This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Martijn
Advisor
‎2020-04-07 02:28 AM

Accelerated Drop Rules feature 'sim dropcfg'

Hi All,

On a R80.10 gateway with jumbo take 272 I am testing the Accelerated Drop Rules feature from sk67861. I have created a file with IP-addresses, but get an error when importing this file.

ioctl to the SecureXL device failed (rc=-1, errno=12)
ioctl failed

The file contains 6694 entries, so maybe this is above some kind of limit. So I created a file with only one IP-address and this seems to work:

[Expert@FW:0]# sim dropcfg -f test
Drop rules (Match after conn lookup):
Enforced on all interfaces
Source Destination DPort PR
------------------ ------------------ ----- ---
1.1.1.1/32 * * *

Are you sure you want to continue (Y/N) ?
y
drop entries configured successfully

But when I check to see if everything is OK, I get the following error:

[Expert@FW:0]# sim dropcfg -l
ioctl getdropcfg#1 failed

Has anyone used this function before with success? Does any one know what those errors mean? Is there a limit for the number of entries in the file?

Best regards, Martijn

 

 

 

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2020-04-07 05:19 PM

Looks like a known bug: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Even though your version is theoretically not listed you should get the TAC involved.
0 Kudos
Martijn
Advisor
‎2020-04-08 05:56 AM
In response to PhoneBoy

Thanks.

TAC is involved, but can not tell me what the message means.
I hope to get an answer soon

0 Kudos
Timothy_Hall
Champion
Champion
‎2020-04-08 08:11 AM
In response to Martijn

There are definitely length limits for various SecureXL blocking features, see this related thread:

https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/SecureXL-DoS-Rate-Limiting-samp-r...

Updated 2023 IPS/AV/ABOT R81.20 Course now
available at maxpowerfirewalls.com
0 Kudos
Martijn
Advisor
‎2020-04-17 01:26 AM

Hi All,

TAC advised us to use the 'fw samp batch' methode which we did and this was succesfull.

Regards,

Martijn.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫