Hi Mates,
I have configured some test Rate Limiting rules for an R80.20 VSX environment. The config was set with "monitor only" mode enabled first and the rules are in place;
[Expert@fvsx_gateway:3]# fw samp get
operation=add uid=<5e7da64e,00000000,21c2f50a,000078b1> target=all timeout=indefinite action=drop log=log service=any source-negated=true source=cidr:172.16.0.0/12 pkt-rate=100 track=source flush=true req_type=quota
I can see that the rules are enabled and seem to be picking up traffic that should be dropped;
[Expert@vsx_gateway:3]# fwaccel dos stats get
Firewall:
Number of Elements in Tables:
Penalty Box Violating IPs: 0 (size: 8192)
Blacklist Notification Handlers: 0 (size: 1024)
SXL Device 0:
Total Active Connections: 0
Total New Connections/Second: 0
Total Packets/Second: 41
Total Bytes/Second: 4077
Reasons Packets Dropped:
IP Fragment: 0
IP Option: 0
Penalty Box: 0
Blacklist: 0
Rate Limit: 0
Number of Elements in Tables:
Penalty Box: 0 (size: 0)
Non-Empty Blacklists: 0 (size: 0)
Blacklisted IPs: 0 (size: 0)
Rate Limit Matches: 154 (size: 262144)
Rate Limit Source Only Tracks: 94 (size: 262144)
Rate Limit Source and Service Tracks: 0 (size: 262144)
Are these violations also logged in SmartConsole Logs&Monitor?
I've checked against some of the source/dest addresses shown in the "dos_rate_matches" SecureXL table but I can't see anything that suggests that there would be a drop based on Rate Limiting. Has anyone got an example of one of these logs?
Looks like the logs are being presented. I did some updates around actually installing the rules (using "fw samp add -t 2 quota flush true") so that may have kicked them into life. They may also just have taken some time to get through to the Mgmt device.
I haven't seen an easy way to search for these ones yet. Free text doesn't seem to work for any of the text or UIDs for the DOS rules. I had to grab the IP out of the fwaccel table ("fwaccel tab -t dos_rate_matches -f") and then search in Logs&Monitor.
Anyone found an easier way to monitor these?
I would also like to know if there is an easier way to search the logs for these results. Has anyone found another method?
Same here. The feature works well but we are a bit blind if we can't filter/search the logs in SmartConsole.
As that field is not indexed, you cannot search for these entries, unfortunately.
Could it be indexed?
Not without a Request for Enhancement.
Highly recommend working with your local Check Point office around this requirement.
Hi Luis, try using the parameter "-l a" when creating the rate limiting rule. This will create an alert log in logs & monitor. You are then able to filter by "alerts" so it should be fairly easy to locate them unless you have a lot of other alert rules/logs being generated.
Hey Chad, the best way I have figured out how to help with tracking the logs is to use the "-l a" parameter which creates an alert log in logs & monitor. You are then able to filter by "alerts" so it should be fairly easy to locate them unless you have a lot of other alert rules/logs being generated.
I think it is mandatory to be able to search by source and destination IP for troubleshooting purposes.
But in terms of monitoring we need to be able to identify this type of alert. The best and easiest way I can think of is with the comment and name that fwaccel dos allows you to set with -c and -n.
This way we could totally control the number of fwaccel dos, we could create graphs to track it, etc.
I'd be interested to see how the SmartEvent DOS mitigation rules are being created in terms of acceleration. I believe you can search them by "sam rule" free text search, but it will return all of those.
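Added example, not written by any poster in this thread or by Check Point: since the log field cannot be searched, one way to track rate limiting over time is to parse successive `fwaccel dos stats get` snapshots like the one quoted in the first post and graph the counters. The function names `parse_dos_stats` and `rate_limit_report` are hypothetical, and the rule that only "Firewall" and "SXL Device N" open a new scope is an assumption based on that output.

```python
import re

# Abridged copy of the `fwaccel dos stats get` output quoted in the first post
# (indentation is already lost on this page, so headers are told apart by name).
SAMPLE = """\
Firewall:
Number of Elements in Tables:
Penalty Box Violating IPs: 0 (size: 8192)
SXL Device 0:
Total Packets/Second: 41
Reasons Packets Dropped:
Penalty Box: 0
Rate Limit: 0
Number of Elements in Tables:
Penalty Box: 0 (size: 0)
Rate Limit Matches: 154 (size: 262144)
Rate Limit Source Only Tracks: 94 (size: 262144)
"""

LINE = re.compile(r"^([^:]+):\s*(\d+)?(?:\s*\(size:\s*(\d+)\))?$")

def parse_dos_stats(text):
    """Return {(scope, group, counter): (value, table_size or None)}."""
    stats, scope, group = {}, None, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        name, value, size = m.group(1).strip(), m.group(2), m.group(3)
        if value is None:  # header line: nothing numeric after the colon
            # Assumption: only "Firewall" and "SXL Device N" open a new scope.
            if name == "Firewall" or name.startswith("SXL Device"):
                scope, group = name, None
            else:
                group = name
            continue
        stats[(scope, group, name)] = (int(value), int(size) if size else None)
    return stats

def rate_limit_report(prev, curr, device="SXL Device 0"):
    """Summarise rate-limit activity between two parsed snapshots."""
    drop_key = (device, "Reasons Packets Dropped", "Rate Limit")
    before, now = prev.get(drop_key, (0, None))[0], curr.get(drop_key, (0, None))[0]
    matches, size = curr.get(
        (device, "Number of Elements in Tables", "Rate Limit Matches"), (0, None))
    return {
        # A smaller value than last time means the counter was reset.
        "new_drops": now - before if now >= before else now,
        "matches": matches,
        "match_table_fill": matches / size if size else None,
    }
```

Keying each counter by scope and group keeps the two "Penalty Box" lines apart: one is a drop reason, the other a table size.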