Sorin_Gogean
Advisor

SmartEvent block action hit SAM limitation

Hello,

For a while we had SmartEvent enabled, and for certain "unwanted activities/traffic like scans or others" we were triggering a block of 1 hour to 8 hours.

All was good for a while, until we noticed some "Failed to add the following dynamic (SAM) rule" messages in the logs. While investigating, we found that the SAM is somehow limited to 1000 Kbyte, and in some situations we were filling that quickly.

So we kept checking for a while, and whenever we saw the "error" in the logs we manually purged the SAM rules.

As this didn't please us (a tedious process), we paused SmartEvent.

Still, we want to bring this back, as it adds some extra protection in some cases; nowadays it's more like a must-have 😊.

So we looked into a way to get that activated again, and we sketched a process: the SmartEvent event data is sent via a script to a server, where we extract the offending IPs and feed them into a Generic Data Center Object (this was fun to implement; I'll open another topic on it), and we use its contents in a firewall (FWL) rule that blocks those IPs. We did this in order to have the same "automation" as with SAM rules, without needing to intervene too much on the policies/rules.

Is this a correct approach?

If anyone can enlighten us on the SAM rules limitation, and on whether there is another way we can address SmartEvent actions, we would appreciate it.

Thank you,

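One way to implement the feed side of the process described in the post above, as an added example (this is not the poster's script and not Check Point's own code): it reads a SmartEvent export, keeps only the addresses whose block window has not yet expired, refuses to emit internal ranges, and writes a Generic Data Center feed document. Assumptions, all labelled in the code: the export is a JSON-lines file with `src`, `time` and `block_hours` fields (the sample is constructed for this example); the feed layout (`version`, `description`, `objects[]` with `name`, `id`, `description`, `ranges`) is the Generic Data Center JSON format as I understand it, so verify it against the documentation for your version; and the object `id` is derived with `uuid5` from the object name so it stays stable across regenerations.

```python
"""Build a Generic Data Center feed from a SmartEvent export.

Added example, not code from the original post.  Assumptions:
- events arrive as JSON lines with "src", "time" and "block_hours"
  (field names chosen for this example, not Check Point's schema);
- the feed is the Generic Data Center JSON layout (version /
  description / objects[] with name, id, description, ranges);
- the object id must not change between regenerations, so it is
  derived deterministically from the object name with uuid5.
"""
import ipaddress
import json
import uuid
from datetime import datetime, timedelta

# Constructed sample export: one event per line.  The last two lines are
# deliberate edge cases (an internal source and a malformed address).
SAMPLE_EVENTS = """\
{"time": "2024-05-01T10:00:00Z", "src": "203.0.113.10", "event": "Port Scan", "block_hours": 8}
{"time": "2024-05-01T11:30:00Z", "src": "198.51.100.7", "event": "Brute Force", "block_hours": 1}
{"time": "2024-05-01T11:45:00Z", "src": "203.0.113.10", "event": "Port Scan", "block_hours": 8}
{"time": "2024-05-01T11:50:00Z", "src": "10.1.2.3", "event": "Port Scan", "block_hours": 8}
{"time": "2024-05-01T11:55:00Z", "src": "not-an-ip", "event": "Port Scan", "block_hours": 8}
"""

# Ranges the feed must never contain.  A feed that blindly mirrors SmartEvent
# could otherwise block management hosts or VPN peers; extend to taste.
NEVER_BLOCK = [ipaddress.ip_network(n)
               for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Namespace for the stable object id (assumption: any fixed UUID works).
FEED_NAMESPACE = uuid.NAMESPACE_DNS


def parse_time(iso):
    """Parse the export's ISO-8601 'Z' timestamps into aware datetimes."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def parse_events(text):
    """Return (ip, expiry) pairs for well-formed, blockable source addresses."""
    blocks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        try:
            ip = ipaddress.ip_address(ev["src"])
        except (KeyError, ValueError):
            continue  # malformed source: skip rather than emit a bad range
        if any(ip in net for net in NEVER_BLOCK):
            continue  # never let the feed block our own address space
        expiry = parse_time(ev["time"]) + timedelta(hours=int(ev.get("block_hours", 1)))
        blocks.append((ip, expiry))
    return blocks


def active_blocks(blocks, now):
    """Collapse repeated hits to their latest expiry and drop expired ones.

    This emulates the timeout a SAM rule carries on its own; a Data Center
    object has no expiry, so it must be enforced at feed-generation time.
    """
    latest = {}
    for ip, expiry in blocks:
        if expiry > now and (ip not in latest or expiry > latest[ip]):
            latest[ip] = expiry
    return latest


def build_feed(active, name="smartevent-autoblock"):
    """Emit the Generic Data Center feed document (assumed layout)."""
    ordered = sorted(active, key=lambda ip: (ip.version, int(ip)))
    return {
        "version": "1.0",
        "description": "Addresses auto-blocked from SmartEvent events",
        "objects": [{
            "name": name,
            "id": str(uuid.uuid5(FEED_NAMESPACE, name)),  # stable across runs
            "description": "Entries drop out once their block window has passed",
            "ranges": [str(ip) for ip in ordered],
        }],
    }


def feed_ranges(text, now_iso):
    """Convenience wrapper: the ranges the feed would contain at `now_iso`."""
    feed = build_feed(active_blocks(parse_events(text), parse_time(now_iso)))
    return feed["objects"][0]["ranges"]


if __name__ == "__main__":
    now = parse_time("2024-05-01T12:00:00Z")
    print(json.dumps(build_feed(active_blocks(parse_events(SAMPLE_EVENTS), now)), indent=2))
```

Regenerate the document on a schedule (at least as often as the shortest block window), serve it over HTTPS from the host the Generic Data Center object points at, and keep the object name, and therefore the `id`, fixed; if the `id` changes, the object bound in the rule no longer matches the feed. Check your version's documentation for the exact schema and for any limit on the number of ranges per object before relying on it for large block lists.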
3 Replies
PhoneBoy
Admin

SAM rules are a legacy mechanism that I'm sure has lower limits than some of the newer mechanisms (fw samp) that perform a similar task.
What you're doing (piping into a Generic Datacenter object) is a clever way to solve the problem.

Sorin_Gogean
Advisor

Thank you @PhoneBoy for confirming this.

Is there any plan to change SmartEvent and make it use "fw samp" for autoblocking?

Ty,

PhoneBoy
Admin

Pretty sure fw samp also has a (likely higher) limit, so I'm not sure moving it to that mechanism is the right answer.
In any case, this probably requires an RFE to come up with the best approach.