cyberluke365
Contributor

Strange behavior with fwaccel dos...

Greetings!

I'm noticing a strange behavior in our Security Gateways related to fwaccel dos after upgrading from R81.10.

Environment

  • 1 Management (virtual machine) - R81.20 Take 53
  • 2 Security Gateways - R81.20 Take 53

Assuming the enforcement on internal interfaces is disabled and the SecureXL Penalty Box is enabled.

fwaccel dos config get:

rate limit: enabled (without policy)
rule cache: enabled
pbox: enabled
deny list: enabled (with policy)
drop frags: disabled
drop opts: disabled
internal: disabled
monitor: disabled
log drops: enabled
log pbox: enabled
...

The strange behavior: after a while, the enforcement on internal interfaces becomes enabled WITHOUT DOING ANYTHING (internal: enabled). And then, I have to disable it again with fwaccel dos config set --disable-internal. It remains disabled for a while, but then, after a while it becomes enabled again.

Are you also experiencing the same "issue" ? Do you have any advice about the above ?

I also suspect the guide page fwaccel dos config (R81.20 Performance Tuning Administration Guide) contains wrong information. At the bottom of the article, it reports:


$FWDIR/conf/fwaccel_dos_rate_on_install:

#!/bin/bash
#
# Automatically generated by fwaccel - DO NOT EDIT THIS FILE
rate.--set-enabled=1
global.--set-enforce-internal=0
pbox.--set-enabled=1
pbox.--set-log-reported=1
deny.--set-enabled=1
drop_frags.--set-enabled=0
drop_opts.--set-enabled=0
global.--set-monitor-only=0
rate.--set-rule-cache=1
global.--set-log-drops=1
...
deny.--set-name=
deny.--set-monitor-only=0
deny.--set-tcp-rst=0
pbox.--set-monitor-only=0
  1. The format of the file fwaccel_dos_rate_on_install (R81.20) is quite different from the format mentioned in the article
  2. It seems it is not necessary to modify the file fwaccel_dos_rate_on_install in R81.20 to make settings persistent: the file is rewritten every time fwaccel dos config set ... is run; and inside the file it also says "# Automatically generated by fwaccel - DO NOT EDIT THIS FILE"

- I already sent feedback to Check Point about this wrong information -

That's it. I hope someone can help me with the first two questions.

0 Kudos
7 Replies
PhoneBoy
Admin

I suspect what you discovered about the configuration file is related to the problem you're having.
Which means a consult with TAC if you haven't already opened a case.

0 Kudos
cyberluke365
Contributor

Hello @PhoneBoy ,
thank you for your reply. No, I haven't opened a case yet (but I will).

What do you mean: the config file fwaccel_dos_rate_on_install I have in R81.20 shouldn't be in that format (so the article is correct)? Or is there something wrong related to fwaccel dos and the config file in general in R81.20?

Thank you,
Luca

0 Kudos
PhoneBoy
Admin

I assume it's related to whatever is auto-generating that configuration file.
Can you check the last modified date on that file and see if it tracks when you notice the issue occur?

0 Kudos
cyberluke365
Contributor

Hello @PhoneBoy,

Enforcement on internal interfaces disabled:
-rwxr-x--- 1 **** **** 498 Apr 18 23:34 /opt/CPsuite-R81.20/fw1/conf/fwaccel_dos_rate_on_install

Enforcement on internal interfaces enabled:
-rwxr-x--- 1 **** **** 498 Apr 19 00:08 /opt/CPsuite-R81.20/fw1/conf/fwaccel_dos_rate_on_install

# more $FWDIR/conf/fwaccel_dos_rate_on_install

#!/bin/bash
#
# Automatically generated by fwaccel - DO NOT EDIT THIS FILE
rate.--set-enabled=1
global.--set-enforce-internal=1
pbox.--set-enabled=1
pbox.--set-log-reported=1
deny.--set-enabled=1
drop_frags.--set-enabled=0
drop_opts.--set-enabled=0
global.--set-monitor-only=0
rate.--set-rule-cache=1
global.--set-log-drops=1
...
deny.--set-name=
deny.--set-monitor-only=0
deny.--set-tcp-rst=0
pbox.--set-monitor-only=0

# fwaccel dos config get

rate limit: enabled (without policy)
rule cache: enabled
pbox: enabled
deny list: enabled (with policy)
drop frags: disabled
drop opts: disabled
internal: enabled
monitor: disabled
log drops: enabled
log pbox: enabled
...

Set back to disabled:

# fwaccel dos config set --disable-internal
Configuration saved to /opt/CPsuite-R81.20/fw1/conf/fwaccel_dos_rate_on_install

When the config file changes (automatically), the output shows the change (of course).

It would be interesting to know what the "global.--" prefix in the config file means.

0 Kudos
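The exchange above boils down to two checks: read the value of global.--set-enforce-internal out of the auto-generated file, and record when the file's mtime changes so the flip can be correlated with other gateway activity. The following bash script is an added example, not code from the original post or from Check Point. It assumes only the "section.--set-key=value" layout visible in the file shown above (the elided "..." lines are not guessed); the function names check_dos_drift, dos_config_value and log_dos_state, and the baseline file format "key value", are hypothetical choices for this example. stat -c is GNU stat, which Gaia (RHEL-based) has.

```shell
#!/bin/bash
# Added example (not from the thread or Check Point): parse the auto-generated
# $FWDIR/conf/fwaccel_dos_rate_on_install, compare it against a desired
# baseline, and emit a timestamped one-liner suitable for a cron job so the
# moment "internal" flips to enabled can be correlated with the file's mtime.

# Turn "section.--set-key=value" lines into "section.key value" pairs.
# Comment lines, blank lines and anything else (e.g. "...") are skipped.
parse_dos_config() {
    sed -n 's/^\([a-z_]*\)\.--set-\([a-z-]*\)=\(.*\)$/\1.\2 \3/p' "$1"
}

# Value of one key, e.g. dos_config_value FILE global.enforce-internal -> 0 / 1
# (prints an empty string when the key is absent).
dos_config_value() {
    parse_dos_config "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Compare FILE ($1) against BASELINE ($2, lines of "key value"). Prints one
# "key expected=X actual=Y" line per drifted or missing key; returns 1 on drift.
check_dos_drift() {
    local file="$1" baseline="$2" key want have rc=0
    while read -r key want; do
        [ -z "$key" ] && continue
        have=$(dos_config_value "$file" "$key")
        if [ "$have" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$want" "$have"
            rc=1
        fi
    done < "$baseline"
    return $rc
}

# One line per run for cron: wall clock, file mtime, and the current value of
# global.enforce-internal. Default path is the one the gateway prints on save.
log_dos_state() {
    local f="${1:-$FWDIR/conf/fwaccel_dos_rate_on_install}"
    printf '%s mtime=%s enforce-internal=%s\n' \
        "$(date '+%F %T')" \
        "$(stat -c %y "$f" 2>/dev/null)" \
        "$(dos_config_value "$f" global.enforce-internal)"
}

# Demo on constructed input (not captured from a real gateway): the file as it
# looked when "internal: enabled" was observed, checked against a baseline
# that wants internal enforcement off.
demo_dos_check() {
    local cfg baseline rc
    cfg=$(mktemp)
    baseline=$(mktemp)
    cat > "$cfg" <<'EOF'
#!/bin/bash
#
# Automatically generated by fwaccel - DO NOT EDIT THIS FILE
rate.--set-enabled=1
global.--set-enforce-internal=1
pbox.--set-enabled=1
pbox.--set-log-reported=1
deny.--set-enabled=1
drop_frags.--set-enabled=0
drop_opts.--set-enabled=0
global.--set-monitor-only=0
rate.--set-rule-cache=1
global.--set-log-drops=1
deny.--set-name=
deny.--set-monitor-only=0
deny.--set-tcp-rst=0
pbox.--set-monitor-only=0
EOF
    printf '%s\n' 'global.enforce-internal 0' 'pbox.enabled 1' 'global.monitor-only 0' > "$baseline"
    check_dos_drift "$cfg" "$baseline"
    rc=$?
    rm -f "$cfg" "$baseline"
    return $rc
}

if demo_dos_check; then
    echo "no drift from baseline"
else
    echo "drift from baseline detected"
fi
```

Run on a gateway as "log_dos_state >> /var/log/fwaccel_dos_watch.log" from cron every few minutes; the first line whose enforce-internal value changes gives the window in which the file was rewritten, which is the data point the TAC case needs. A non-zero exit from check_dos_drift is the cue to re-run fwaccel dos config set --disable-internal, but only after the cause is understood, since the file is regenerated by fwaccel and hand edits are not expected to survive.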
PhoneBoy
Admin

Sounds like a TAC case is in order

0 Kudos
cyberluke365
Contributor

Case opened.

Let's see...

0 Kudos
CheckPointerXL
Advisor

0 Kudos
