We are currently planning to deploy DDoS mitigation on our Check Point firewall using the below commands as per the SK: "fw samp" and "fwaccel dos". We are planning to apply it on our external interface for all the traffic coming from the internet. Currently the gateway is running R80.30 take 196.
We need to know what parameters we need to make sure of before deploying this in our production environment, as this should not impact our production traffic.
So first we will deploy Monitor-Only mode to understand the traffic patterns and make sure we are not blocking genuine traffic, using the below command:
# Enable monitor-only mode
[Expert@HostName:0]# fwaccel dos config set --enable-monitor
Could anyone provide the parameters Check Point would be using in Monitor Mode to detect whether the traffic is DoS traffic or not?
Because while creating the fw samp rule we set the parameters manually, but in monitor mode there is no option to set the parameters, like below:
[Expert@HostName:0]# fw samp add -a d -l r quota service any source cidr:192.168.2.0/24 pkt-rate 1000 flush true
My understanding is that monitor mode uses the rules you define but instead of dropping when they trigger, they are allowed but logged.
What precisely happens when you try to define rules like you describe in monitor mode?
Hi @PhoneBoy ,
I have not yet tested this in my environment, because I am not sure about the impact it would have on the production traffic.
I was under the impression that if I create a rate limiting policy with the "fw samp" command like below, rate limiting would be activated on the Check Point and it would drop all the traffic that matched the below criteria; correct me if I am wrong.
[Expert@HostName:0]# fw samp add -a d -l r quota service any source cidr:192.168.2.0/24 pkt-rate 1000 flush true
[Expert@HostName:0]# fw samp add quota flush true
Or should I run the below command to prevent the Rate limiting from taking effect:
# Disable rate limiting policy rules
[Expert@HostName:0]# fwaccel dos config set --disable-rate-limit
Assuming you enable monitor mode first, rate limiting will be "activated" but won't actually impact traffic.
You’ll just see logs of what would happen.
Got it @PhoneBoy, so I hope the below are the required steps I need to follow:
# Enable monitor-only mode
[Expert@HostName:0]# fwaccel dos config set --enable-monitor
# Enable logging
[Expert@HostName:0]# fwaccel dos config set --enable-log-drops
# Add a rule with action=drop, log=record, service/protocol=any, source=192.168.2.0/24, maximum packets-per-second=1000
[Expert@HostName:0]# fw samp add -a d -l r quota service any source cidr:192.168.2.0/24 pkt-rate 1000 flush true
# Confirm the rule is in place
[Expert@HostName:0]# fw samp get
# Save and apply changes to policy rules
[Expert@HostName:0]# fw samp add quota flush true
# Statistics and monitoring
[Expert@HostName:0]# fwaccel dos stats get
After verifying the logs, when the DoS policy needs to be implemented:
# Disable monitor-only mode (this is the default)
[Expert@HostName:0]# fwaccel dos config set --disable-monitor
# Enable rate limiting policy rules (this is the default)
[Expert@HostName:0]# fwaccel dos config set --enable-rate-limit
Kindly confirm if the above steps are correct or if there is anything I missed.
Also, as per the SK, in the Applying changes section there is a point, "So, at reboot, either all the rules are installed, or no rules are installed (if no flush command was found)". What is a "no flush command" and where would it be used?
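Before trusting the monitor-mode logs, it helps to preview what the quota rule above would flag against a known traffic sample. The script below is an added example (not from this thread or from Check Point): it parses the posted "fw samp ... quota" line, buckets constructed per-packet samples per source and per second, and reports every source inside the rule's CIDR whose peak rate exceeds pkt-rate. It assumes the quota is evaluated per source IP within the CIDR and that pkt-rate is packets per second; the sample traffic is constructed.

```python
import ipaddress
from collections import Counter, defaultdict

def parse_quota_rule(rule):
    """Extract the cidr network and pkt-rate value from a 'fw samp add ... quota ...' line."""
    tokens = rule.split()
    cidr = next(t.split(":", 1)[1] for t in tokens if t.startswith("cidr:"))
    rate = int(tokens[tokens.index("pkt-rate") + 1])
    return ipaddress.ip_network(cidr), rate

def sources_exceeding(rule, packets):
    """packets: iterable of (timestamp_seconds, source_ip).
    Returns {source: peak_pps} for each source inside the rule's cidr whose
    per-second packet count exceeds pkt-rate (assumption: per-source evaluation)."""
    net, rate = parse_quota_rule(rule)
    per_second = defaultdict(Counter)
    for ts, src in packets:
        if ipaddress.ip_address(src) in net:
            per_second[src][int(ts)] += 1
    return {src: max(c.values()) for src, c in per_second.items()
            if max(c.values()) > rate}

# The rule exactly as posted in the thread.
RULE = ("fw samp add -a d -l r quota service any "
        "source cidr:192.168.2.0/24 pkt-rate 1000 flush true")

# Constructed sample: one host bursts to 1200 pps within second 0, a second host
# stays at 300 pps, and a third host is outside the CIDR so the rule ignores it.
SAMPLE = ([(i / 1200, "192.168.2.101") for i in range(1200)]
          + [(i / 300, "192.168.2.50") for i in range(300)]
          + [(i / 2000, "10.0.0.9") for i in range(2000)])

if __name__ == "__main__":
    for src, pps in sources_exceeding(RULE, SAMPLE).items():
        print(f"{src} peaks at {pps} pps > quota; enforcement would drop it")
```

Feed it real per-packet timestamps (for example from a capture taken on the external interface) to see which genuine sources would have hit the quota before leaving monitor mode.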
Hi @PhoneBoy,
Could you confirm if the above mentioned steps are right? It would be greatly helpful.
Thanks in advance.
Steps look correct to me.