Zocki82
Participant

Dropping instead of rejecting SAM rules created by SmartEvent Automatic Block Reactions

Hello all,

We have been using SmartEvent in our R80.20 Jumbo Hotfix Take 118 environment for quite a while to track suspicious activities such as DoS attacks.

As designed for DDoS attacks, we use the automatic reaction "block event activity" to block multiple sources for this type of event. Unfortunately, when such an event occurs, the automatically created SAM rule in SmartView Monitor only rejects the traffic. When manually creating a SAM rule, you can configure the type of action (Notify/Reject/Drop).

I couldn't find an option in the R80.20 Logging and Monitoring Admin Guide or anywhere else to (globally) change the action of SmartEvent-created SAM rules from Reject to Drop. Does anyone have an idea?

Best regards
Oliver

0 Kudos
9 Replies
Zolocofxp
Collaborator

This is a great question, and it's sad no one got to answer it. I've yet to find a workaround; I also want to drop instead of reject.

0 Kudos
RuneSeeker
Participant

Hi everyone,

Even though this post is old, I am hoping for an answer. Currently we are using SmartEvent R81.20, and we have the same issue.

We want to block the source and drop the traffic, but automatically it only rejects it. Does anyone have an idea how to change reject to drop?

For security reasons this is not effective for us.

0 Kudos
RuneSeeker
Participant

Hi all,

I know this is an old post, but we have the same issue. We are using SmartEvent in our R81.20. For security reasons, we want to "Block Source" and change SAM rules from Reject to Drop. Do we have any solution for this?

 

0 Kudos
Lesley
MVP Gold

samv2 can drop traffic, unlike samv1, which can only reject. BUT samv2 is, for example, not supported for blocking port scans. Example: https://support.checkpoint.com/results/sk/sk110873

I have seen cases where it is possible to run sam alert v1 drop with a custom patch. The only way is to open a TAC case.

So if you use samv1 alert it is NOT possible to drop without a patch.

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
Amir_Senn
MVP Silver CHKP

Maybe instead of using block event/source you can try to execute an external script and create SAM rules manually:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SecurityManagement_AdminGuide/Topi...

 

Kind regards, Amir Senn
0 Kudos
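
A sketch of the external-script approach suggested above, as an added example that is not from any poster in this thread or from Check Point. It assumes the script is handed the offending source IP as its first argument (the thread does not show how SmartEvent passes event data) and uses the `fw sam` CLI's `-J` action (drop new connections and close existing ones); the never-block addresses are constructed. Because the source address comes from attacker-influenced traffic, the script validates it and refuses protected addresses before building the command.

```shell
#!/bin/sh
# Added example (not from the thread): build a SAM rule that DROPS a source.
# Assumption: the offending source IP is passed as $1 and a timeout in
# seconds as $2; NEVER_BLOCK holds constructed addresses that must stay reachable.
NEVER_BLOCK="192.0.2.10 192.0.2.11"

# Succeeds only for a dotted quad with four octets in 0-255, no leading zeros.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    saved_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots here
    IFS=$saved_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Prints the fw sam command for a validated source; returns
# 2 on malformed input and 3 when the address is on the never-block list.
build_sam_drop_cmd() {
    ip=$1
    timeout=${2:-3600}
    valid_ipv4 "$ip" || return 2
    case "$timeout" in ''|*[!0-9]*) return 2 ;; esac
    for protected in $NEVER_BLOCK; do
        if [ "$ip" = "$protected" ]; then return 3; fi
    done
    # -t: rule lifetime in seconds; -J: drop new connections and close existing ones
    printf 'fw sam -t %s -J src %s\n' "$timeout" "$ip"
}

# Dry run: print the command for review instead of executing it.
if [ "$#" -gt 0 ]; then
    build_sam_drop_cmd "$1" "${2:-}" || echo "refused: $1 (status $?)" >&2
fi
```

The script only prints the command; run the printed line on the management server once the output has been reviewed.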
RuneSeeker
Participant

Dear @Amir_Senn and @the_rock 

Thank you for your reply,
We do test the SAM rule option, I will update with our progress, negative or positive.


I was thinking, it would be great to implement a feature where a user is given the option to choose the preferred action (e.g. reject, drop) when they create a new Object -> Automatic Reaction under SmartEvent.

the_rock
MVP Gold

Yea, agree with that.

the_rock
MVP Gold

You really got me curious now. I never really thought about this much, but will check it tomorrow in my R82 lab, as I have a dedicated SE server.

Andy

0 Kudos
the_rock
MVP Gold

Just tested in R82 and it appears it's the same. You can do it manually via SV monitor and it will show as drop action, as @Amir_Senn had stated.

Andy

0 Kudos