fw sam_policy del

Description

The "g_fw sam_policy del" and "g_fw6 sam_policy del" commands delete one configured Rate Limiting rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. at a time.

Important:

This configuration is supported only from the Command Line.

You must run these commands in the Expert mode on one of the Security Group A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. Members.
The Rate Limit configuration applies to each Security Group Member and not globally.
The Rate Limit configuration you make with these commands, survives reboot.
VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. mode supports the Rate Limiting rules only from R80.20SP Jumbo Hotfix Accumulator Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA. Take 266 (see MBS-4895 in sk155832).

In VSX mode, you must go to the context of an applicable Virtual System.
- In Gaia gClish The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators. Commands you run in this shell apply to all Security Appliances in the Security Group., run: set virtual-system <VSID>
- In the Expert mode, run: vsenv <VSID>
R80.20SP does not support the Suspicious Activity Monitoring (SAM) rules and the "fw sam" command (see 02641733 in sk113255 and in sk148074).

Notes:

These commands are interchangeable:
- For IPv4: "g_fw sam_policy" and "g_fw samp"
- For IPv6: "g_fw6 sam_policy" and "g_fw6 samp"
Security Group Members store the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
Security Group Members store the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Best Practice - SAM Policy rules consume some CPU resources on Security Group Members. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection., educate users, or otherwise handle the risk.

Syntax for IPv4

g_fw [-d] sam_policy del '<Rule UID>'

Syntax for IPv6

g_fw6 [-d] sam_policy del '<Rule UID>'

Parameters

Parameter

Description

-d

Runs the command in debug mode.

Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

'<Rule UID>'

Specifies the UID of the rule you wish to delete.

Important:

The quote marks and angle brackets ('<...>') are mandatory.
To see the Rule UID, run the fw sam_policy get command.

Procedure

List all the existing rules in the Suspicious Activity Monitoring policy database

List all the existing rules in the Suspicious Activity Monitoring policy database.

For IPv4, run:

g_fw sam_policy get

For IPv6, run:

g_fw6 sam_policy get

The rules show in this format:

operation=add uid=<Value1,Value2,Value3,Value4> target=... timeout=... action=... log= ... name= ... comment=... originator= ... src_ip_addr=... req_tpe=...

Example for IPv4:

operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip

Delete a rule from the list by its UID

For IPv4, run:

g_fw [-d] sam_policy del '<Rule UID>'

For IPv6, run:

g_fw6 [-d] sam_policy del '<Rule UID>'

Example for IPv4:

g_fw samp del '<5ac3965f,00000000,3403a8c0,0000264a>'

Add the flush-only rule

For IPv4, run:

g_fw samp add -t 2 quota flush true

For IPv6, run:

g_fw6 samp add -t 2 quota flush true

Explanation:

The "g_fw samp del" and "g_fw6 samp del" commands only remove a rule from the persistent database. The Security Group Members continue to enforce the deleted rule until the next time you compiled and load a policy. To force the rule deletion immediately, you must enter a flush-only rule right after the "g_fw samp del" and "g_fw6 samp del" command. This flush-only rule immediately deletes the rule you specified in the previous step, and times out in 2 seconds.

Best Practice - Specify a short timeout period for the flush-only rules. This prevents accumulation of rules that are obsolete in the database.