HristoGrigorov

Drop Templates on SMB

So, why are SecureXL drop templates not available on SMB? Tech explanation preferred. Thank you.

11 Replies
PhoneBoy
Admin

I suspect it's due to the more limited resources (RAM in particular) on the SMB appliances.

That said sim dropcfg should be available, which is not quite the same thing, but gives you a way to drop specific traffic more efficiently.

0 Kudos
HristoGrigorov

Thank you Dameon. If I get it right, this command kind of injects drop templates into SecureXL tables, so the end result is more or less the same.

0 Kudos
G_W_Albrecht
Legend

From my 730:

[Expert@seven-eleven]# sim dropcfg
Usage: sim dropcfg <options>

Options:
-l - show current configuration
-f <file> - set configuration file
-r - reset drop rules
-y - avoid confirmation
-h - this help message
-e - enforce on the external interface only
Configuration file:
The file should contain drop rules. One rule per line.
Each rule line must contain one or more of the following parameters:
src <source ip>/<subnet> - Source subnet/ip. Subnet is optional.
dst <destination ip>/<subnet> - Dest subnet/ip. Subnet is optional.
dport <destination port> - Dest port.
proto <ip protocol> - IP Protocol (eg. TCP=6,UDP=17,ICMP=1).
Examples:
src 1.1.1.1
dport 80 proto 6
src 1.1.1.0/24 dst 2.2.0.0/16 dport 53 proto 17
Notes:
* If subnet is not specified, a single ip is assumed
* Use '*' to specify 'any'. It's the same as not specifying the param
* You can add comment lines by using '#' at the beginning of the line
* Empty lines are ignored
[Expert@seven-eleven]# sim dropcfg -l
Drop DB is not configured
CCSE CCTE CCSM SMB Specialist
0 Kudos
G_W_Albrecht
Legend

And SecureXL penalty box mechanism:

[Expert@seven-eleven]# sim erdos

Usage: sim erdos <options>

-h                      - this help message
-x <0/1>                - enforce only on external interfaces
-v <0/1>                - enforce on VPN traffic
-m <0/1>                - monitor only

Penalty box:
-e <0/1>                - enable/disable
-t <seconds>            - time a host is penalized
-d <violations>         - rate of allowed violations per address
-l <0/1>                - log when a host is put in the penalty box
-k <0/1>                - log dropped packets

Misc:
-z                      - zap the statistics
-f <0/1>                - enable/disable drop all fragments
-o <0/1>                - enable/disable drop all IP options

CCSE CCTE CCSM SMB Specialist
0 Kudos
HristoGrigorov

Thanks for the info Günther. I have found two related SKs: sk67861 and sk74520.

The latter one was especially nice. I tried to run this command that is mentioned in it:

cat /proc/ppk/erdos

And guess what... The appliance instantly rebooted :)

There was this entry in /var/log/messages:

2018 Dec  4 11:41:06 RD6281 user.notice root: [!] Panic detected at , log archived to logs folder

What a surprise, I haven't seen that before in similar cases. So I checked the /logs folder and there was panic-1543916466.zip there. Inside there are two files, dmesg-ramoops-0 and dmesg-ramoops-1, both with the same relevant entries:

<1>Unable to handle kernel paging request at virtual address 20202024
<1>pgd = ec3bd580
<1>[20202024] *pgd=53dc9003, *pmd=00000000
<0>Internal error: Oops: 206 [#1] SMP ARM

SMB is sometimes such fun to explore.... 

0 Kudos
PhoneBoy
Admin

SecureXL Penalty Box mechanism isn't supported on SMB--listed here:

Check Point R77.20.xx for 600 / 700 / 1100 / 1200R / 1400 / 910 Appliance Features and Known Limitat... 

0 Kudos
HristoGrigorov

I wonder why would drop templates require more memory. I mean what is significantly different compared to processing accept templates...

0 Kudos
G_W_Albrecht
Legend

We should accept that it is not supported, as I wrote here:

I would also not mess around with NAT Templates... I had autonomous reboots after enabling the kernel parameter.

CCSE CCTE CCSM SMB Specialist
0 Kudos
HristoGrigorov

Frankly speaking, there is no need to support such features on SMB because as we all know it can stand any [D]DoS thrown at it.

But... Why do I have the feeling someone tried to implement it after all, did not succeed and just left it there?! Or just tried to see what will run stock from Gaia and what not... Hmm, reminds me of cpview utility that suddenly disappeared as unsupported in early builds.

Anyway, I think for a device that is apparently assigned the task to defend you in all possible ways, support for drop connections is very very important. After all, how much of the external traffic coming in is 'red'?

0 Kudos
G_W_Albrecht
Legend

This is a small business appliance with a (in comparison) low price tag that gives you a fair level of security :). To replace SPLAT Embedded from the Safe@Office, CP has built GAiA Embedded and the WebGUI, trying to have a subset of GAiA / CP SW functionality available on SMB devices. During the firmware history, you were able to encounter leftovers from crond (now implemented), boot menu diagnostics, cpview, among others, showing decisions in the development process.

CCSE CCTE CCSM SMB Specialist
0 Kudos
HristoGrigorov

I am currently testing my own GeoIP protection based on sim dropcfg. So far, it works nice. No noticeable increase in memory or CPU consumption. I am blocking two regions that I won't mention here; only that the database has 7950 IPs at the moment.

0 Kudos
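The two posts above describe the `sim dropcfg` rule-file syntax (one `src`/`dst`/`dport`/`proto` rule per line, `#` comments, a bare IP meaning a single host) and a GeoIP-style block list built on it. The script below is an added example written for this page, not code from the thread or from Check Point: it turns a list of CIDRs into a dropcfg file, rejects malformed addresses and masks so a corrupt feed cannot silently install the wrong rules, and loads the file with the `-f`/`-y`/`-l` options shown in the usage output only when the `sim` binary is actually present. The block list, the output path `/tmp/geo_drop.cfg` and the `DROPCFG_OUT` variable are constructed for illustration; no real GeoIP data is included.

```shell
#!/bin/sh
# Added example (not from the thread): build and validate a `sim dropcfg`
# rule file from a CIDR block list, then apply it on the appliance.
# Everything below the usage text of `sim dropcfg` is an assumption.

# Constructed sample input: one IPv4 host or CIDR per line, '#' comments allowed.
SAMPLE_BLOCKLIST='# example GeoIP-style block list (constructed, not real data)
198.51.100.0/24
203.0.113.0/24
192.0.2.17
'

# Return 0 when $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Emit dropcfg rules for the block list in $1. A host without a mask is
# written bare, which dropcfg documents as "a single ip is assumed".
# Any line that is not a valid IPv4 host or CIDR aborts the build.
build_dropcfg() {
    while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac      # blanks and comments
        ip=${line%%/*}
        mask=${line#*/}
        [ "$mask" = "$line" ] && mask=''                # no '/' -> single host
        if ! valid_ipv4 "$ip"; then
            echo "build_dropcfg: bad address '$line'" >&2
            return 1
        fi
        if [ "$mask" != "$line" ] && [ -z "$mask" ] && [ "${line#*/}" != "$line" ]; then
            echo "build_dropcfg: empty mask '$line'" >&2
            return 1
        fi
        if [ -n "$mask" ]; then
            case "$mask" in *[!0-9]*) echo "build_dropcfg: bad mask '$line'" >&2; return 1 ;; esac
            [ "$mask" -le 32 ] || { echo "build_dropcfg: bad mask '$line'" >&2; return 1; }
            printf 'src %s/%s\n' "$ip" "$mask"
        else
            printf 'src %s\n' "$ip"
        fi
    done <<EOF
$1
EOF
}

# Write the rules for block list $2 to file $1 and load them.
# `sim dropcfg -f <file>` sets the configuration file, `-y` skips the
# confirmation prompt and `-l` shows what is active afterwards (all from the
# usage text above). Off the appliance, where `sim` is absent, the file is
# written but nothing is applied.
apply_dropcfg() {
    rules_file=$1
    build_dropcfg "$2" > "$rules_file" || return 1
    # Never load an empty file: dropcfg would then drop nothing while the
    # operator believes the block list is in force.
    [ -s "$rules_file" ] || { echo "apply_dropcfg: no rules produced" >&2; return 1; }
    if command -v sim >/dev/null 2>&1; then
        sim dropcfg -f "$rules_file" -y && sim dropcfg -l
    else
        echo "sim not found; rules written to $rules_file but not applied" >&2
    fi
}

# Stand-alone use (assumed convention): DROPCFG_OUT=/tmp/geo_drop.cfg sh thisfile.sh
if [ -n "${DROPCFG_OUT:-}" ]; then
    apply_dropcfg "$DROPCFG_OUT" "$SAMPLE_BLOCKLIST"
fi
```

Add `-e` to the `sim dropcfg -f` call if the rules should only be enforced on the external interface, as the usage text offers. The rules are `src`-only because a GeoIP block list is about where traffic comes from; `dst`, `dport` and `proto` can be appended to a line in the same file for narrower drops, as the examples in the usage output show.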