fwaccel does not seem to be running on R81
Hi Team,
It looks like the fwaccel dos rate cidr rules do not seem to be running on the firewall. I guess I configured those correctly, but I still see traffic being passed. Am I missing anything here?
Here is the rule
operation=add uid=<5feea76f,00000000,8805a8c0,000036f4> target=all timeout=1309 action=drop log=regular comment=isnti-threat-intel-block service=any source=cidr:30.40.50.0/24 pkt-rate=0
# fwaccel dos config get
rate limit: enabled (with policy)
rule cache: enabled
pbox: enabled
deny list: enabled (with policy)
drop frags: disabled
drop opts: disabled
internal: disabled
monitor: disabled
log drops: enabled
log pbox: enabled
notif rate: 100 notifications/second
pbox rate: 500 packets/second
pbox tmo: 180 seconds
So my source here is 30.40.50.104, and I am trying to reach 192.168.5.129, which is behind the 100.101.102.136 FW R81.
Blason R
CCSA,CCSE,CCCS
Is it working if you add a rule explicitly for 30.40.50.104?
Yes, it does with a deny rule but not with a dos rate rule.
operation=add uid=<5feed217,00000000,8805a8c0,00007b70> target=all timeout=469 action=drop log=regular comment=Test service=any source=range:30.40.50.104 pkt-rate=0
Blason R
CCSA,CCSE,CCCS
Looking at the output of "fwaccel dos config get", I see that enforcement for internal interfaces is disabled (which is the default behavior).
Is it possible that the traffic from 30.40.50.0/24 is arriving at an internal interface? sk112454 has details on this: look for the paragraph titled "Enable Enforcement for Internal Interfaces".
Also, I see your rule is configured to have a timeout. Note that the timeout is in seconds.
This is not the case for sure. I confirmed that the traffic is coming through the external network. And yes, I even tried enabling the flag --enable-internal-network; however, even after that the traffic was not getting blocked.
Is this a bug?
Blason R
CCSA,CCSE,CCCS
Assuming your rule UID is "<5feea76f,00000000,8805a8c0,000036f4>", does fwaccel dos rate counters "<5feea76f,00000000,8805a8c0,000036f4>" return any data?
If not, then what happens if you try to run the command fwaccel_dos_rate_install in expert mode?
It seems like you created the rule using "fwaccel dos rate add". If you used "fw samp" to create the rule, then the problem may be that you need to perform a "flush true".
For reference, here's what I see when I create a similar rule (using fwaccel dos rate add) and then do watch -n .1 'fwaccel dos rate counters "<5ff335d1,00000000,335016ac,0000723b>"':
==================================================
Rule UID: <5ff335d1,00000000,335016ac,0000723b>
Policy: 2
FW Index: -1
SecureXL Index: 1
Timeout: unlimited
Max Concurrent Connections: unlimited
New Connection Rate: unlimited
Packet Rate: 0
Byte Rate: unlimited
Max Concurrent Connections Ratio: unlimited
New Connection Rate Ratio: unlimited
Packet Rate Ratio: unlimited
Byte Rate Ratio: unlimited
Action: drop
Log Type: regular
Concurrent Connections: 0
Connection Rate: 0
Packets: 5
Bytes: 490
Violated Limits: packets-per-second
==================================================
The "violated limits" line item should indicate that the rule is being violated, but only while packets are being sent from the blocked host.
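To make the checks suggested in this thread repeatable, here is an added helper (not Check Point's code and not from any poster) that parses the text of `fwaccel dos config get`, a `fwaccel dos rate add` rule line and a `fwaccel dos rate counters` block, then reports the conditions raised above: internal-interface enforcement disabled, a rule timeout in seconds, and whether the counters show the rule matching traffic. The sample inputs are constructed from what is quoted in the thread; treating an empty or missing "Violated Limits" value as "no violation" is an assumption, since the thread only shows the output while packets are being dropped.

```python
import re
from typing import Dict, List

# Constructed sample input: the `fwaccel dos config get` output quoted in the thread.
CONFIG_OUTPUT = """\
rate limit: enabled (with policy)
rule cache: enabled
pbox: enabled
deny list: enabled (with policy)
drop frags: disabled
drop opts: disabled
internal: disabled
monitor: disabled
log drops: enabled
log pbox: enabled
notif rate: 100 notifications/second
pbox rate: 500 packets/second
pbox tmo: 180 seconds
"""

# Constructed sample input: the rule line quoted in the thread.
RULE_LINE = ("operation=add uid=<5feea76f,00000000,8805a8c0,000036f4> target=all "
             "timeout=1309 action=drop log=regular comment=isnti-threat-intel-block "
             "service=any source=cidr:30.40.50.0/24 pkt-rate=0")

# Constructed sample input: a `fwaccel dos rate counters` block like the one above.
COUNTERS_OUTPUT = """\
==================================================
Rule UID: <5ff335d1,00000000,335016ac,0000723b>
Policy: 2
FW Index: -1
SecureXL Index: 1
Timeout: unlimited
Packet Rate: 0
Action: drop
Log Type: regular
Packets: 5
Bytes: 490
Violated Limits: packets-per-second
==================================================
"""


def parse_kv_block(text: str) -> Dict[str, str]:
    """Turn 'key: value' lines into a dict; separator lines (====) carry no ':' and are skipped."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)   # split once: the UID value holds commas, not colons
        out[key.strip()] = value.strip()
    return out


def parse_rule_line(line: str) -> Dict[str, str]:
    """Parse a 'key=value key=value' rule line; the uid keeps its angle brackets."""
    return dict(re.findall(r"([\w-]+)=(\S+)", line))


def rule_is_enforcing(counters: Dict[str, str]) -> bool:
    """True when the counters block reports a violated limit (assumption: empty means none)."""
    return bool(counters.get("Violated Limits", "").strip())


def diagnose(config: Dict[str, str], rule: Dict[str, str], counters: Dict[str, str]) -> List[str]:
    """Return the findings a reader of this thread would check first."""
    findings: List[str] = []
    if config.get("rate limit", "").startswith("disabled"):
        findings.append("rate limit is disabled: rate rules are not enforced at all")
    if config.get("internal") == "disabled":
        findings.append("internal: disabled (default), so traffic entering on an internal "
                        "interface is not enforced; see the sk112454 paragraph on internal interfaces")
    timeout = rule.get("timeout", "")
    if timeout.isdigit():
        findings.append(f"timeout={timeout} is in seconds; the rule disappears after that")
    if rule.get("pkt-rate") == "0":
        findings.append("pkt-rate=0: every packet from the source exceeds the limit, "
                        "so the action applies to all of them")
    if rule_is_enforcing(counters):
        findings.append(f"counters show the rule matching traffic "
                        f"(Violated Limits: {counters['Violated Limits']})")
    else:
        findings.append("counters show no violated limit: the rule is not seeing the traffic")
    return findings


if __name__ == "__main__":
    cfg = parse_kv_block(CONFIG_OUTPUT)
    rule = parse_rule_line(RULE_LINE)
    ctr = parse_kv_block(COUNTERS_OUTPUT)
    for finding in diagnose(cfg, rule, ctr):
        print("-", finding)
```

On a gateway you would feed the helper the real command output (for example by piping `fwaccel dos rate counters "<uid>"` into a file and reading it); the parsing does not depend on the sample values, only on the `key: value` and `key=value` layouts shown in the thread.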
Well, @Eric_Dale, this only happens with fwaccel dos, and I am trying to achieve this for networks since I am already using fwaccel dos deny for hosts.
Blason R
CCSA,CCSE,CCCS
Let me try with counters and keep you posted.
Blason R
CCSA,CCSE,CCCS