Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Doeschi
Contributor
Jump to solution

fw sam rule with src net / dst net / any port

Hi all,

I've been looking for a fw sam command to instantly block a source ip range to a destination ip range for any protocols /ports, but without any success. It's possible to do so using the legacy SmartView Monitor, but since this would be triggered from an external source, I'd like to use the "fw sam" command.

I already tried to use "fw sam subsrv" but as soon as I put ANY or ALL as port / protocol, the management server doesn't accept the command.

Any ideas on this matter?

Regards
Roger

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
I suspect the exact functionality you want will require an RFE and I recommend working with your local office on it.
My guess is that it will NOT be implemented in fw sam as that utilizes a legacy mechanism.

View solution in original post

12 Replies
PhoneBoy
Admin
Admin
There are alternate commands that do the same thing (fw samp, for instance).
They will most likely work better than fw Sam.
0 Kudos
Doeschi
Contributor

Hi Dameon

Fair enough, but so far, "fw sam" perfectly did the job by just adding the rules on the management (which enforces it on all gateways on that cma) not having to care about different polices on each firewall module. And the policy was very simple to read and maintain, so with a simple web GUI, our CERT team was able to quickly block some specific nasty connections.
Using the GUI in SmartView Monitor, you can add a rule with SrcNet/DstNet/AnyPort, I couldn't find the right syntax to do so using "fw sam" cli.

Regards
Roger

0 Kudos
G_W_Albrecht
Legend Legend
Legend

So you did follow sk112061: How to create and view Suspicious Activity Monitoring (SAM) Rules but it did not work ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Doeschi
Contributor

Hi Günther,

Well, there is no option to just provide SrcNet/DestNet and any port... or it just doesn't accept the parameters when using ANY or ALL for port and protocol with "fw sam subsrv".
But again, the GUI version *is* able to create such a rule, so I guess, there must be a hidden/undocumented switch.

Regards
Roger

0 Kudos
PhoneBoy
Admin
Admin
What SmartView Tracker is accessing is the underlying API, not using the CLI commands.

I don't believe the port/protocol parameters are actually required on fw sam...
0 Kudos
Doeschi
Contributor

Hi Dameon,

I'm sure, you meant SmartView Monitor. And, if there's a possibility to use the underlying API from the command line, I'd rather use that. 

To the "fw sam" command, the following example doesn't work at all: 

fw sam -t 600 -l nolog -j subsrv 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0

 

PhoneBoy
Admin
Admin
You can block active connections from SmartView Tracker also 🙂
0 Kudos
Doeschi
Contributor
ok, but that doesn't help me at all 😉
0 Kudos
HeikoAnkenbrand
Champion Champion
Champion

The SecureXL penalty box is a mechanism that performs an early drop of packets arriving from suspected sources. This mechanism is supported starting in R75.40VS.

Why not sam policy rules?

The SAM policy rules consume some CPU resources on Security Gateway. We recommend to set an expiration that gives you time to investigate, but does not affect performance. The best practice is to keep only the SAM policy rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk. Or better use SecureXL penalty box from a performance point of view.

The purpose of this feature is to allow the Security Gateway to cope better under high load, possibly caused by a DoS/DDoS attack. These commands „fwaccel dos“ and „fwaccel6 dos“ control the Rate Limiting for DoS mitigation techniques in SecureXL on the local security gateway or cluster member.

In version R80.20, the penalty box feature is now supported in VSX mode and each virtual system can be independently configured for penalty box operation.

Attention!

In R80.20, all "sim erdos" commands are no longer supported. They have been replaced with equivalent commands which can be found under "fwaccel dos". Penalty box is configured separately for IPv4 and IPv6. IPv4 configuration is performed using the "fwaccel dos" command. IPv6 configuration is performed using the "fwaccel6 dos" command.

More read here:

R80.x Performance Tuning Tip – DDoS „fw sam“ vs. „fwaccel dos“

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Doeschi
Contributor

Hi Heiko

the SecureXL Penalty Box does not provide the flexability of block rules using "fw sam" (including logging, blocking only 1 specific Port, usable via SmartCenter/CMA, etc). I'm sure, blocking the rules in SecureXL is more performance efficient, but we don't have any performace issue and would like to have and use the full range of blocking options that "fw sam" provides.

So, unfortunately, I don't accept this as answer. But thanks for the input anyways.

Regards
Roger

 

 

0 Kudos
Doeschi
Contributor
Really?! Just re-mark two replies as "accepted solution", where one in fact is a question and the other doesn't solve the initial requirement? Are you so keen to get some "badges" to win the top contributor of the year?

I'd have accepted the answer "This option hasn't been implemented in 'fw sam' so far and has to be requested with an RFE." or even better the acutal solution in 'fw sam' as well as an equivalent alternative solution.
0 Kudos
PhoneBoy
Admin
Admin
I suspect the exact functionality you want will require an RFE and I recommend working with your local office on it.
My guess is that it will NOT be implemented in fw sam as that utilizes a legacy mechanism.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events