwaccel6 dos" command.

More read here: R80.x - Performance Tuning Tip - DDoS „fw sam“ vs. „fwaccel dos“ 

 

View solution in original post

Admin
Admin

Re: Suspicious Activity Monitoring (SAM) Rules

Jump to solution
fw tab -t sam_blocked_ips -u will dump all the table entries.

View solution in original post

9 Replies
Highlighted
Silver

Re: Suspicious Activity Monitoring (SAM) Rules

Jump to solution

You may try with "-f" prameter.

Highlighted

Re: Suspicious Activity Monitoring (SAM) Rules

Jump to solution

Hi,  the -f parameter don't show me all 1125 entries ! Only a lot of actually session.

I did SAM rules via CLI !!!! That's important !!

 

Highlighted

Re: Suspicious Activity Monitoring (SAM) Rules

Jump to solution

Hi,

One below command is there to see the IP address other than you mentioned. 

fw sam_policy get

But, you can check all the IP addresses in SmartView Monitor -->Suspicious Activity Rules. 

Highlighted

Re: Suspicious Activity Monitoring (SAM) Rules

Jump to solution

Hi , sorry but fw sam_policy get  output is:

Get operation succeeded
no corresponding SAM policy requests

Highlighted

Re: Suspicious Activity Monitoring (SAM) Rules

Jump to solution

On SmartViewTracker I can see in a table following

 
 

Unbenannt.JPG

..but how can I export or edit it for "CLI" Administration ? I have more than 1000 entries to check .

0 Kudos
Highlighted

Re: Suspicious Activity Monitoring (SAM) Rules

Jump to solution

Hi @Thomas_Bauer 

It is better - for performance reasons - to block this on SecureXL level.

The SecureXL penalty box is a mechanism that performs an early drop of packets arriving from suspected sources. 

Why not sam policy rules?

The SAM policy rules consume some CPU resources on Security Gateway. We recommend to set an expiration that gives you time to investigate, but does not affect performance. The best practice is to keep only the SAM policy rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk. Or better use SecureXL penalty box from a performance point of view.

The purpose of this feature is to allow the Security Gateway to cope better under high load, possibly caused by a DoS/DDoS attack. These commands „fwaccel dos“ and „fwaccel6 dos“  control the Rate Limiting for DoS mitigation techniques in SecureXL on the local security gateway or cluster member.

In version R80.20, the penalty box feature is now supported in VSX mode and each virtual system can be independently configured for penalty box operation.

Attention!

In R80.20, all "sim erdos" commands are no longer supported. They have been replaced with equivalent commands which can be found under "fwaccel dos". Penalty box is configured separately for IPv4 and IPv6. IPv4 configuration is performed using the "fwaccel dos" command. IPv6 configuration is performed using the "fwaccel6 dos" command.

More read here: R80.x - Performance Tuning Tip - DDoS „fw sam“ vs. „fwaccel dos“ 

 

View solution in original post

Admin
Admin

Re: Suspicious Activity Monitoring (SAM) Rules

Jump to solution
fw tab -t sam_blocked_ips -u will dump all the table entries.

View solution in original post

Highlighted

Re: Suspicious Activity Monitoring (SAM) Rules

Jump to solution

Hello PhoneBoy,

many thanks.

fw tab -t sam_blocked_ips -u   works and show all entries.

AddOn: Please add this cli command to a SK Articel - because I can't found it on any manuel /description.

Danke👏

0 Kudos
Highlighted
Admin
Admin

Re: Suspicious Activity Monitoring (SAM) Rules

Jump to solution
Pretty sure the "fw tab" command is documented in SK and in regular documentation as it's been around since the beginning of Check Point time. 😁
0 Kudos