SecureXL DoS Rate Limiting (samp rules)

I have been working a lot with the rate limiting rules via the "fw samp" CLI interface, but unfortunately I cannot get the gateway to actually enforce them.  It appears SecureXL is very unhappy when I try to enable rate limiting:

[Expert@PROD-FW02a:0]# fwaccel dos config set --enable-rate-limit
ERROR: No rate limiting policy is installed, can't enable.

What exactly is the "rate limiting policy" it is referring to?  

I have dug fairly deep in documentation, sks, etc. and cannot figure out what triggers the rate limiting capabilities of SecureXL to turn on, based on policy settings.  I also thought maybe enabling QoS blade and the QoS policy component would trigger things, but it had no effect on things.

Of course, this same status is reflected when you query the configuration (fwaccel dos config get):

rate limit: disabled (without policy)
pbox: disabled
blacklists: disabled
drop frags: disabled
drop opts: disabled
internal: disabled
monitor: disabled
log drops: enabled
log pbox: enabled
notif rate: 100 notifications/second
pbox rate: 500 packets/second
pbox tmo: 180 seconds

The gateways are R80.30 5800 appliances.

→ CCSE, CCTE
36 Replies
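A pre-flight check for the situation described in the question, added here as an example and not taken from the thread or from Check Point. It assumes that the "rate limiting policy" the fwaccel error refers to is the set of installed `fw samp` quota rules (how Check Point documents the feature, but the thread excerpt itself does not confirm it), that `fw samp get` prints each installed rule on a line containing the word `quota`, and that the sample `fw samp add` rule in the error text matches your version's documented syntax (verify before use). The only commands it runs against the gateway are `fwaccel dos config get`, `fwaccel dos config set --enable-rate-limit` (both from the post), `fw samp get`, and nothing else; the parsing functions take command output as text so they can be exercised offline.

```bash
#!/bin/bash
# Added example (not from the thread): refuse to enable SecureXL rate limiting
# until at least one fw samp quota rule is installed, so the gateway never
# answers "No rate limiting policy is installed, can't enable."
# Assumptions: the "rate limiting policy" is the set of fw samp quota rules, and
# `fw samp get` lists each rule on a line containing "quota".
# Usage on the gateway (Expert mode): ./dos_preflight.sh --run
set -u

# Extract the "rate limit:" state from `fwaccel dos config get` output (passed as text),
# e.g. "disabled (without policy)" or "enabled".
rate_limit_state() {
    printf '%s\n' "$1" | sed -n 's/^rate limit:[[:space:]]*//p'
}

# Count installed quota rules in `fw samp get` output (passed as text).
# `grep -c` prints 0 and exits 1 when nothing matches, hence the `|| true`.
count_quota_rules() {
    printf '%s\n' "$1" | grep -c 'quota' || true
}

# Decide whether enabling rate limiting is sensible.
# Returns 0 = ok to enable, 1 = no quota policy installed, 2 = already enabled.
preflight() {
    local cfg="$1" samp="$2"
    local state
    state=$(rate_limit_state "$cfg")
    case "$state" in
        enabled*) return 2 ;;
    esac
    if [ "$(count_quota_rules "$samp")" -eq 0 ]; then
        return 1
    fi
    return 0
}

# Live run against the gateway: gather state, then act on the pre-flight verdict.
main() {
    local cfg samp rc=0
    cfg=$(fwaccel dos config get)
    samp=$(fw samp get)
    preflight "$cfg" "$samp" || rc=$?
    case "$rc" in
        0) fwaccel dos config set --enable-rate-limit ;;
        1) echo "No fw samp quota rule installed; add one first, for example" >&2
           # Illustrative rule shape (drop, log, 1 h timeout, packet-rate quota on a CIDR);
           # check the exact flags against the fw samp documentation for your release.
           echo "  fw samp add -a d -l r -t 3600 quota service any source cidr:10.0.0.0/8 pkt-rate 1000" >&2
           exit 1 ;;
        2) echo "Rate limiting is already enabled; nothing to do." ;;
    esac
}

# Only touch the live gateway when explicitly asked, so the functions above can be
# sourced or tested without fwaccel/fw being present.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

The point of the `preflight` split is that `fwaccel dos config get` already tells you whether a policy is present (`disabled (without policy)` versus plain `disabled`), so a script can distinguish "not yet enabled" from "nothing to enable" before it runs a command that will fail.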
Luis_Miguel_Mig
Advisor

For the same reason, if you create a widget with the field "type", it doesn't include the ClusterXL DoS rate-limit logs in its statistics.
You can filter the logs by type:alert in the SmartConsole Logs tab, but the widget doesn't show this information.

Luis_Miguel_Mig
Advisor

One more thing about SecureXL DDoS: it would be great to include it in the Gaia API/Ansible, wouldn't it?

_Val_
Admin

It's debatable. This is something way too easy to abuse and hurt production traffic if any admin mistakes are made.

Luis_Miguel_Mig
Advisor

I think that the SecureXL DDoS rate-limit feature is quite powerful for controlling, for example, the number of TCP sessions to specific hosts. I think that this feature and its administration would benefit if it were included in SmartConsole + Gaia or the management API.

CheckPointerXL
Advisor

<*,*,*,*> is a great trick

So, if I understand well, this will show drops for the DoS rule but also for pbox, right?

Eric_Dale
Employee

I believe that is correct.

CheckPointerXL
Advisor

Hello Eric,

I just realized that by putting "penalty box" in SmartLog I get the right results:

[screenshot: Cattura.JPG]

So, it is not clear to me why I'm getting this different result with the <*,*,*,*> filter:

[screenshot: Cattura.JPG]

but no policies are set:

[screenshot: Cattura.JPG]

Which policy/configuration is triggering the last log? Maybe the Deny List or synatk? Those are the only other configs...

Thanks!
