I have a ticket open, but thought I would ask here also...
We have been using the ip blocklist feature from sk103154 across all our gateways for some time, and it was working great. Today I found it is not working as expected.
We run the script on the management station every day to enable the feature on the remote gateways, and we have a list of feeds that we use.
One of them is a custom list we maintain.
When I run the script, I get this response from the gateway
ip_block: Malicious IP blocking mechanism is ON
which is the expected result, but when I run the command
fw samp get | grep threatcloud_ip_block | grep 185.53.179.28
I get no result
the log on the gateway says this
Tue May 18 07:58:08 -04 2021 update_feeds
Tue May 18 07:58:08 -04 2021 updating https://xxxx/blacklist.txt
Tue May 18 07:58:08 -04 2021 Not using proxy
Tue May 18 07:58:09 -04 2021 LAST_UPDATE = Last-Modified:Tue18May202111:28:55GMT
Tue May 18 07:58:09 -04 2021 last_update new = Last-Modified:Tue18May202111:28:55GMT
Tue May 18 07:58:09 -04 2021 last_update old = Last-Modified:Tue18May202111:28:55GMT
Tue May 18 07:58:09 -04 2021 old_timeout = 1621337889
Tue May 18 07:58:09 -04 2021 new_timeout_sec = 1621339089
Tue May 18 07:58:09 -04 2021 file name = /opt/CPsuite-R80.40/fw1/database/httpsxxxxblacklisttxt
Tue May 18 07:58:09 -04 2021 last_update_delta = 1260
Tue May 18 07:58:09 -04 2021 samp_rule_timeout = 3600
Tue May 18 07:58:09 -04 2021 samp_delta = 2400
Tue May 18 07:58:09 -04 2021 https://xxxx/blacklist.txt: feed is up to date
and if I cat the file I see this
add -a d -l r -t 3600 -c threatcloud_ip_block quota service any source range:45.61.138.171 pkt-rate 0
add -a d -l r -t 3600 -c threatcloud_ip_block quota service any source range:45.84.0.127 pkt-rate 0
add -a d -l r -t 3600 -c threatcloud_ip_block quota service any source range:212.109.221.205 pkt-rate 0
add -a d -l r -t 3600 -c threatcloud_ip_block quota service any source range:185.243.214.107 pkt-rate 0
add -a d -l r -t 3600 -c threatcloud_ip_block quota service any source range:104.247.81.52 pkt-rate 0
add -a d -l r -t 3600 -c threatcloud_ip_block quota service any source range:99.83.154.118 pkt-rate 0
add -a d -l r -t 3600 -c threatcloud_ip_block quota service any source range:185.53.177.31 pkt-rate 0
add -a d -l r -t 3600 -c threatcloud_ip_block quota service any source range:185.53.178.30 pkt-rate 0
add -a d -l r -t 3600 -c threatcloud_ip_block quota service any source range:185.53.179.28 pkt-rate 0
which includes the entry I am looking for
Also if I run the command locally, it works
fw samp add -a d -l r -t 3600 -c threatcloud_ip_block quota service any source range:185.53.179.28 pkt-rate 0
fw samp get | grep threatcloud_ip_block | grep 185.53.179.28
operation=add uid=<60a3b4ca,00000000,058ec3a1,000052d4> target=all timeout=3578 action=drop log=log comment=threatcloud_ip_block service=any source=range:185.53.179.28 pkt-rate=0 req_type=quota
Any ideas?
Thanks
This was resolved on a call with TAC and others this morning
The text file on the remote webserver had a space after one of the IP addresses, and this prevents it from working correctly.
Removing the space means that it is working again.
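The root cause above (one trailing space after an address in the published feed file) is the kind of defect that is cheap to catch before the file is pushed to the web server. The following is an added example, not part of the sk103154 script or of any post in this thread: a small Python lint pass over a plain-text feed that reports whitespace, non-address lines and duplicates, returns the cleaned entries, and renders them in the same `add -a d -l r ...` form that the gateway's generated file shows above. The sample feed is constructed; the `range:<first>-<last>` form used for CIDR entries is an assumption based on fw samp range syntax and is not shown on this page.

```python
"""Pre-publication lint for a plain-text IP block feed (added example).

One trailing space after an IP in the remote feed was enough to stop the
gateway from loading the list, so validate the file before publishing it.
"""
import ipaddress

# Constructed sample feed: line 3 carries the trailing space that broke the
# list in the thread, line 5 is not an address at all, line 7 is a network.
SAMPLE_FEED = (
    "45.61.138.171\n"
    "45.84.0.127\n"
    "185.53.179.28 \n"
    "# comment line\n"
    "not-an-ip\n"
    "\n"
    "185.243.214.0/24\n"
)


def parse_entry(token):
    """Normalize a single address or CIDR network; raise ValueError otherwise."""
    try:
        return str(ipaddress.ip_address(token))
    except ValueError:
        pass
    # strict=True rejects networks with host bits set (e.g. 10.0.0.5/24)
    return str(ipaddress.ip_network(token, strict=True))


def lint_feed(text):
    """Return (clean_entries, problems).

    clean_entries: normalized, deduplicated entries in file order.
    problems: list of (line_number, raw_line, reason) that need fixing.
    """
    clean, seen, problems = [], set(), []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw.strip() == "" or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are skipped, not reported
        if raw != raw.strip():
            # the exact defect from the thread: surrounding whitespace
            problems.append((lineno, raw, "leading/trailing whitespace"))
        try:
            entry = parse_entry(raw.strip())
        except ValueError:
            problems.append((lineno, raw, "not an IP address or CIDR network"))
            continue
        if entry in seen:
            problems.append((lineno, raw, "duplicate entry"))
            continue
        seen.add(entry)
        clean.append(entry)
    return clean, problems


def to_samp_rule(entry, timeout=3600, comment="threatcloud_ip_block"):
    """Render one entry in the rule format the gateway's generated file uses.

    Single addresses use range:<ip> exactly as on the page; a CIDR network is
    rendered as range:<first>-<last> (assumed fw samp range syntax).
    """
    net = ipaddress.ip_network(entry, strict=True)
    if net.num_addresses == 1:
        src = f"range:{net.network_address}"
    else:
        src = f"range:{net.network_address}-{net.broadcast_address}"
    return (f"add -a d -l r -t {timeout} -c {comment} quota service any "
            f"source {src} pkt-rate 0")


if __name__ == "__main__":
    entries, issues = lint_feed(SAMPLE_FEED)
    for lineno, raw, reason in issues:
        print(f"line {lineno}: {reason}: {raw!r}")
    print("--- cleaned feed ---")
    print("\n".join(entries))
    print("--- rules the gateway would generate ---")
    for e in entries:
        print(to_samp_rule(e))
```

Run it as a step in whatever job writes `blacklist.txt`: fail the publish if `problems` is non-empty, and write only the cleaned entries. The whitespace check is deliberately separate from the address check so that a line like `185.53.179.28 ` is reported as fixable rather than silently accepted or silently dropped.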
How many samp rules do you have?
Also what version/JHF level?
We have lots.
We run the script to tell the gateways to load the IP lists from the websites, and we list a number of websites. I have not counted how many IP addresses in total, but this used to be working as far as we could tell.
R80.40, JHF102
What version of code are you using? There have been many changes to these DoS tools in the recent releases, including the phasing out of fw samp in favor of fwaccel dos, which you should definitely migrate to if it is available in your release.
Are you including a flush=true argument with each individual fw samp command or at least with the last one in the script sequence? That is required for the fw samp rules to actually take effect. fwaccel dos does the equivalent of flush=true for every command issued by default. Also be aware that by default DoS rules will only be applied to traffic traversing external interfaces unless you specify otherwise.
R80.40
We are using the script from sk103154
I am not aware if it has been updated with the new commands
I would review the script you're using to verify it's using the newer commands as mentioned by @Timothy_Hall.
I believe the syntax is even similar, so it may be possible (with a couple changes) to change over to fwaccel dos.
A search for fwaccel dos leads me to a CLI reference guide that describes this
fwaccel [-i <SecureXL ID>] dos
blacklist <options>
but if I run that command on the gateway I get this
fwaccel dos blacklist -s
The deny list is empty
Note: this command is deprecated (see "fwaccel dos deny").
Hi,
The cache file in fwdir\database\cache.bip contains the last-modified value for each feed; the GW should load a new update every 20 min.
If you have a new IP, the new feed should load in ~20 min.
If this was not the case please open a support ticket with your information.
Thanks
Rachel
I have a ticket open
Thanks for the follow-up, that is a subtle one for sure.