CPX 360 Wrap-Up
20th April
Check Point
Knowledge Nuggets
As the Cyber World Turns:
A Strategy to Increase Security Efficiency
The New Era of
Email Security
Check Point Harmony
An In-Depth Look
1. Where does the Suspicious Activity Monitoring Module comes in to picture in the packet flow diagram of Gaia R80.30?
2. How is the packet analysed & blocked based on the SAM Rules?
3. How will the gateways get updated to block the suspicious packet, once the SAM rules are specified in the Smart Console ?
Please explain.. 🙂
Timothy_Hall
Based on my experience the enforcement of SAM rules is very early in the F2F path, right around the antispoofing and Geo Policy checks and long before any policy layer lookups commence.
SAM rules can specify the typical "5-tuple" matching criteria such as src IP, dst IP, src port (I think), dst port and IP protocol. SAM rules long predate APCL, IA, and many other newer features so SAM rules cannot leverage identities or applications.
The update on the gateway when a SAM rule is applied is immediate via service 18183 (FW1_sam). The whole SAM rule thing (fw sam) is a holdover from the Intrusion Detection System (IDS) days, where an IDS was not inline and could not actively block threats. However through a process called "Intruder Shunning", the IDS could contact the firewall and tell it to block all traffic from an attacking IP address for a certain length of time. The various user interfaces into adding Suspicious Activity Rules is just performing Intruder Shunning manually.
Thanks for your reply..
Is there a diagram or any 'fw ctl chain' output representing the enforcement of SAM rules and anti-spoofing?
Because i am not able to find any anti-spoofing or SAM rules in the R80.x Security Gateway Architecture (Logical Packet Flow) diagram mentioned in the below links :
_Val_
It is in the slow path / FW Policy. SAM rules are enforced on top of everything else.
Eric_Dale
Referring to R80.20 and newer, there are 3 closely related, but different mechanisms that are often referred to as “SAM” or “fw samp”:
Also, be aware of “fwaccel dos rate blacklist” which can block specific IP addresses more efficiently than any of the above mechanisms.
Timothy_Hall
> Suspicious Activity Monitor V2 (aka SAM Policy Editor): this is configured via the command line (“fw sam_policy”) and is also enforced by the firewall blade. See section 7 of sk112061.
I do not believe this statement is correct, fw samp and fw sam_policy appear to be the same thing and enforced by SecureXL, not the firewall blade. Please see the screenshot below which was taken on R80.30 Gaia 3.10 JHFA Take 111:
Eric_Dale
Hi,
fw samp and fw sam_policy are indeed interchangeable. However, fw_samp is intended to be used for DOS/Rate limiting and fw sam_policy is intended to be used for SAMv2. Notice the different help text output for the "add" command:
[Expert@edale-b1:0]# fw samp add
add: subcommand is missing
NAME: fw samp add - add a new DOS/Rate Limiting policy rule
USAGE:
fw samp add [-t <timeout>] {[-a <d|n|b>]} [-l <r |a>] [-n <name>] [-c <comment>] [-o <originator>] quota <quota limits>
OPTIONS:
-t: expiration timeout (seconds)
-a: action: either d/rop, n/otify, or b/ypass
-l: log: either r/egular or a/lert
-n: name
-c: comment
-o: originator
[Expert@edale-b1:0]# fw sam_policy add
add: subcommand is missing
NAME: fw sam_policy add - add a new SAM policy rule
USAGE:
fw sam_policy add [-u] [-f <target>] [-t <timeout>] {[-a <d|r|n|b|q|i>]} [-l <r |a>] [-n <name>] [-c <comment>] [-o <originator>] ip <ip filter arguments>
The similarities in the command lines for SAM versus DOS/Rate limiting are unfortunate. This will be addressed starting with R80.40
Regarding SecureXL versus FW enforcement:
"fw samp ... quota" rules are DOS/Rate limiting rules and are enforced in SecureXL
"fw sam_policy ... ip" rules are SamV2 rules and are enforced in FW
_Val_
@Eric_Dale exactly right.
@Timothy_Hall enforcing early drops in SXL is rather risky, so it is limited for very specific functions, such as drop templates, where original drop decision is made by FW anyway.
SAM blocking rules are still in fw/UP kernel modules
Timothy_Hall
@Eric_Dale please clarify what kernel and code version you ran commands fw samp add and fw sam_policy add to get that usage output, on R80.30 Jumbo HFA Take 111 kernel versions 2.6.18 and 3.10 I am not seeing the same as what you posted. I see what I posted earlier and the two commands are exactly the same thing as far as I can tell. I get that "ip" is F2F path and "quota" is SXL path, but I don't understand where those usage statements you posted are coming from.
I'm suspecting you ran those commands on R80.40? Or perhaps a scalable platform?
Eric_Dale
Hi,
I tested with R80.20 + JHF T118. It looks like that help text is in R80.20 and R80.40, but missed R80.30. I'll see that it gets into R80.30 jumbo.
About CheckMates
Learn Check Point
Advanced Learning
WELCOME TO THE FUTURE OF CYBER SECURITY
