This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
minhhaivietnam
Collaborator
‎2019-10-24 11:58 PM
Jump to solution

SecureXL qouta violatation

Hello Mates,

Today my website experimented a DDOS attack. I use R80.10 firewall.

When search on smartlog, I see that CP had blocked Malicious IPs but I dont know why CP also blocked almost normal user IPs from internet who normal access to my website.

The log is below:

app1.png

(P/S: I do not use Network quota of IPS blade)

 

Please help to explain!!!

0 Kudos
1 Solution

Accepted Solutions
minhhaivietnam
Collaborator
‎2019-10-28 12:39 AM
In response to PhoneBoy
Jump to solution

Thank phone boy,

After I issue command : fw samp del "uuid" ; the samp rule STILL has effect. Then I search on below link; they said we need more command to actual delete samp rule:

fw samp add -t 2 quota flush true (I did and now actually deleted samp rule)

Link : https://sc1.checkpoint.com/documents/R77/CP_R77_SecurityGatewayTech_WebAdmin/96330.htm

 

P/S : I am still looking for command to limit number of connections for EACH IP client to connect to my website

Thanks!

 

View solution in original post

0 Kudos
8 Replies
Benedikt_Weissl
Advisor
‎2019-10-25 12:47 AM
Jump to solution

Have a look at sk103154 and sk112454. Did you implement rate limiting or custom IP feeds?
0 Kudos
minhhaivietnam
Collaborator
‎2019-10-25 12:56 AM
In response to Benedikt_Weissl
Jump to solution

Hi,

 Also in my case, CP block almost all normal IP, which access my website, not only some known malicious IPs as in sk103154.

I dont use rate limit connection :

[Expert@DC-Internet-Fw-01:0]# fw samp get
Get operation succeeded
no corresponding SAM policy requests
[Expert@DC-Internet-Fw-01:0]#

 

After I manual blocked malicious IPs from DDOS by adding rule in rulebase, the internet users can access my website normally

 

0 Kudos
Martin_Valenta
Advisor
‎2019-10-25 12:52 AM
Jump to solution

what output you see when run "fw samp get"
0 Kudos
minhhaivietnam
Collaborator
‎2019-10-25 12:57 AM
In response to Martin_Valenta
Jump to solution

Hi,

The output here

[Expert@DC-Internet-Fw-01:0]# fw samp get
Get operation succeeded
no corresponding SAM policy requests
[Expert@DC-Internet-Fw-01:0]#

Before the dropping happen, I issue command:

fw samp add -a d -l r quota service 6/443 source any destination cidr:<MY_WEBSITE_IP> concurrent-conns 50 flush true

but I deleted it right after with "fw samp del "uuid"

So, i dont know if this command has still have effect?

 

0 Kudos
PhoneBoy
Admin
Admin
‎2019-10-26 05:24 PM
In response to minhhaivietnam
Jump to solution

The above command would cause the log you mentioned.
It would also apply for ALL traffic to your webserver, even if it was from a trusted IP.
Are those logs still generated from the time AFTER you deleted the samp rule?
0 Kudos
minhhaivietnam
Collaborator
‎2019-10-28 12:39 AM
In response to PhoneBoy
Jump to solution

Thank phone boy,

After I issue command : fw samp del "uuid" ; the samp rule STILL has effect. Then I search on below link; they said we need more command to actual delete samp rule:

fw samp add -t 2 quota flush true (I did and now actually deleted samp rule)

Link : https://sc1.checkpoint.com/documents/R77/CP_R77_SecurityGatewayTech_WebAdmin/96330.htm

 

P/S : I am still looking for command to limit number of connections for EACH IP client to connect to my website

Thanks!

 

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2019-10-28 05:42 AM
In response to minhhaivietnam
Jump to solution

I'm pretty sure you cannot limit the number of connections to a destination IP address individually by unique source address in a single rule with fw samp in R80.10 and earlier.  Doesn't look possible in R80.20+ either.  The best you could do is specify multiple rules with different ranges or networks of source IPs and have a concurrent connection limit for each of those individual rules matching the same destination.  The SAM rule matching here is relatively simple, and doesn't really track stateful elements like the number of concurrent connections to a destination by individual source address.

 

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization
0 Kudos
PhoneBoy
Admin
Admin
‎2019-10-31 08:06 AM
In response to minhhaivietnam
Jump to solution

I believe you can pass "track source" as a parameter to the command.
This should track per source IP versus per rule.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events