Solved: Re: Suspicious Activity Monitoring (SAM) Rules

Thomas_Bauer · ‎2020-01-13

The challenge was to block a lot of pub IPs. Allocated via Mgmt-Server.

Example to allocate on all SGW's I do following on Mgmt Server (CP R80.30)

fw sam -I subdst 2.237.76.249 255.255.255.255

Everything is fine and this IP is blocked on all our SGW's R80.10 til R80.30.

Problem is to check which IPs are in kernel table in this "blocking modus".

-----

So I did on the SGW:

----

[Expert@SGW:0]# fw tab -t sam_blocked_ips

localhost:

-------- sam_blocked_ips --------

dynamic, id 8141, num ents 1175, load factor 2.29, attributes: keep, , hashsize 512, limit 50000

<a7567bb0; 00000000, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

->Example: a7=167 .56=186 .7b= 123 .b0=176 von HeX nach dEz !!!

IPv4= 167.186.123.176 !!!!

Actually 1175 entries are on this SGW active.

How can I see all this entries ? ?
Is there a table to copy and to relocate to IPv4 (all this 1175 IPs ) ??

---

My output is following:

[Expert@SGW:0]# fw tab -t sam_blocked_ips

localhost:

-------- sam_blocked_ips --------

dynamic, id 8141, num ents 1175, load factor 2.29, attributes: keep, , hashsize 512, limit 50000

<a7567bb0; 00000000, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<46a935ea; 00000000, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<9a78e3ce; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<68efafd3; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<2d5094a8; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<830067c8; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<ba926e6c; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<be8ec86c; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<18b57d3e; 00000000, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<d44996e9; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<02ed4cf9; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<ba54ad99; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<92b9fdaf; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<59bc7c91; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<566240bd; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

<4845632f; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

...(16434 More)

HeikoAnkenbrand · ‎2020-01-13

Hi @Thomas_Bauer

It is better - for performance reasons - to block this on SecureXL level.

The SecureXL penalty box is a mechanism that performs an early drop of packets arriving from suspected sources.

Why not sam policy rules?

The SAM policy rules consume some CPU resources on Security Gateway. We recommend to set an expiration that gives you time to investigate, but does not affect performance. The best practice is to keep only the SAM policy rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk. Or better use SecureXL penalty box from a performance point of view.

The purpose of this feature is to allow the Security Gateway to cope better under high load, possibly caused by a DoS/DDoS attack. These commands „fwaccel dos“ and „fwaccel6 dos“ control the Rate Limiting for DoS mitigation techniques in SecureXL on the local security gateway or cluster member.

In version R80.20, the penalty box feature is now supported in VSX mode and each virtual system can be independently configured for penalty box operation.

Attention!

In R80.20, all "sim erdos" commands are no longer supported. They have been replaced with equivalent commands which can be found under "fwaccel dos". Penalty box is configured separately for IPv4 and IPv6. IPv4 configuration is performed using the "fwaccel dos" command. IPv6 configuration is performed using the "fwaccel6 dos" command.

More read here: R80.x - Performance Tuning Tip - DDoS „fw sam“ vs. „fwaccel dos“

View solution in original post

PhoneBoy · ‎2020-01-13

fw tab -t sam_blocked_ips -u will dump all the table entries.

View solution in original post

PhoneBoy · ‎2020-01-20

Pretty sure the "fw tab" command is documented in SK and in regular documentation as it's been around since the beginning of Check Point time. 😁

View solution in original post

Neville_Kuo · ‎2020-01-13

You may try with "-f" prameter.

Thomas_Bauer · ‎2020-01-13

Hi, the -f parameter don't show me all 1125 entries ! Only a lot of actually session.

I did SAM rules via CLI !!!! That's important !!

Yatiraj_Panchal · ‎2020-01-13

Hi,

One below command is there to see the IP address other than you mentioned.

fw sam_policy get

But, you can check all the IP addresses in SmartView Monitor -->Suspicious Activity Rules.

Thomas_Bauer · ‎2020-01-13

Hi , sorry but fw sam_policy get output is:

Get operation succeeded
no corresponding SAM policy requests

Thomas_Bauer · ‎2020-01-13

On SmartViewTracker I can see in a table following

..but how can I export or edit it for "CLI" Administration ? I have more than 1000 entries to check .

HeikoAnkenbrand · ‎2020-01-13

Hi @Thomas_Bauer

It is better - for performance reasons - to block this on SecureXL level.

The SecureXL penalty box is a mechanism that performs an early drop of packets arriving from suspected sources.

Why not sam policy rules?

The SAM policy rules consume some CPU resources on Security Gateway. We recommend to set an expiration that gives you time to investigate, but does not affect performance. The best practice is to keep only the SAM policy rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk. Or better use SecureXL penalty box from a performance point of view.

The purpose of this feature is to allow the Security Gateway to cope better under high load, possibly caused by a DoS/DDoS attack. These commands „fwaccel dos“ and „fwaccel6 dos“ control the Rate Limiting for DoS mitigation techniques in SecureXL on the local security gateway or cluster member.

In version R80.20, the penalty box feature is now supported in VSX mode and each virtual system can be independently configured for penalty box operation.

Attention!

In R80.20, all "sim erdos" commands are no longer supported. They have been replaced with equivalent commands which can be found under "fwaccel dos". Penalty box is configured separately for IPv4 and IPv6. IPv4 configuration is performed using the "fwaccel dos" command. IPv6 configuration is performed using the "fwaccel6 dos" command.

More read here: R80.x - Performance Tuning Tip - DDoS „fw sam“ vs. „fwaccel dos“

View solution in original post