This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Zocki82
Participant
‎2019-11-28 01:23 AM

Dropping instead of rejecting SAM rules created by SmartEvent Automatic Block Reactions

Hello all,

we are using SmartEvent in our R80.20 Jumbo Hotfix Take 118 enviroment for quite a while to track suspicious activities such as DoS attacks.

Like designed for DDoS attacks, we use the automatic reaction "block event activity", to block multiple sources for this type of event. Unfortunately, when such an event occures, the automatically created SAM rule in SmartviewMonitor only rejects the traffic. When manually creating a SAM rule, you can configure the type of action (Notify/Reject/Drop).

I couldn't find the option in the R80.20 Logging and Monitoring AdminGuide or anything else, to (globally) set this Action from SmartEvent created SAM rules from Reject to Drop. Does anyone have an idea?

Best regards
Oliver

0 Kudos
9 Replies
Zolocofxp
Collaborator
‎2023-10-26 08:43 AM

This is a great question and sad no one got to answer it. I'm yet to find a workaround, I also want to drop instead of reject.

0 Kudos
RuneSeeker
Participant
‎2025-08-04 11:21 PM

Hi everyone,

Even that this post is old I am hoping for an answer. Currently we are using SmartEvent R81.20, and we have the same issue. 

We want to block source and drop the traffic, but automatically only it rejects it. Does anyone have an idea how to change reject to drop?

For security resons this is not effective for us. 

0 Kudos
RuneSeeker
Participant
‎2025-08-05 12:54 AM

Hi all,

I know this is an old post, but we have the same issue. We are using SmartEvent in our R81.20. For security reasons, we want to "Block Source" and Sam rules from Reject to Drop. Do we have any solution for this?

 

0 Kudos
Lesley
MVP Gold
MVP Gold
‎2025-08-05 01:57 AM
In response to RuneSeeker

samv2 can drop traffic instead of samv1 that only can do reject. BUT samv2 is for example not supported to block port scans. Example: https://support.checkpoint.com/results/sk/sk110873

If have seen cases that it is possible to run sam alert v1  drop with custom patch. The only way is to open TAC case. 

So if you use samv1 alert it is NOT possible to drop without patch. 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2025-08-06 08:00 AM
In response to RuneSeeker

Maybe instead of using block event/source you can try to execute external script and create SAM rules manually:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SecurityManagement_AdminGuide/Topi...

 

Kind regards, Amir Senn
0 Kudos
RuneSeeker
Participant
‎2025-08-07 04:39 AM
In response to Amir_Senn

Dear @Amir_Senn and @the_rock 

Thank you for your reply,
We do test the SAM rule option, I will update with our progress, negative or positive.


I was thinking, it will be great to implement a feature where a user is given the option to choose preferred action (e.g. reject, drop) when it create a new Object -> Automatic Reaction under SmartEvent.

the_rock
MVP Diamond
MVP Diamond
‎2025-08-07 04:41 AM
In response to RuneSeeker

Yea, agree with that.

Best,
Andy
"Have a great day and if its not, change it"
the_rock
MVP Diamond
MVP Diamond
‎2025-08-06 04:34 PM
In response to RuneSeeker

You really got me curious now. I never really thought about this much, but will check it tomorrow in my R82 lab, as I have dedicated SE server.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-08-07 04:31 AM
In response to RuneSeeker

Just tested in R82 and it appears its the same. You can do it manually via SV monitor and it will show as drop action, as @Amir_Senn had stated.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events