How to exclude IP from SAM rules
Hello everybody,
Following a big outage we noticed that our main gateways had put their own public IP subnet in the SAM ruleset. How can I prevent this from happening? Is there any way to exclude a subnet from being monitored for suspicious activity?
I would look at https://support.checkpoint.com/results/sk/sk112061 (How to create and view Suspicious Activity Monitoring (SAM) Rules).
Try to see if the -b flag with the IP of the Security Gateway works.
I agree with @Tal_Paz-Fridman. I would double-check what you have, as per the short video I uploaded.
Andy
As far as I know, there shouldn’t be anything automatically creating SAM rules against your gateway IP.
There is nothing preventing you from doing so via the fw sam command, however.
To prevent your main gateways from including their own public IP subnet in the SAM ruleset, you can exclude specific subnets from being monitored for suspicious activity by configuring exceptions in the SAM rules. Here's how you can do it:
- Access the Security Management Server:
  - Open SmartConsole and connect to your Security Management Server.
- Navigate to SAM Settings:
  - Go to "Logs & Monitor" and open the SmartView Monitor.
- Open Suspicious Activity Rules:
  - Click on the "Suspicious Activity Rules" icon in the toolbar to open the Enforced Suspicious Activity Rules window.
- Add an Exception:
  - Click on "Add" to create a new rule.
  - In the "Block Suspicious Activity" window, specify the source and destination IP addresses or networks you want to exclude. Use the IP and subnet mask fields to define the subnet you wish to exclude.
- Configure the Rule:
  - Set the action to "Notify" instead of "Block" for the specific subnet you want to exclude.
  - Set an expiration time for the rule to ensure it doesn't affect performance unnecessarily.
- Enforce the Rule:
  - Click "Enforce" to apply the rule to the selected Security Gateway(s).
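A pre-enforcement sanity check for the situation described in the original question, added here as an example that is not from the thread or from Check Point: it flags candidate SAM criteria that overlap the gateway's or management server's own addresses, and carves the protected hosts out of a candidate range before it is enforced. All addresses and the rule-dictionary layout are constructed for illustration and do not reflect fw sam's own input or output format.

```python
import ipaddress

# Constructed sample addresses (not from the thread): the hosts that a
# SAM block must never cover, e.g. the gateway's external interface and
# the management server that pushes policy to it.
PROTECTED_HOSTS = [
    "203.0.113.10",   # constructed: gateway external interface
    "198.51.100.5",   # constructed: Security Management Server
]

# Constructed SAM rule candidates; the dictionary layout is an assumption
# made for this example, not fw sam's syntax.
CANDIDATE_RULES = [
    {"name": "block-scanner", "match": "src",    "cidr": "192.0.2.77/32"},
    {"name": "block-range",   "match": "subnet", "cidr": "203.0.113.0/24"},
    {"name": "block-dst",     "match": "dst",    "cidr": "198.51.100.0/28"},
]


def self_blocking_rules(rules, protected):
    """Return (rule name, protected host) pairs where a rule would cover
    one of our own addresses, i.e. the self-inflicted outage case."""
    protected_nets = [ipaddress.ip_network(p, strict=False) for p in protected]
    hits = []
    for rule in rules:
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        for p in protected_nets:
            if net.overlaps(p):
                hits.append((rule["name"], str(p)))
                break
    return hits


def carve_out(cidr, protected):
    """Split a candidate range into the largest sub-ranges that do not
    contain any protected host, so the block can still be applied safely."""
    remaining = [ipaddress.ip_network(cidr, strict=False)]
    for p in (ipaddress.ip_network(x, strict=False) for x in protected):
        kept = []
        for net in remaining:
            if p.subnet_of(net):
                kept.extend(net.address_exclude(p))   # punch the host out
            elif net.overlaps(p):
                continue   # protected range is larger than the candidate
            else:
                kept.append(net)
        remaining = kept
    return [str(n) for n in sorted(remaining)]
```

Running `self_blocking_rules(CANDIDATE_RULES, PROTECTED_HOSTS)` flags "block-range" and "block-dst"; `carve_out` then yields the eight sub-ranges of 203.0.113.0/24 that leave the gateway address untouched.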
