So, why are SecureXL drop templates not available on SMB? Tech explanation preferred. Thank you.
I suspect it's due to the more limited resources (RAM in particular) on the SMB appliances.
That said, sim dropcfg should be available, which is not quite the same thing, but gives you a way to drop specific traffic more efficiently.
Thank you, Dameon. If I get it right, this command kind of injects drop templates into the SecureXL tables, so the end result is more or less the same.
From my 730:
[Expert@seven-eleven]# sim dropcfg
Usage: sim dropcfg <options>
And SecureXL penalty box mechanism:
[Expert@seven-eleven]# sim erdos
Usage: sim erdos <options>
-h - this help message
-x <0/1> - enforce only on external interfaces
-v <0/1> - enforce on VPN traffic
-m <0/1> - monitor only
-e <0/1> - enable/disable
-t <seconds> - time a host is penalized
-d <violations> - rate of allowed violations per address
-l <0/1> - log when a host is put in the penalty box
-k <0/1> - log dropped packets
-z - zap the statistics
-f <0/1> - enable/disable drop all fragments
-o <0/1> - enable/disable drop all IP options
Thanks for the info, Günther. I have found two related SKs: sk67861 and sk74520.
The latter one was especially nice. I tried to run this command that is mentioned in it:
And guess what... Appliance instantly rebooted
There was this entry in /var/log/messages:
2018 Dec 4 11:41:06 RD6281 user.notice root: [!] Panic detected at , log archived to logs folder
What a surprise, I haven't seen that before in similar cases. So I checked the /logs folder and there was panic-1543916466.zip there. Inside there are two files, dmesg-ramoops-0 and dmesg-ramoops-1, both with the same relevant entries:
<1>Unable to handle kernel paging request at virtual address 20202024
<1>pgd = ec3bd580
<1> *pgd=53dc9003, *pmd=00000000
<0>Internal error: Oops: 206 [#1] SMP ARM
SMB is sometimes such fun to explore....
SecureXL Penalty Box mechanism isn't supported on SMB--listed here:
Check Point R77.20.xx for 600 / 700 / 1100 / 1200R / 1400 / 910 Appliance Features and Known Limitations
I wonder why drop templates would require more memory. I mean, what is significantly different compared to processing accept templates...
We should accept that it is not supported, as I wrote here:
I would also not mess around with NAT Templates... I had spontaneous reboots after enabling the kernel parameter.
Frankly speaking, there is no need to support such features on SMB because, as we all know, it can withstand any [D]DoS thrown at it.
But... why do I have the feeling someone tried to implement it after all, did not succeed and just left it there?! Or just tried to see what would run stock from Gaia and what would not... Hmm, reminds me of the cpview utility that suddenly disappeared as unsupported in early builds.
Anyway, I think for a device that is apparently assigned the task of defending you in all possible ways, support for drop connections is very, very important. After all, how much of the external traffic coming in is 'red'?
This is a small business appliance with a (in comparison) low price tag that gives you a fair level of security. To replace SPLAT Embedded from the Safe@Office, CP has built GAiA Embedded and the WebGUI, trying to have a subset of GAiA / CP SW functionality available on SMB devices. Over the firmware history, you were able to encounter leftovers from crond (now implemented), boot menu diagnostics, cpview, among others, showing decisions in the development process.
I am currently testing my own GeoIP protection based on sim dropcfg. So far, it works nice. No noticeable increase in memory or CPU consumption. I am blocking two regions that I won't mention here; only that the database has 7950 IPs at the moment.
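As an added example (not code from the thread or from Check Point), here is the preprocessing step one would want before feeding a GeoIP list of several thousand addresses into sim dropcfg: parse the export, drop junk lines, and collapse adjacent addresses into the minimal set of CIDR networks so the drop table stays as small as possible, which matters on a RAM-constrained SMB box. The sample export is constructed data. The rendered output format (one `src <cidr>` line per network) is an assumption only; check sk74520 for the file syntax your firmware actually accepts.

```python
"""Prepare a GeoIP address dump for use as SecureXL drop entries.

Added example for the thread above; not Check Point code.
ASSUMPTION: the output line format is illustrative, see sk74520 for the real syntax.
"""
import ipaddress

# Constructed sample: a few lines as a GeoIP export might list them
# (single hosts, CIDRs, a duplicate, a comment and a garbage line).
SAMPLE_GEOIP_EXPORT = """\
# country XX, constructed sample data
198.51.100.0
198.51.100.1
198.51.100.2
198.51.100.3
198.51.100.4
203.0.113.0/25
203.0.113.128/25
192.0.2.10
192.0.2.10
not-an-address
"""


def parse_geoip_export(text):
    """Return (networks, rejected) from a dump with one IP or CIDR per line.

    Comments (#) and blank lines are ignored; unparsable lines are collected
    in `rejected` rather than silently dropped, so bad input is visible.
    """
    networks, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False tolerates host bits set in a CIDR such as 10.0.0.1/24
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(line)
    return networks, rejected


def collapse(networks):
    """Merge overlapping and adjacent IPv4 networks into the minimal CIDR set.

    Four consecutive /32s become one /30, two complementary /25s become a /24,
    duplicates disappear. Fewer entries means fewer drop-table slots.
    """
    v4 = [n for n in networks if n.version == 4]
    return list(ipaddress.collapse_addresses(v4))


def render_dropcfg(networks):
    """Render one entry per network.

    ASSUMPTION: 'src <cidr>' is a placeholder format for this example; the real
    sim dropcfg file syntax must be taken from sk74520 for your firmware.
    """
    return "\n".join(f"src {n.with_prefixlen}" for n in networks) + "\n"


def summarize(text):
    """Return (entries_before, entries_after, rejected_count) for a dump."""
    nets, rejected = parse_geoip_export(text)
    return len(nets), len(collapse(nets)), len(rejected)


if __name__ == "__main__":
    before, after, bad = summarize(SAMPLE_GEOIP_EXPORT)
    print(f"{before} entries parsed, {after} after collapsing, {bad} rejected")
    print(render_dropcfg(collapse(parse_geoip_export(SAMPLE_GEOIP_EXPORT)[0])), end="")
```

Run it against your real export instead of the constructed sample to see how many of the 7950 entries survive aggregation; the collapsed count is the number that actually occupies space in the drop table.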