
fw sam

Description

Manage the Suspicious Activity Monitoring (SAM) server. Use the SAM server to block connections to and from IP addresses without changing the Security Policy. For more information, see sk112061.

SAM commands are logged. The same command also monitors active SAM requests (see the -M option).

To configure the SAM server on the Security Management server or Security Gateway, use SmartDashboard to edit the Advanced > SAM page of the Check Point Security Gateway object.

Syntax

Add/Cancel SAM rule according to criteria:

> fw sam [-v][-s <sam server>][-S <server sic name>][-f <fw host>][-t <timeout>][-l <log>][-C] -{n|i|I|j|J} <Criteria>

Delete all SAM rules:

> fw sam [-v][-s <sam server>][-S <server sic name>][-f <fw host>] -D

Monitor all SAM rules:

> fw sam [-v][-s <sam server>][-S <server sic name>][-f <fw host>] -M -{i|j|n} all

Monitor SAM rules according to criteria:

> fw sam [-v][-s <sam server>][-S <server sic name>][-f <fw host>] -M -{i|j|n} <Criteria>

Syntax

Parameter

Description

-v

Verbose mode. Writes one message (describing whether the command was successful or not) to stderr for each Security Gateway machine on which the command is enforced.

-s <sam_server>

The IP address (in dot format) or the resolvable name of the FireWalled host that will enforce the command. The default is localhost.

-S <server_sic_name>

The SIC name of the SAM server to be contacted. The SAM server is expected to have this SIC name; otherwise the connection fails. If no server SIC name is supplied, the connection proceeds without comparing SIC names. For more information about enabling SIC, refer to the OPSEC API Specification.

-f <fw host>

Specify the host (the Security Gateway machine) on which to enforce the action.

host can be one of the following (default is All):

  • localhost—Enforce the action on the computer running the SAM server.
  • The name of an object or group—the action is enforced on this object; if the object is a group, on every object in the group.
  • Gateways—Enforce the action on FireWalls defined as gateways and managed by the Security Management server where the SAM server runs.
  • All—Enforce the action on all FireWalls managed by the SmartCenter server where the SAM server runs.

-D

Cancel all inhibit (-i, -j, -I, -J) and notify (-n) commands.
To "uninhibit" inhibited connections, execute fw sam with the -C or -D parameters. It is also possible to use this command for active SAM requests.

-C

Cancel the command to inhibit connections with the specified parameters. These connections will no longer be inhibited (rejected or dropped). The command parameters must match the ones in the original command, except for the -t (timeout) parameter.

-t <timeout>

The time period (in seconds) for which the action will be enforced. The default is forever or until cancelled.

-l <log>

The type of the log for enforced actions can be one of the following: nolog, long_noalert, long_alert. The default is long_alert.

-n

Notify: generate a long-format log entry and an alert when connections that match the specified services or IP addresses pass through the FireWall. This action does not inhibit or close connections.

-i

Inhibit (do not allow) new connections with the specified parameters. Each inhibited connection is logged according to log type. Matching connections will be rejected.

-I

Inhibit new connections with the specified parameters, and close all existing connections with the specified parameters. Each inhibited connection is logged according to the log type. Matching connections will be rejected.

-j

Inhibit new connections with the specified parameters. Each inhibited connection is logged according to the log type. Connections will be dropped.

-J

Inhibit new connections with the specified parameters, and close all existing connections with the specified parameters. Each inhibited connection is logged according to the log type. Connections will be dropped.

-M

Monitor the active SAM requests with the specified actions and criteria.

all

Get all active requests. For monitoring purposes only.

Usage

Criteria are used to match connections, and are composed of various combinations of the following parameters:

<source ip> <source netmask> <destination ip> <destination netmask> <service> <protocol>

Possible combinations are:

src <ip>

dst <ip>

any <ip>

subsrc <ip><netmask>

subdst <ip><netmask>

subany <ip><netmask>

srv <src ip><dest ip><service><protocol>

subsrv <src ip> <src netmask> <dest ip> <dest netmask> <service> <protocol>

subsrvs <src ip><src netmask><dest ip><service><protocol>

subsrvd <src ip><dest ip><dest netmask><service><protocol>

dstsrv <dest ip><service><protocol>

subdstsrv <dest ip><dest netmask><service><protocol>

srcpr <ip><protocol>

dstpr <ip><protocol>

subsrcpr <ip><netmask><protocol>

subdstpr <ip><netmask><protocol>

Syntax

Criteria Parameters

Description

src <ip>

Match the source IP address of the connection.

dst <ip>

Match the destination IP address of the connection.

any <ip>

Match either the source IP address or the destination IP address of the connection.

subsrc <ip> <netmask>

Match the source IP address of the connections according to the netmask.

subdst <ip> <netmask>

Match the destination IP address of the connections according to the netmask.

subany <ip> <netmask>

Match either the source IP address or destination IP address of connections according to the netmask.

srv <src ip> <dst ip> <service> <protocol>

Match the specific source IP address, destination IP address, service and protocol.

subsrv <src ip> <src netmask> <dst ip> <dst netmask> <service> <protocol>

Match the specific source IP address, destination IP address, service and protocol. Source and destination IP addresses are assigned according to the netmask.

subsrvs <src ip> <src netmask> <dest ip> <service> <protocol>

Match the specific source IP address, destination IP address, service and protocol. The source IP address is matched according to the source netmask.

subsrvd <src ip> <dest ip> <dest netmask> <service> <protocol>

Match specific source IP address, destination IP, destination netmask, service and protocol.

dstsrv <dst ip> <service> <protocol>

Match specific destination IP address, service and protocol.

subdstsrv <dst ip> <netmask> <service> <protocol>

Match specific destination IP address, service and protocol. Destination IP address is assigned according to the netmask.

srcpr <ip> <protocol>

Match the source IP address and protocol.

dstpr <ip> <protocol>

Match the destination IP address and protocol.

subsrcpr <ip> <netmask> <protocol>

Match the source IP address and protocol of connections. Source IP address is assigned according to the netmask.

subdstpr <ip> <netmask> <protocol>

Match the destination IP address and protocol of connections. Destination IP address is assigned according to the netmask.

Example

This command inhibits all connections originating on louvre for 10 minutes. Connections made during this time will be rejected:

> fw sam -t 600 -i src louvre

This command inhibits all FTP connections from the louvre subnet to the eifel subnet. All existing open connections will be closed. New connections will be dropped, a log entry is written and an alert is sent:

> fw sam -l long_alert -J subsrvs louvre 255.255.255.0 eifel 21 6

The previous command will be enforced forever - or until canceled by the following command:

> fw sam -C -l long_alert -J subsrvs louvre 255.255.255.0 eifel 21 6

This command monitors all active "inhibit" or "notify" SAM requests for which louvre is the source or destination address:

> fw sam -M -nij any louvre

This command cancels the command in the first example:

> fw sam -C -i src louvre
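Because a -C cancel must repeat the original parameters exactly (except -t), and each criteria keyword takes a fixed number of arguments, a small helper that builds both the request and its matching cancel avoids typos during an incident. The following is an added example, not Check Point code: it encodes the criteria table above, validates netmasks and port/protocol numbers, and reproduces the example commands on this page.

```python
import ipaddress

# Argument layout of each criteria keyword, from the criteria table above: ip =
# address or resolvable name, mask = dotted netmask, svc = port, proto = IP protocol.
CRITERIA = {
    "src": ["ip"], "dst": ["ip"], "any": ["ip"],
    "subsrc": ["ip", "mask"], "subdst": ["ip", "mask"], "subany": ["ip", "mask"],
    "srv": ["ip", "ip", "svc", "proto"],
    "subsrv": ["ip", "mask", "ip", "mask", "svc", "proto"],
    "subsrvs": ["ip", "mask", "ip", "svc", "proto"],
    "subsrvd": ["ip", "ip", "mask", "svc", "proto"],
    "dstsrv": ["ip", "svc", "proto"], "subdstsrv": ["ip", "mask", "svc", "proto"],
    "srcpr": ["ip", "proto"], "dstpr": ["ip", "proto"],
    "subsrcpr": ["ip", "mask", "proto"], "subdstpr": ["ip", "mask", "proto"],
}
ACTIONS, LOG_TYPES = {"n", "i", "I", "j", "J"}, {"nolog", "long_noalert", "long_alert"}

def _check(kind, value):
    """Validate one criteria argument; raise ValueError on bad input."""
    if kind == "mask":
        # Netmask must be a contiguous run of 1-bits from the top (255.255.255.0,
        # not 0.0.0.255); a reversed mask would match the wrong hosts.
        inv = int(ipaddress.IPv4Address(value)) ^ 0xFFFFFFFF
        if inv & (inv + 1):
            raise ValueError(f"not a contiguous netmask: {value}")
    elif kind in ("svc", "proto"):
        if not 0 <= int(value) <= (65535 if kind == "svc" else 255):
            raise ValueError(f"{kind} out of range: {value}")
    # "ip" may be a hostname such as louvre, which cannot be checked offline.

def sam_command(action, criteria, timeout=None, log=None, cancel=False):
    """Return the fw sam argv for an inhibit/notify request, or its matching -C cancel."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action -{action}")
    if log is not None and log not in LOG_TYPES:
        raise ValueError(f"unknown log type {log}")
    keyword, *args = criteria
    layout = CRITERIA[keyword]  # KeyError for an unknown criteria keyword
    if len(args) != len(layout):
        raise ValueError(f"{keyword} expects {len(layout)} arguments, got {len(args)}")
    for kind, value in zip(layout, args):
        _check(kind, value)
    cmd = ["fw", "sam"]
    if cancel:
        cmd.append("-C")  # -C repeats the original parameters, minus -t
    elif timeout is not None:
        cmd += ["-t", str(timeout)]
    if log:
        cmd += ["-l", log]
    return cmd + [f"-{action}", keyword, *args]
```

Join the returned list with spaces to get the command line exactly as shown in the examples above; generating the cancel from the same arguments guarantees the -C parameters match the original request.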