This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Egenity
Contributor
‎2019-12-28 03:04 PM
Jump to solution

SecureXL DoS Rate Limiting (samp rules)

I have been working a lot with the rate limiting rules via the "fw samp" CLI interface, but unfortunately I cannot get the gateway to actually enforce them.  It appears SecureXL is very unhappy when I try to enable rate limiting:

[Expert@PROD-FW02a:0]# fwaccel dos config set --enable-rate-limit
ERROR: No rate limiting policy is installed, can't enable.

What exactly is the "rate limiting policy" it is referring to?  

I have dug fairly deep in documentation, sks, etc. and cannot figure out what triggers the rate limiting capabilities of SecureXL to turn on, based on policy settings.  I also thought maybe enabling QoS blade and the QoS policy component would trigger things, but it had no effect on things.

Of course, this same status is reflected when you query the configuration (fwaccel dos config get):

rate limit: disabled (without policy)
pbox: disabled
blacklists: disabled
drop frags: disabled
drop opts: disabledfwacc
internal: disabled
monitor: disabled
log drops: enabled
log pbox: enabled
notif rate: 100 notifications/second
pbox rate: 500 packets/second
pbox tmo: 180 seconds

The gateways are R80.30 5800 appliances.

 


→ CCSE, CCTE
0 Kudos
36 Replies
Luis_Miguel_Mig
Advisor
‎2021-09-20 03:51 AM
In response to Luis_Miguel_Mig
Jump to solution

For same reason if you create a widget with the field "type", it doesn't include the clusterxl dos rate-limit logs in their statistics.
You can filter the logs by type:alert in smartconsole logs tab, but the widget doesn't show this information

0 Kudos
Luis_Miguel_Mig
Advisor
‎2021-10-05 07:29 AM
In response to Luis_Miguel_Mig
Jump to solution

One more thing about secuxl ddos, it would be great to include it in the gaia api/ansible, wouldn't it?

0 Kudos
_Val_
Admin
Admin
‎2021-10-05 07:40 AM
In response to Luis_Miguel_Mig
Jump to solution

It's debatable. This is something way too easy to abuse and hurt production traffic if any admin mistakes are made.

0 Kudos
Luis_Miguel_Mig
Advisor
‎2021-10-05 08:00 AM
In response to _Val_
Jump to solution

I think that the  securexl ddos rate-limit feature is quite powerful to control for example the number of tcp sessions to specific hosts. I think that this feature and its administration would benefit if it was included in smartconsole + gaia or the mgmt api.

0 Kudos
CheckPointerXL
Advisor
Advisor
‎2022-06-06 02:24 AM
In response to Luis_Miguel_Mig
Jump to solution

<*,*,*,*> is a great trick

so, if i understand well, this will show drop for DoS Rule but also for pbox, right?

0 Kudos
Eric_Dale
Employee
Employee
‎2022-06-06 05:49 AM
In response to CheckPointerXL
Jump to solution

I believe that is correct.

CheckPointerXL
Advisor
Advisor
‎2022-06-06 06:03 AM
In response to Eric_Dale
Jump to solution

 

Hello Eric,

just realized that putting in smartlog "penalty box" i get right results:

Cattura.JPG

Cattura.JPG

 

So, it is not clear to me, why i'm getting this different result with <*,*,*,*> filter:

 

Cattura.JPG

but no policy are set :

 

Cattura.JPG

which policy/configurations is triggering last log ? Maybe the Deny List or synatk? the only other configs..

thanks !

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events