F2F Quota (asg f2fq, fwaccel f2fq stats)
Use these commands to show details of an F2F (Forward to Firewall) DDoS flood attack and how the protection works to mitigate it. F2F detects traffic floods and prevents performance degradation on the 61000/41000 Security System. It gives known, important packets from Performance Pack a high priority and drops packets suspected of being part of a DDoS attack.
Two examples of known F2F flood attacks are UDP floods and fragmentation attacks. These attacks cause excessive resource allocation, for example when the firewall tries to reassemble the packet fragments.
Syntax
fwaccel f2fq stats [-v]
asg f2fq [-b <sgm_ids> ] [-6 | -4]
Parameter      Description
-v             Shows detailed (verbose) statistics.
-b <sgm_ids>   Works with SGMs and/or Chassis as specified by <sgm_ids>.
               The <sgm_ids> can be:
               - No <sgm_ids> specified, or all: shows all SGMs and Chassis
               - One SGM
               - A comma-separated list of SGMs (1_1,1_4)
               - A range of SGMs (1_1-1_4)
               - One Chassis (Chassis1 or Chassis2)
               - The active Chassis (chassis_active)
-6             Shows the IPv6 status only.
-4             Shows the IPv4 status only.
Example - fwaccel f2fq stats
This example shows details of activity for all Firewall instances.
> fwaccel f2fq stats -v
+---------------------------------------------------------------------------+
| DDOS Mitigation |
+---------------------------------------------------------------------------+
| Mode: Enforcing |
| Status Normal |
| Last 10 seconds drops 13146 |
+---------------------------------------------------------------------------+
| Instance | Reason | Drops / Hits |
+---------------------------------------------------------------------------+
| FW 0 | CONN_MISS_TCP_SYN | 103365 / 104629 |
+---------------------------------------------------------------------------+
| FW 1 | FRAG | 6232 / 13816 |
| | CONN_MISS_TCP_SYN | 101096 / 102203 |
| | CONN_MISS_TCP_OTHER | 13146 / 14359 |
+---------------------------------------------------------------------------+
| FW 2 | FRAG | 1339 / 1339 |
| | CONN_MISS_TCP_SYN | 101087 / 102143 |
+---------------------------------------------------------------------------+
| All | FRAG | 7571 / 15155 |
| | CONN_MISS_TCP_SYN | 305548 / 308975 |
| | CONN_MISS_TCP_OTHER | 13146 / 14359 |
+---------------------------------------------------------------------------+
The output shows this information:
Item                   Description
Last 10 seconds drops  The number of dropped packets during the last 10 seconds.
Instance               The verbose output shows a historical aggregate of the results for each Firewall instance.
Drops / Hits           The number of dropped packets out of the total number of packets, grouped by the attack type.
Example - asg f2fq
This output shows how the protection mitigates the DDoS attack, per SGM.
> asg f2fq
+-------------------------------------------------------------------------+
| DDOS Mitigation |
+-------------------------------------------------------------------------+
| Blade | Protocol | Config | Status | Last 10 sec drops |
+-------------------------------------------------------------------------+
| 1_01 (!) | IPv4 | Enforcing | Under Attack | 151130 |
| 1_01 | IPv6 | Enforcing | Normal | 0 |
| 1_02 | IPv4 | Enforcing | Normal | 0 |
| 1_02 | IPv6 | Enforcing | Normal | 0 |
| 1_03 | IPv4 | Enforcing | Normal | 0 |
| 1_03 | IPv6 | Enforcing | Normal | 0 |
| 1_04 | IPv4 | Enforcing | Normal | 0 |
| 1_04 | IPv6 | Enforcing | Normal | 0 |
+-------------------------------------------------------------------------+
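As an added example (not Check Point's code), a small Python parser for the two outputs shown above, of the kind a monitoring script would run over saved `fwaccel f2fq stats -v` and `asg f2fq` output: it turns the per-instance Drops / Hits cells into drop ratios and lists the SGMs whose Status is not Normal. The sample text is constructed from the examples on this page, and the regular expressions assume the single-space column layout shown here.

```python
import re

# Row of the per-instance table in 'fwaccel f2fq stats -v'; an empty Instance
# cell means the row continues the previous instance.
STATS_ROW = re.compile(
    r"^\|\s*(?P<inst>[^|]*?)\s*\|\s*(?P<reason>[A-Z][A-Z_]+)\s*\|"
    r"\s*(?P<drops>\d+)\s*/\s*(?P<hits>\d+)\s*\|")
# Row of 'asg f2fq'; the optional '(!)' is the marker the tool puts on a flagged SGM.
SGM_ROW = re.compile(
    r"^\|\s*(?P<sgm>\d+_\d+)\s*(?:\(!\))?\s*\|\s*(?P<proto>IPv[46])\s*\|"
    r"\s*(?P<config>\w+)\s*\|\s*(?P<status>[^|]+?)\s*\|\s*(?P<drops>\d+)\s*\|")

def parse_f2fq_stats(text):
    """Return {instance: {reason: (drops, hits)}} from verbose F2F quota output."""
    stats, current = {}, None
    for line in text.splitlines():
        m = STATS_ROW.match(line)
        if not m:
            continue  # borders, the header row and the Mode/Status/drops lines
        current = m["inst"] or current
        if current:
            stats.setdefault(current, {})[m["reason"]] = (int(m["drops"]), int(m["hits"]))
    return stats

def drop_ratios(stats, instance):
    """Fraction of hits dropped per reason; a sudden rise here is what to alert on."""
    return {r: d / h for r, (d, h) in stats[instance].items() if h}

def sgms_under_attack(text):
    """(sgm, protocol, last-10-second drops) for every 'asg f2fq' row whose Status is not Normal."""
    rows = (SGM_ROW.match(line) for line in text.splitlines())
    return [(m["sgm"], m["proto"], int(m["drops"])) for m in rows if m and m["status"] != "Normal"]

# Constructed samples, cut down from the two outputs shown above.
SAMPLE_STATS = """\
| Instance | Reason | Drops / Hits |
| FW 0 | CONN_MISS_TCP_SYN | 103365 / 104629 |
| FW 1 | FRAG | 6232 / 13816 |
| | CONN_MISS_TCP_SYN | 101096 / 102203 |
| | CONN_MISS_TCP_OTHER | 13146 / 14359 |
"""
SAMPLE_ASG = """\
| Blade | Protocol | Config | Status | Last 10 sec drops |
| 1_01 (!) | IPv4 | Enforcing | Under Attack | 151130 |
| 1_01 | IPv6 | Enforcing | Normal | 0 |
| 1_02 | IPv4 | Enforcing | Normal | 0 |
"""
```

Running `drop_ratios(parse_f2fq_stats(SAMPLE_STATS), "FW 1")` gives about 0.45 for FRAG against 0.99 for the connection-miss reasons, and `sgms_under_attack(SAMPLE_ASG)` returns only the IPv4 row of SGM 1_01.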