Hi @Timothy_Hall 

Thanks for your reply..

Is there a diagram or any 'fw ctl chain' output representing the enforcement of SAM rules and anti-spoofing?

Because i am not able to find any anti-spoofing or SAM rules in the R80.x Security Gateway Architecture (Logical Packet Flow) diagram mentioned in the below links :

https://community.checkpoint.com/t5/General-Topics/R80-x-Security-Gateway-Architecture-Logical-Packe...

https://community.checkpoint.com/t5/General-Topics/Security-Gateway-Packet-Flow-and-Acceleration-wit... 

It is in the slow path / FW Policy. SAM rules are enforced on top of everything else.

> Suspicious Activity Monitor V2 (aka SAM Policy Editor): this is configured via the command line (“fw sam_policy”) and is also enforced by the firewall blade. See section 7 of sk112061.

I do not believe this statement is correct, fw samp and fw sam_policy appear to be the same thing and enforced by SecureXL, not the firewall blade.  Please see the screenshot below which was taken on R80.30 Gaia 3.10 JHFA Take 111:

Hi,

fw samp and fw sam_policy are indeed interchangeable.  However, fw_samp is intended to be used for DOS/Rate limiting and fw sam_policy is intended to be used for SAMv2.   Notice the different help text output for the "add" command:

[Expert@edale-b1:0]# fw samp add
add: subcommand is missing
NAME: fw samp add - add a new DOS/Rate Limiting policy rule
USAGE:
fw samp add [-t <timeout>] {[-a <d|n|b>]} [-l <r |a>] [-n <name>] [-c <comment>] [-o <originator>] quota <quota limits>
OPTIONS:
-t: expiration timeout (seconds)
-a: action: either d/rop, n/otify, or b/ypass
-l: log: either r/egular or a/lert
-n: name
-c: comment
-o: originator

[Expert@edale-b1:0]# fw sam_policy add
add: subcommand is missing
NAME: fw sam_policy add - add a new SAM policy rule
USAGE:
fw sam_policy add [-u] [-f <target>] [-t <timeout>] {[-a <d|r|n|b|q|i>]} [-l <r |a>] [-n <name>] [-c <comment>] [-o <originator>] ip <ip filter arguments>

The similarities in the command lines for SAM versus DOS/Rate limiting are unfortunate.  This will be addressed starting with R80.40

Regarding SecureXL versus FW enforcement:

"fw samp ... quota" rules are DOS/Rate limiting rules and are enforced in SecureXL

"fw sam_policy ... ip" rules are SamV2 rules and are enforced in FW

@Eric_Dale exactly right.

@Timothy_Hall enforcing early drops in SXL is rather risky, so it is limited for very specific functions, such as drop templates, where original drop decision is made by FW anyway. 

SAM blocking rules are still in fw/UP kernel modules

@Eric_Dale please clarify what kernel and code version you ran commands fw samp add and fw sam_policy add to get that usage output, on R80.30 Jumbo HFA Take 111 kernel versions 2.6.18 and 3.10 I am not seeing the same as what you posted.  I see what I posted earlier and the two commands are exactly the same thing as far as I can tell.  I get that "ip" is F2F path and "quota" is SXL path, but I don't understand where those usage statements you posted are coming from.

I'm suspecting you ran those commands on R80.40?  Or perhaps a scalable platform?

Hi,

I tested with R80.20 + JHF T118.   It looks like that help text is in R80.20 and R80.40, but missed R80.30.   I'll see that it gets into R80.30 jumbo.