Hello,
For a while we had SmartEvent enabled, and for certain "unwanted activities/traffic like scans or others" we were triggering a block for 1 hour to 8 hours.
All was good for a while, until we noticed some "Failed to add the following dynamic (SAM) rule" messages in the logs. While investigating we found that the SAM is somehow limited to 1000Kbyte, and in some situations we were filling that quickly.
So we were checking for a while, and whenever we saw the "error" in the logs we manually purged the SAM rules.
As this didn't please us (a tedious process), we paused SmartEvent.
Still, we want to bring this back, as it adds some extra protection in some cases; nowadays it is more like a must-have 😊.
So we looked into a way to get that activated again, and we sketched a process to get the SmartEvent event data sent via a script to a server, where we extract the faulty IPs and feed them into a Generic Data Center Object (this was fun to implement; I'll have another topic on it) and use the content in a FWL rule that blocks those IPs. We did this in order to have the same "automation" as with SAM rules, without needing to intervene too much on the policies/rules.
Is this a correct approach?
If anyone can enlighten us on the SAM rules limitation, and whether there is another way we can address SmartEvent actions, we would appreciate it.
Thank you,
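One way to implement the middle step of the process described above (extract the offending addresses from an event export and publish them as a Generic Data Center Object feed), written here as an added example that is neither the poster's script nor Check Point's own code: it reads a constructed line format that merely stands in for a SmartEvent export (the real export format is an assumption to be replaced), keeps only addresses whose block window (1 to 8 hours, as in the post) has not yet elapsed, and emits the feed JSON. The `version`/`description`/`objects[].ranges` layout follows the Generic Data Center feed format as I understand it from Check Point's documentation and should be checked against the current documentation; the addresses are documentation ranges and the function names are mine.

```python
import ipaddress
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines standing in for a SmartEvent export. The line format
# "<UTC timestamp> src=<ip> event=\"...\" block_hours=<n>" is an assumption made
# for this example, not real SmartEvent output.
SAMPLE_EVENTS = """\
2024-05-01T10:00:00Z src=203.0.113.7 event="Port Scan" block_hours=8
2024-05-01T10:05:00Z src=198.51.100.23 event="Port Scan" block_hours=1
2024-05-01T10:07:00Z src=203.0.113.7 event="Port Scan" block_hours=8
2024-05-01T10:20:00Z src=not-an-ip event="Port Scan" block_hours=1
2024-05-01T12:30:00Z src=192.0.2.55 event="Brute Force" block_hours=4
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+).*?block_hours=(?P<hours>\d+)")


def parse_ts(s):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp as an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text):
    """Return a list of (timestamp, ip, block_hours) tuples.

    Lines that do not match or carry an unparseable source address are skipped,
    so one malformed line cannot break the whole feed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # e.g. a hostname or garbage in the src field
        events.append((parse_ts(m.group("ts")), ip, int(m.group("hours"))))
    return events


def active_blocks(events, now):
    """Map each IP to the latest expiry of a block window that still covers `now`.

    This reproduces the SAM rule's timeout: an address drops out of the feed
    by itself once every block window for it has elapsed, so nothing has to
    be purged by hand."""
    expiry = {}
    for ts, ip, hours in events:
        until = ts + timedelta(hours=hours)
        if until <= now:
            continue
        if ip not in expiry or until > expiry[ip]:
            expiry[ip] = until
    return expiry


def build_data_center_feed(blocks, object_name="smartevent-auto-block"):
    """Assemble the JSON document served to a Generic Data Center Object.

    Field layout is the feed format as understood by the author of this
    example (assumption); verify it against current Check Point documentation."""
    ranges = [str(ip) for ip in sorted(blocks, key=lambda ip: (ip.version, int(ip)))]
    return {
        "version": "1.0",
        "description": "Addresses blocked by SmartEvent reactions",
        "objects": [
            {
                "name": object_name,
                "id": object_name,
                "description": "Auto-generated; entries expire with their block window",
                "ranges": ranges,
            }
        ],
    }


def feed_from_export(text, now_utc):
    """Build the feed for an export text at a given 'YYYY-MM-DDTHH:MM:SSZ' instant."""
    return build_data_center_feed(active_blocks(parse_events(text), parse_ts(now_utc)))


if __name__ == "__main__":
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    print(json.dumps(feed_from_export(SAMPLE_EVENTS, now), indent=2))
```

Because the feed is regenerated from the event timestamps, the block duration lives in the feed itself rather than in the gateway's SAM table, which is what avoids the size limit the post ran into; the effective precision of the unblock time is bounded by how often the gateway refetches the Generic Data Center feed, so the refresh interval should be chosen with the shortest block window in mind.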