Re: fw sam syntax

mva · ‎2024-08-29

Hello mates!

We're testing smart event policy and faced next question. If we understood right, if host was blocked because of policy, it block with SAM (logs shows sam rules numbers). Now we're trying to find ways to unblock host before its timeout ends. If we're trying to use fw sam with flag -C and criteria src, we recieves output as from -help flag, and host still blocked. But, if we're using -D flag, all works properly.

For example

fw sam -v -s localhost -f GWIP -C src 1.1.1.1 - facing -help output

fw sam -D - everything correct, hosts unblocked.

Are we missing anything in first example? Tested both on 81.10 and 81.20 with last JHF takes

G_W_Albrecht · ‎2024-08-29

In https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_CLI_ReferenceGuide/Topics-CL... we read:

-C

Cancels the fw sam command to inhibit connections with the specified parameters.

Notes:

These connections are no longer inhibited (no longer rejected or dropped).
The command parameters must match the parameters in the original fw sam command, except for the -t <Timeout> parameter.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

mva · ‎2024-08-29

So, we need not only source, but also destination and all other params to unblock?

the_rock · ‎2024-08-29

I have a gut feeling its failing due to localhost. Let me see if I can test it in the lab.

Andy

Are you a member of CheckMates?

fw sam syntax