This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Lithin_Mathew
Contributor
‎2020-09-24 12:15 AM

Monitor-Only Mode in Rate Limiting for DDOS Prevention

We are currently planning to deploy DDOS Mitigation on our Checkpoint firewall using the below commands as per the SK: "fw samp" and "fwaccel dos" We are planning to apply it on our external interface for all the traffic coming from the internet. Currently the gateway is running R80.30 take 196

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

We need to know what are the parameters we need to make sure before deploying this in our production environment, as this should not impact our production traffic.

So First we will be deploying the Monitor-Only mode to understand the traffic patterns and make sure we are not blocking Genuine traffic, using the below command:

# Enable monitor-only mode

[Expert@HostName:0]# fwaccel dos config set --enable-monitor

Could you anyone provide the parameters Checkpoint would be using in Monitor Mode to detect if the traffic is a DOS traffic or not.

Because while creating the fw samp rule we are setting the parameters manually but in monitor mode there is no option to set the parameters, like below:

  • Add a rule with action=drop, log=record, service/protocol=any source IP=192.168.2.101, maximum packets-per-second=1000:

[Expert@HostName:0]# fw samp add -a d -l r quota service any source cidr:192.168.2.0/24 pkt-rate 1000 flush true

 

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2020-09-26 02:12 PM

My understanding is that monitor mode uses the rules you define but instead of dropping when they trigger, they are allowed but logged.
What precisely happens when you try to define rules like you describe in monitor mode?

0 Kudos
Lithin_Mathew
Contributor
‎2020-09-27 05:07 AM
In response to PhoneBoy

Hi @PhoneBoy , 

I have not yet tested this in my environment, because I am not sure about the impact it would have on the production traffic.

I was under the impression that if I create a Rate limiting policy with the "fw samp" command like below, Rate limiting would be activated on the checkpoint and it would  drop all the traffic that matched the below criteria, correct me if I am wrong.  

[Expert@HostName:0]# fw samp add -a d -l r quota service any source cidr:192.168.2.0/24 pkt-rate 1000 flush true

[Expert@HostName:0]# fw samp add quota flush true

Or should I run the below command to prevent the Rate limiting from taking effect:

# Disable rate limiting policy rules

[Expert@HostName:0]# fwaccel dos config set --disable-rate-limit

 

 

 

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-09-27 12:25 PM
In response to Lithin_Mathew

Assuming you enable monitor mode first, rate limiting will be "activated" but won't actually impact traffic.
You’ll just see logs of what would happen.

Lithin_Mathew
Contributor
‎2020-09-27 07:21 PM
In response to PhoneBoy

Got it @PhoneBoy , so I hope below are required steps I need to follow:

# Enable monitor-only mode

[Expert@HostName:0]# fwaccel dos config set --enable-monitor

# Enable logging

[Expert@HostName:0]# fwaccel dos config set --enable-log-drops

#Add a rule with action=drop, log=record, service/protocol=any source IP=192.168.2.101, maximum packets-per-second=1000

[Expert@HostName:0]# fw samp add -a d -l r quota service any source cidr:192.168.2.0/24 pkt-rate 1000 flush true

#Confirm the rule is in place

[Expert@HostName:0]# fw samp get

#Saving and Applying Changes to Policy Rules

[Expert@HostName:0]# fw samp add quota flush true

#Statistics and Monitoring

[Expert@HostName:0]# fwaccel dos stats get

After verifying the logs, when the DOS policy needs to be implemented :

# Disable monitor-only mode (this is the default)

[Expert@HostName:0]# fwaccel dos config set --disable-monitor

# Enable rate limiting policy rules (this is the default)

[Expert@HostName:0]# fwaccel dos config set --enable-rate-limit

 

Kindly confirm if the above steps are correct or is there anything I missed.

Also as per the SK in Applying changes section there is a point, "So, at reboot, either all the rules are installed, or no rules are installed (if no flush command was found)", what is a "no flush command" and where would it be used.

0 Kudos
Lithin_Mathew
Contributor
‎2020-09-29 08:22 AM
In response to Lithin_Mathew

Hi @PhoneBoy,

Could you confirm if the above mentioned steps are right, it would be greatly helpful.

Thanks in advance.

 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-09-29 08:30 AM
In response to Lithin_Mathew

Steps look correct to me.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events