I am working to enable Penalty Box on my perimeter gateways, and I'm having trouble finding information on how to make the fwaccel dos config commands persist through a reboot. I have followed sk112454 to modify $FWDIR/bin/fwaccel_dos_rate_install with the commands listed below, rebooted the gateway, and if I run a 'fwaccel dos config get', it still shows everything as disabled.
$FWDIR/bin/fwaccel dos config set --enable-pbox
$FWDIR/bin/fwaccel dos whitelist -B
$FWDIR/bin/fwaccel dos pbox whitelist -B
$FWDIR/bin/fwaccel dos config set --disable-internal
$FWDIR/bin/fwaccel dos config set --enable-log-pbox
$FWDIR/bin/fw samp get -l -k req_type -t in -v quota | $FWDIR/bin/fwaccel dos rate install
if [[ -e $FWDIR/bin/fwaccel6 ]]; then
    $FWDIR/bin/fwaccel6 dos whitelist -B
    $FWDIR/bin/fwaccel6 dos pbox whitelist -B
    $FWDIR/bin/fw samp get -l -k req_type -t in -v quota | $FWDIR/bin/fwaccel6 dos rate install
fi
Except for rate limiting policy rules, configuration changes made using the "fwaccel dos" command are *not* automatically saved. To make the changes permanent, IPv4 commands can be added to the following shell script on the security gateway:
Likewise, IPv6 commands can be added to the following script:
This shell script is executed whenever IPv6 rate limiting policy is installed, including system startup.
I tried what is mentioned in that SK and ran into the same issue where the settings didn't persist through a reboot. One thing I also noticed is that the SK mentioned has the file named as fwaccel_dos_rate_on_install, whereas the file on my gateway is named fwaccel_dos_rate_install. Not sure if that has anything to do with my settings reverting upon reboot.
There is a typo in the SK:
It should be $FWDIR/conf/fwaccel_dos_rate_on_install.
We are working to fix the SK.
Thanks for the feedback.
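A check for the mix-up discussed in this thread, added here as an example (not part of any post above and not Check Point code): it reports whether the Penalty Box settings sit in $FWDIR/conf/fwaccel_dos_rate_on_install or were left in $FWDIR/bin/fwaccel_dos_rate_install. The function name, the return codes and the requirement that the script be executable are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks where the Penalty Box settings were placed.
# Both paths come from the thread; the return codes and the
# executable-bit check are assumptions of this example.

check_dos_persist() {
    fwdir=$1
    persist="$fwdir/conf/fwaccel_dos_rate_on_install"  # path given in the last reply
    wrong="$fwdir/bin/fwaccel_dos_rate_install"        # file edited in the first post

    if [ ! -f "$persist" ]; then
        echo "missing: $persist" >&2
        # Settings added to the bin/ script are the symptom from the thread.
        if [ -f "$wrong" ] && grep -q -e '--enable-pbox' "$wrong"; then
            echo "pbox settings found in $wrong instead" >&2
            return 2
        fi
        return 1
    fi
    if [ ! -x "$persist" ]; then
        echo "not executable: $persist" >&2
        return 3
    fi
    # Ignore commented-out lines when looking for the enable command.
    if ! grep -v '^[[:space:]]*#' "$persist" |
            grep -q -e 'dos config set --enable-pbox'; then
        echo "no active --enable-pbox line in $persist" >&2
        return 4
    fi
    return 0
}

# On a gateway: check_dos_persist "$FWDIR" && fwaccel dos config get
```

A return of 0 only says the file is in place; 'fwaccel dos config get' after a reboot remains the real confirmation.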