This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Martijn
Advisor
Advisor
‎2020-04-07 02:28 AM

Accelerated Drop Rules feature 'sim dropcfg'

Hi All,

On a R80.10 gateway with jumbo take 272 I am testing the Accelerated Drop Rules feature from sk67861. I have created a file with IP-addresses, but get an error when importing this file.

ioctl to the SecureXL device failed (rc=-1, errno=12)
ioctl failed

The file contains 6694 entries, so maybe this is above some kind of limit. So I created a file with only one IP-address and this seems to work:

[Expert@FW:0]# sim dropcfg -f test
Drop rules (Match after conn lookup):
Enforced on all interfaces
Source Destination DPort PR
------------------ ------------------ ----- ---
1.1.1.1/32 * * *

Are you sure you want to continue (Y/N) ?
y
drop entries configured successfully

But when I check to see if everything is OK, I get the following error:

[Expert@FW:0]# sim dropcfg -l
ioctl getdropcfg#1 failed

Has anyone used this function before with success? Does any one know what those errors mean? Is there a limit for the number of entries in the file?

Best regards, Martijn

 

 

 

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2020-04-07 05:19 PM

Looks like a known bug: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Even though your version is theoretically not listed you should get the TAC involved.
0 Kudos
Martijn
Advisor
Advisor
‎2020-04-08 05:56 AM
In response to PhoneBoy

Thanks.

TAC is involved, but can not tell me what the message means.
I hope to get an answer soon

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2020-04-08 08:11 AM
In response to Martijn

There are definitely length limits for various SecureXL blocking features, see this related thread:

https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/SecureXL-DoS-Rate-Limiting-samp-r...

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Martijn
Advisor
Advisor
‎2020-04-17 01:26 AM

Hi All,

TAC advised us to use the 'fw samp batch' methode which we did and this was succesfull.

Regards,

Martijn.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events