F2F Quota (asg f2fq, fwaccel f2fq stats)

Use these commands to show details of an F2F (Forward to Firewall) DDoS flood attack, and how the protection works to mitigate it. F2F detects traffic floods and intelligently prevents performance degradation on the 61000/41000 Security System. It assigns a high priority to known, important packets from Performance Pack and drops those suspected of being part of a DDoS attack.

Two examples of known F2F flood attacks are UDP floods and fragmentation attacks. These attacks cause excessive resource allocation when they try to put the packet fragments together.

Syntax

fwaccel f2fq stats [-v]
asg f2fq [-b <sgm_ids>] [-6 | -4]

Parameter       Description

-v              Shows detailed (verbose) statistics.

-b <sgm_ids>    Works with SGMs and/or Chassis as specified by <sgm_ids>.
                The <sgm_ids> can be:

                  • No <sgm_ids> specified, or all: shows all SGMs and Chassis
                  • One SGM
                  • A comma-separated list of SGMs (1_1,1_4)
                  • A range of SGMs (1_1-1_4)
                  • One Chassis (Chassis1 or Chassis2)
                  • The active Chassis (chassis_active)

-6              Shows the IPv6 status only.

-4              Shows the IPv4 status only.

Example - fwaccel f2fq stats

This example shows details of activity for all Firewall instances.

> fwaccel f2fq stats -v
+---------------------------------------------------------------------------+
| DDOS Mitigation                                                           |
+---------------------------------------------------------------------------+
| Mode:                                                           Enforcing |
| Status                                                             Normal |
| Last 10 seconds drops                                               13146 |
+---------------------------------------------------------------------------+
| Instance | Reason                     | Drops / Hits                      |
+---------------------------------------------------------------------------+
| FW  0    | CONN_MISS_TCP_SYN          |           103365 / 104629         |
+---------------------------------------------------------------------------+
| FW  1    | FRAG                       |             6232 / 13816          |
|          | CONN_MISS_TCP_SYN          |           101096 / 102203         |
|          | CONN_MISS_TCP_OTHER        |            13146 / 14359          |
+---------------------------------------------------------------------------+
| FW  2    | FRAG                       |             1339 / 1339           |
|          | CONN_MISS_TCP_SYN          |           101087 / 102143         |
+---------------------------------------------------------------------------+
| All      | FRAG                       |             7571 / 15155          |
|          | CONN_MISS_TCP_SYN          |           305548 / 308975         |
|          | CONN_MISS_TCP_OTHER        |            13146 / 14359          |
+---------------------------------------------------------------------------+

The output shows this information:

Item                     Description

Last 10 seconds drops    The number of dropped packets during the last 10 seconds.

Instance                 The verbose output shows a historical aggregate of the results, for each Firewall instance.

Drops / Hits             The number of dropped packets out of the total number of packets, grouped by the attack type.
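
Added example (not part of the original page and not Check Point code): the script below parses the verbose table shown above into one line per instance and reason with a drop percentage, and checks that each All row equals the sum of the per-instance rows. The function names and the embedded sample input are assumptions, and the parser assumes the column layout of the example output on this page.

```shell
#!/bin/sh
# Added example: per-instance drop ratios from `fwaccel f2fq stats -v` output.
# On a gateway (assumed usage): fwaccel f2fq stats -v | f2fq_rows

# Constructed sample input: table rows copied from the example output on this page.
sample_f2fq_stats() {
cat <<'EOF'
| Instance | Reason                     | Drops / Hits                      |
+---------------------------------------------------------------------------+
| FW  0    | CONN_MISS_TCP_SYN          |           103365 / 104629         |
+---------------------------------------------------------------------------+
| FW  1    | FRAG                       |             6232 / 13816          |
|          | CONN_MISS_TCP_SYN          |           101096 / 102203         |
|          | CONN_MISS_TCP_OTHER        |            13146 / 14359          |
+---------------------------------------------------------------------------+
| FW  2    | FRAG                       |             1339 / 1339           |
|          | CONN_MISS_TCP_SYN          |           101087 / 102143         |
+---------------------------------------------------------------------------+
| All      | FRAG                       |             7571 / 15155          |
|          | CONN_MISS_TCP_SYN          |           305548 / 308975         |
|          | CONN_MISS_TCP_OTHER        |            13146 / 14359          |
+---------------------------------------------------------------------------+
EOF
}

# Print one line per data row: instance reason drops hits drop_percent
f2fq_rows() {
  awk -F'|' '
    NF >= 5 && $4 ~ /[0-9]+ *\/ *[0-9]+/ {
      inst = $2; gsub(/ /, "", inst)      # "FW  0" becomes "FW0"
      if (inst != "") cur = inst          # blank cell: row continues previous instance
      reason = $3; gsub(/ /, "", reason)
      split($4, n, "/"); drops = n[1] + 0; hits = n[2] + 0
      print cur, reason, drops, hits, (hits ? int(drops * 100 / hits) : 0)
    }'
}

# Check that each "All" row equals the sum of the per-instance rows for that
# reason. Prints "ok", or "mismatch:" and the reasons that do not add up
# (for example when the captured output was truncated).
f2fq_totals_check() {
  f2fq_rows | awk '
    $1 == "All" { td[$2] = $3; th[$2] = $4; next }
    { sd[$2] += $3; sh[$2] += $4 }
    END {
      for (r in td) if (td[r] != sd[r] || th[r] != sh[r]) bad = bad " " r
      print (bad == "" ? "ok" : "mismatch:" bad)
    }'
}
```

A drop percentage close to 100 for a reason means nearly every packet counted under that reason was dropped, which is the case for the FRAG row of FW 2 in the sample.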

Example - asg f2fq

This output shows how the protection mitigates the DDoS attack, per SGM.

> asg f2fq
+-------------------------------------------------------------------------+
| DDOS Mitigation                                                         |
+-------------------------------------------------------------------------+
| Blade    | Protocol | Config     | Status        | Last 10 sec drops    |
+-------------------------------------------------------------------------+
| 1_01 (!) | IPv4     | Enforcing  | Under Attack  | 151130               |
| 1_01     | IPv6     | Enforcing  | Normal        | 0                    |
| 1_02     | IPv4     | Enforcing  | Normal        | 0                    |
| 1_02     | IPv6     | Enforcing  | Normal        | 0                    |
| 1_03     | IPv4     | Enforcing  | Normal        | 0                    |
| 1_03     | IPv6     | Enforcing  | Normal        | 0                    |
| 1_04     | IPv4     | Enforcing  | Normal        | 0                    |
| 1_04     | IPv6     | Enforcing  | Normal        | 0                    |
+-------------------------------------------------------------------------+

©2014 Check Point Software Technologies Ltd. All rights reserved.