Accelerated Drop Rules feature 'sim dropcfg'

Hi All,

On an R80.10 gateway with jumbo take 272 I am testing the Accelerated Drop Rules feature from sk67861. I have created a file with IP addresses, but get an error when importing this file.

ioctl to the SecureXL device failed (rc=-1, errno=12)
ioctl failed

The file contains 6694 entries, so maybe this is above some kind of limit. So I created a file with only one IP-address and this seems to work:

[Expert@FW:0]# sim dropcfg -f test
Drop rules (Match after conn lookup):
Enforced on all interfaces
Source Destination DPort PR
------------------ ------------------ ----- ---
1.1.1.1/32 * * *

Are you sure you want to continue (Y/N) ?
y
drop entries configured successfully

But when I check to see if everything is OK, I get the following error:

[Expert@FW:0]# sim dropcfg -l
ioctl getdropcfg#1 failed

Has anyone used this function before with success? Does anyone know what those errors mean? Is there a limit for the number of entries in the file?

Best regards, Martijn

0 Kudos
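An added example (not code from this thread, from Check Point, or from sk67861) that decodes the errno in the quoted ioctl failure line and collapses a host list into the fewest covering prefixes before building an import file, which is one way to cut down a 6694-entry list. The sample entries are constructed, and the one-prefix-per-line output is an assumption, not the documented sim dropcfg file format.

```python
import errno
import ipaddress
import os
import re

# Constructed copy of the failure line quoted in the original post.
IOCTL_MSG = "ioctl to the SecureXL device failed (rc=-1, errno=12)"

# Constructed sample list with adjacent, subsumed, IPv6, comment and bad entries.
SAMPLE_ENTRIES = [
    "10.0.0.0/25", "10.0.0.128/25", "10.0.0.5", "192.0.2.1",
    "2001:db8::1", "# comment", "", "not-an-ip",
]


def decode_ioctl_error(msg):
    """Map the errno in a '... (rc=-1, errno=N)' line to its symbolic name
    and C library description; returns None if no errno is present."""
    m = re.search(r"errno=(\d+)", msg)
    if not m:
        return None
    num = int(m.group(1))
    return num, errno.errorcode.get(num, "UNKNOWN"), os.strerror(num)


def collapse_entries(lines):
    """Parse host/CIDR entries, skip blanks and comments, report lines that
    are not valid addresses, and merge adjacent or overlapping ranges (per
    address family) so the drop list has as few entries as possible."""
    v4, v6, rejected = [], [], []
    for raw in lines:
        s = raw.strip()
        if not s or s.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(s, strict=False)  # "10.0.0.5" -> /32
        except ValueError:
            rejected.append(s)
            continue
        (v4 if net.version == 4 else v6).append(net)
    collapsed = list(ipaddress.collapse_addresses(v4)) + \
        list(ipaddress.collapse_addresses(v6))
    return [str(n) for n in collapsed], rejected


if __name__ == "__main__":
    print(decode_ioctl_error(IOCTL_MSG))   # errno 12 is ENOMEM on Linux
    prefixes, bad = collapse_entries(SAMPLE_ENTRIES)
    print("\n".join(prefixes))             # assumed one-prefix-per-line file
    print("rejected:", bad)
```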
4 Replies
Admin

Looks like a known bug: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Even though your version is theoretically not listed you should get the TAC involved.
0 Kudos
Copper

Thanks.

TAC is involved, but cannot tell me what the message means.
I hope to get an answer soon.

0 Kudos

There are definitely length limits for various SecureXL blocking features, see this related thread:

https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/SecureXL-DoS-Rate-Limiting-samp-r...

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
0 Kudos
Copper

Hi All,

TAC advised us to use the 'fw samp batch' method, which we did, and this was successful.

Regards,

Martijn.

0 Kudos