Hi all,
I've been looking for a fw sam command to instantly block a source IP range to a destination IP range for any protocols/ports, but without any success. It's possible to do so using the legacy SmartView Monitor, but since this would be triggered from an external source, I'd like to use the "fw sam" command.
I already tried to use "fw sam subsrv" but as soon as I put ANY or ALL as port / protocol, the management server doesn't accept the command.
Any ideas on this matter?
Regards
Roger
Hi Dameon
Fair enough, but so far, "fw sam" perfectly did the job by just adding the rules on the management (which enforces it on all gateways on that CMA), not having to care about different policies on each firewall module. And the policy was very simple to read and maintain, so with a simple web GUI, our CERT team was able to quickly block some specific nasty connections.
Using the GUI in SmartView Monitor, you can add a rule with SrcNet/DstNet/AnyPort; I couldn't find the right syntax to do so using the "fw sam" CLI.
Regards
Roger
So you did follow sk112061: How to create and view Suspicious Activity Monitoring (SAM) Rules, but it did not work?
Hi Günther,
Well, there is no option to just provide SrcNet/DestNet and any port... or it just doesn't accept the parameters when using ANY or ALL for port and protocol with "fw sam subsrv".
But again, the GUI version *is* able to create such a rule, so I guess, there must be a hidden/undocumented switch.
Regards
Roger
Hi Dameon,
I'm sure, you meant SmartView Monitor. And, if there's a possibility to use the underlying API from the command line, I'd rather use that.
To the "fw sam" command, the following example doesn't work at all:
fw sam -t 600 -l nolog -j subsrv 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
The SecureXL penalty box is a mechanism that performs an early drop of packets arriving from suspected sources. This mechanism is supported starting in R75.40VS.
Why not sam policy rules?
The SAM policy rules consume some CPU resources on Security Gateway. We recommend to set an expiration that gives you time to investigate, but does not affect performance. The best practice is to keep only the SAM policy rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk. Or better use SecureXL penalty box from a performance point of view.
The purpose of this feature is to allow the Security Gateway to cope better under high load, possibly caused by a DoS/DDoS attack. These commands „fwaccel dos“ and „fwaccel6 dos“ control the Rate Limiting for DoS mitigation techniques in SecureXL on the local security gateway or cluster member.
In version R80.20, the penalty box feature is now supported in VSX mode and each virtual system can be independently configured for penalty box operation.
Attention!
In R80.20, all "sim erdos" commands are no longer supported. They have been replaced with equivalent commands which can be found under "fwaccel dos". Penalty box is configured separately for IPv4 and IPv6. IPv4 configuration is performed using the "fwaccel dos" command. IPv6 configuration is performed using the "fwaccel6 dos" command.
Read more here:
R80.x Performance Tuning Tip – DDoS „fw sam“ vs. „fwaccel dos“
Hi Heiko
The SecureXL Penalty Box does not provide the flexibility of block rules using "fw sam" (including logging, blocking only 1 specific port, usable via SmartCenter/CMA, etc.). I'm sure blocking the rules in SecureXL is more performance efficient, but we don't have any performance issue and would like to have and use the full range of blocking options that "fw sam" provides.
So, unfortunately, I don't accept this as an answer. But thanks for the input anyways.
Regards
Roger