Solved: Re: fw sam rule with src net / dst net / any port

Doeschi · ‎2019-09-12

Hi all,

I've been looking for a fw sam command to instantly block a source ip range to a destination ip range for any protocols /ports, but without any success. It's possible to do so using the legacy SmartView Monitor, but since this would be triggered from an external source, I'd like to use the "fw sam" command.

I already tried to use "fw sam subsrv" but as soon as I put ANY or ALL as port / protocol, the management server doesn't accept the command.

Any ideas on this matter?

Regards
Roger

PhoneBoy · ‎2019-09-18

I suspect the exact functionality you want will require an RFE and I recommend working with your local office on it.
My guess is that it will NOT be implemented in fw sam as that utilizes a legacy mechanism.

View solution in original post

PhoneBoy · ‎2019-09-12

There are alternate commands that do the same thing (fw samp, for instance).
They will most likely work better than fw Sam.

Doeschi · ‎2019-09-13

Hi Dameon

Fair enough, but so far, "fw sam" perfectly did the job by just adding the rules on the management (which enforces it on all gateways on that cma) not having to care about different polices on each firewall module. And the policy was very simple to read and maintain, so with a simple web GUI, our CERT team was able to quickly block some specific nasty connections.
Using the GUI in SmartView Monitor, you can add a rule with SrcNet/DstNet/AnyPort, I couldn't find the right syntax to do so using "fw sam" cli.

Regards
Roger

G_W_Albrecht · ‎2019-09-13

So you did follow sk112061: How to create and view Suspicious Activity Monitoring (SAM) Rules but it did not work ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Doeschi · ‎2019-09-13

Hi Günther,

Well, there is no option to just provide SrcNet/DestNet and any port... or it just doesn't accept the parameters when using ANY or ALL for port and protocol with "fw sam subsrv".
But again, the GUI version *is* able to create such a rule, so I guess, there must be a hidden/undocumented switch.

Regards
Roger

PhoneBoy · ‎2019-09-13

What SmartView Tracker is accessing is the underlying API, not using the CLI commands.

I don't believe the port/protocol parameters are actually required on fw sam...

Doeschi · ‎2019-09-16

Hi Dameon,

I'm sure, you meant SmartView Monitor. And, if there's a possibility to use the underlying API from the command line, I'd rather use that.

To the "fw sam" command, the following example doesn't work at all:

fw sam -t 600 -l nolog -j subsrv 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0

PhoneBoy · ‎2019-09-16

You can block active connections from SmartView Tracker also 🙂

Doeschi · ‎2019-09-16

ok, but that doesn't help me at all 😉

HeikoAnkenbrand · ‎2019-09-16

The SecureXL penalty box is a mechanism that performs an early drop of packets arriving from suspected sources. This mechanism is supported starting in R75.40VS.

Why not sam policy rules?

The SAM policy rules consume some CPU resources on Security Gateway. We recommend to set an expiration that gives you time to investigate, but does not affect performance. The best practice is to keep only the SAM policy rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk. Or better use SecureXL penalty box from a performance point of view.

The purpose of this feature is to allow the Security Gateway to cope better under high load, possibly caused by a DoS/DDoS attack. These commands „fwaccel dos“ and „fwaccel6 dos“ control the Rate Limiting for DoS mitigation techniques in SecureXL on the local security gateway or cluster member.

In version R80.20, the penalty box feature is now supported in VSX mode and each virtual system can be independently configured for penalty box operation.

Attention!

In R80.20, all "sim erdos" commands are no longer supported. They have been replaced with equivalent commands which can be found under "fwaccel dos". Penalty box is configured separately for IPv4 and IPv6. IPv4 configuration is performed using the "fwaccel dos" command. IPv6 configuration is performed using the "fwaccel6 dos" command.

More read here:

R80.x Performance Tuning Tip – DDoS „fw sam“ vs. „fwaccel dos“

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Doeschi · ‎2019-09-17

Hi Heiko

the SecureXL Penalty Box does not provide the flexability of block rules using "fw sam" (including logging, blocking only 1 specific Port, usable via SmartCenter/CMA, etc). I'm sure, blocking the rules in SecureXL is more performance efficient, but we don't have any performace issue and would like to have and use the full range of blocking options that "fw sam" provides.

So, unfortunately, I don't accept this as answer. But thanks for the input anyways.

Regards
Roger

Doeschi · ‎2019-09-18

Really?! Just re-mark two replies as "accepted solution", where one in fact is a question and the other doesn't solve the initial requirement? Are you so keen to get some "badges" to win the top contributor of the year?

I'd have accepted the answer "This option hasn't been implemented in 'fw sam' so far and has to be requested with an RFE." or even better the acutal solution in 'fw sam' as well as an equivalent alternative solution.

PhoneBoy · ‎2019-09-18

I suspect the exact functionality you want will require an RFE and I recommend working with your local office on it.
My guess is that it will NOT be implemented in fw sam as that utilizes a legacy mechanism.

Are you a member of CheckMates?

fw sam rule with src net / dst net / any port