Hello,
R80.40 Take 158
We are beginning to experiment with 'fwaccel dos deny' for blocklists. We can see the dropped logs in the Manage server. They have "Comment: Deny list" and "Feature Name: DOS/Rate Limiting Deny list", but these fields don't seem to be discoverable via the search bar. Is there another way to search for traffic that has been blocked by the deny list?
The relevant fields are not indexed, at least in R80.40.
Possibly they are in R81.10.
In any case, if you're looking for recent drops, you can do something like the following: fw log -n | grep "Deny List"
This will show entries since midnight local time (or since the last logswitch occurred, whichever comes first).
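An added example, not part of the original thread: a shell filter for the `fw log -n` approach above that matches the deny-list text case-insensitively (the question quotes the value as "Deny list") and counts drops per source. It assumes each entry is one line of semicolon-separated `key: value` pairs containing `src: <address>`; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise deny-list drops from `fw log -n` style text on stdin.
# Assumption: every log entry is a single line of semicolon-separated
# "key: value" pairs that includes "src: <address>;". Adjust the sed pattern
# if the output on your gateway is laid out differently.

# Print "<count> <source>" for each source seen in entries that mention the
# deny list, highest count first.
deny_list_sources() {
    grep -i 'deny list' |
        sed -n 's/.*[; ]src: *\([^;]*\);.*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'   # strip the padding uniq -c adds
}

# Constructed sample lines (not real gateway output), using the field text
# quoted in the question.
sample_log() {
    cat <<'EOF'
12Dec2025 10:00:01 drop gw1 <eth1 src: 203.0.113.7; dst: 192.0.2.10; proto: tcp; Comment: Deny list; Feature Name: DOS/Rate Limiting Deny list;
12Dec2025 10:00:02 accept gw1 <eth1 src: 198.51.100.20; dst: 192.0.2.10; proto: tcp; rule: 4;
12Dec2025 10:00:03 drop gw1 <eth1 src: 198.51.100.9; dst: 192.0.2.10; proto: udp; Comment: Deny list; Feature Name: DOS/Rate Limiting Deny list;
12Dec2025 10:00:04 drop gw1 <eth1 src: 203.0.113.7; dst: 192.0.2.11; proto: tcp; Comment: Deny list; Feature Name: DOS/Rate Limiting Deny list;
EOF
}

# Demo on the constructed sample; on a gateway: fw log -n | deny_list_sources
sample_log | deny_list_sources
```
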
hi,
for fwaccel logs, we're filtering for <*,*,*,*>.
This <*,*,*,*> is equivalent to the fwaccel rule ID <62c7ec1c,00000000,61fe040a,0000283e>, so you can filter for those specific IDs and find exactly the DROPs generated by them.
As an example:
The only problem we're facing from a logging point of view is the fact that the rule ID changes with each restart - at/for each fwaccel rule implementation - therefore we have to use <*,*,*,*>.
enjoy,
PS: the <*,*,*,*> was recommended here or in a document, I can't find it right now.
Thank you both for the assist. Unfortunately neither option seemed to provide any resolution. I will check with the support team to see if they have additional suggestions.
I don't think I follow. @PhoneBoy told you that those fields are not indexed, therefore they are not searchable, and I showed you how you can search for specific fwaccel block rules by searching for either <*,*,*,*>, which is equivalent to the fwaccel rule ID <62c7ec1c,00000000,61fe040a,0000283e>, so you can search for that rule ID too.
Searching by fwaccel rule ID will provide logs for that rule only - as you asked, "Is there another way to search for traffic that has been blocked by the deny list?"
ty,
Hello,
I tried the wildcard search you provided and the log search @PhoneBoy suggested and neither returned results, hence my move to TAC. Our logs do not show a rule ID in the comment or any other field, so possibly our setup is unique. Thank you for the suggestions though.
Understood,
You can get the correct IDs with "fwaccel dos rate get" from the GW SSH console.
Also, I would make sure you have your fwaccel deny rules implemented and the log-in enabled for them (red lines).
Just go over sk112454...
```
[Expert@Axxx-FW01:0]# fwaccel dos pbox -m
Penalty box monitor_only: "on"
[Expert@Axxx-FW01:0]# fwaccel dos config get
rate limit: enabled (with policy)
rule cache: enabled
pbox: enabled
deny list: enabled (with policy)
drop frags: disabled
drop opts: disabled
internal: enabled
monitor: disabled
log drops: enabled
log pbox: enabled
notif rate: 100 notifications/second
pbox rate: 500 packets/second
pbox tmo: 180 seconds
[Expert@Axxx-FW01:0]#
```
enjoy,