This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Chris_75
Participant
‎2024-02-13 02:07 AM
Jump to solution

fwaccel6 dos rate command - IPv6

Hello,

In order to protect ourself from DOS traffic towards our DNS servers, we try to install command similar to the following on our checkpoint security gateway.

 

Security gateway cluster, R81.20.

 

fwaccel6 dos rate add -l a -a d -n "DNSintProtectRateIPv6" destination range:xyz1:620:40z:2:0:0:0:110-xyz1:620:40z:2:0:0:0:111 service 17/53 new-conn-rate 250 track source
ERROR: address is too long
ERROR: invalid begin
ERROR: Bad destination 'range:xyz1:620:40z:2:0:0:0:110-xyz1:620:40z:2:0:0:0:111'

 

We tried with various IPv6 notation, short notation, fully expanded notation, same result.

We tried also with the destination as cidr, with or without mask, same result.

In the documentation and in the forum we could not find examples with the correct notation.

Can we use this command for IPv6? Do you have anexample of a correct syntax for the IPv6 address? 

 

Thanks for you 

Christophe

 

 

0 Kudos
1 Solution

Accepted Solutions
Chris_75
Participant
‎2024-02-28 02:19 AM
In response to _Val_
Jump to solution

I could open a ticket, it looks like we need to put bracket for the ipv6 address, like:

Clish> fwaccel6 dos rate add -a d -l a destination range:[1:620:40:2:0:0:0:110]-[1:620:40:2:0:0:0:111] service 17/53 new-conn-rate 250 track source

It worked for me.

Thx

View solution in original post

0 Kudos
4 Replies
_Val_
Admin
Admin
‎2024-02-13 02:58 AM
Jump to solution

It is supposed to be a single IP for destination, not range. Please try adding two IP addresses consecutively with two different commands

0 Kudos
Chris_75
Participant
‎2024-02-13 06:40 AM
In response to _Val_
Jump to solution

Hi, thx for the suggestion.

Seems to behave in the same way, see below:

ngf01:mplane> fwaccel6 dos rate add -l a -a d destination range:xyz1:620:40z:2:0:0:0:110 service 17/53 new-conn-rate 250 track source
ERROR: address is too long
ERROR: invalid begin
ERROR: Bad destination 'range:xyz1:620:40z:2:0:0:0:110'
ngf01:mplane> fwaccel6 dos rate add -l a -a d destination range:xyz1:620:40z:2::110 service 17/53 new-conn-rate 250 track source
ERROR: address is too long
ERROR: invalid begin
ERROR: Bad destination 'range:xyz1:620:40z:2::110'
ngf01:mplane> fwaccel6 dos rate add -l a -a d destination cidr:xyz1:620:40z:2::110 service 17/53 new-conn-rate 250 track source
ERROR: address is too long
ERROR: invalid net
ERROR: Bad destination 'cidr:xyz1:620:40z:2::110'
ngf01:mplane>

0 Kudos
_Val_
Admin
Admin
‎2024-02-14 02:46 AM
In response to Chris_75
Jump to solution

Should be "fwaccel6 dos rate add -l a -a d destination xyz1:620:40z:2:0:0:0:110 service 17/53 new-conn-rate 250 track source"

Please stick to the documented syntax.

0 Kudos
Chris_75
Participant
‎2024-02-28 02:19 AM
In response to _Val_
Jump to solution

I could open a ticket, it looks like we need to put bracket for the ipv6 address, like:

Clish> fwaccel6 dos rate add -a d -l a destination range:[1:620:40:2:0:0:0:110]-[1:620:40:2:0:0:0:111] service 17/53 new-conn-rate 250 track source

It worked for me.

Thx

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events