LazarusG
Contributor

penalty box on internal interfaces query

Hi

sk112241 and sk111881 both say:

"Rate Limiting rules for DoS Mitigation are defined to prevent External-to-Internal traffic. These rules will not enforce Internal-to-External or Internal-to-Internal connections."

and to run:

fwaccel dos config set --enable-internal

To change this as defined by topology.

Can I just confirm does this apply to the pbox feature too?

Thanks!


Accepted Solutions
Timothy_Hall
Legend

Yes, the --enable-internal option applies to all of SecureXL's DoS functions including the Penalty Box. However, there are two things to be aware of when setting this option:

1) A corner case to be aware of when enabling the SecureXL penalty box involves selective synchronization of services in a ClusterXL cluster. Suppose the penalty box is configured with the default values on all members of the cluster, and TCP port 443 connections are NOT currently being synchronized between the cluster members to reduce sync interface traffic. When a failover occurs, huge amounts of TCP port 443 packets from the existing connections at the time of failover will be dropped as "out of state" by the newly-active gateway. In this case, if more than 500 drops occur from an IP address within one second, that system will be penalty-boxed and no longer be able to send or receive traffic through the firewall for 3 minutes by default. This is a particular issue with Content Delivery Networks (CDNs) employed by popular websites on the Internet, and can also impact your critical internal servers with --enable-internal set.

2) The Penalty Box does have an allow list (whitelist) option via fwaccel dos allow; consider adding your critical internal server subnets proactively to avoid them getting accidentally penalty boxed, which will cause major problems.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

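As an added illustration (not code from this thread, and not Check Point's implementation), a small Python model of the behaviour described in the accepted answer: a per-source counter of drops within a one-second window, the 3-minute box once it exceeds 500, the internal/external scope controlled by --enable-internal, and the allow list. The class, its method names and the addresses used in it are assumptions.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed model of the penalty-box behaviour described in the thread.
# The 500 drops/second and 3-minute defaults come from the post; the class,
# its logic and the addresses used with it are assumptions, not Check Point code.
DROP_THRESHOLD = 500
WINDOW_SECONDS = 1.0
BOX_SECONDS = 180.0

class PenaltyBoxModel:
    def __init__(self, internal_nets, enable_internal=False, allow_list=()):
        self.internal_nets = [ip_network(n) for n in internal_nets]
        self.enable_internal = enable_internal  # models --enable-internal
        self.allow_list = [ip_network(n) for n in allow_list]  # models fwaccel dos allow
        self.drops = defaultdict(deque)  # source -> timestamps of recent drops
        self.boxed_until = {}            # source -> time the penalty expires

    @staticmethod
    def _matches(src, nets):
        addr = ip_address(src)
        return any(addr in net for net in nets)

    def record_drop(self, src, now):
        """Count one dropped packet from src at time now; True if src is boxed."""
        if self._matches(src, self.allow_list):
            return False  # allow-listed sources are never boxed
        if not self.enable_internal and self._matches(src, self.internal_nets):
            return False  # internal sources are exempt unless --enable-internal is set
        window = self.drops[src]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()  # keep only drops from the last second
        if len(window) > DROP_THRESHOLD:
            self.boxed_until[src] = now + BOX_SECONDS
            return True
        return False

    def is_boxed(self, src, now):
        return self.boxed_until.get(src, float("-inf")) > now

def simulate_failover(model, src, start=0.0, packets=600):
    """Replay the failover burst: packets on non-synchronised connections from
    src hit the newly-active member and are dropped as out-of-state within one
    second. Returns whether src ended up in the penalty box afterwards."""
    for i in range(packets):
        model.record_drop(src, start + i / packets)
    return model.is_boxed(src, start + 1.0)
```

simulate_failover replays the post-failover burst of out-of-state drops: with the default scope only the external source is boxed, an internal server is boxed only once --enable-internal is modelled as set, and an allow-listed subnet is never boxed.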
3 Replies
PhoneBoy
Admin

Believe so, yes.

LazarusG
Contributor

Thank you.
