fwaccel dos config

Description

The "fwaccel dos config" and "fwaccel6 dos config" commands control the global configuration parameters of the Rate Limiting for DoS mitigation in SecureXLClosed Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway..

These global parameters apply to all configured Rate Limiting rules.

Important:

Syntax for IPv4

g_fwaccel [-i <SecureXL ID>] dos config

      get

      set

            {--disable-blacklists | --enable-blacklists}

            {--disable-drop-frags | --enable-drop-frags}

            {--disable-drop-opts | --enable-drop-opts}

            {--disable-internal | --enable-internal}

            {--disable-log-drops | --enable-log-drops}

            {--disable-log-pbox | --enable-log-pbox}

            {--disable-monitor | --enable-monitor}

            {--disable-pbox | --enable-pbox}

            {--disable-rate-limit | --enable-rate-limit}

            {-n <NOTIF_RATE> | --notif-rate <NOTIF_RATE>}

            {-p <PBOX_RATE> | --pbox-rate <PBOX_RATE>}

            {-t <PBOX_TMO> | --pbox-tmo <PBOX_TMO>}

Syntax for IPv6

g_fwaccel6 dos config

      get

      set

            {--disable-blacklists | --enable-blacklists}

            {--disable-drop-frags | --enable-drop-frags}

            {--disable-drop-opts | --enable-drop-opts}

            {--disable-internal | --enable-internal}

            {--disable-log-drops | --enable-log-drops}

            {--disable-log-pbox | --enable-log-pbox}

            {--disable-monitor | --enable-monitor}

            {--disable-pbox | --enable-pbox}

            {--disable-rate-limit | --enable-rate-limit}

            {-n <NOTIF_RATE> | --notif-rate <NOTIF_RATE>}

            {-p <PBOX_RATE> | --pbox-rate <PBOX_RATE>}

            {-t <PBOX_TMO> | --pbox-tmo <PBOX_TMO>}

Parameters and Options

Parameter or Option

Instructions

-i <SecureXL ID>

Specifies the SecureXL instance ID (for IPv4 only).

No Parameters

Shows the applicable built-in usage.

get

Shows the configuration parameters.

set <options>

Configuration the parameters.

--disable-blacklists

Disables the IP blacklists.

This is the default configuration.

--disable-drop-frags

Disables the drops of all fragmented packets. This is the default configuration.

Important - This option applies to only VSX, and only for traffic that arrives at a Virtual System through a Virtual Switch (packets received through a Warp interface). From R80.20, IP Fragment reassembly occurs in SecureXL before the Warp-jump from a Virtual Switch to a Virtual System. To block IP fragments, the Virtual Switch must be configured with this option. Otherwise, this has no effect, because the IP fragments would already be reassembled when they arrive at the Virtual System's Warp interface.

--disable-drop-opts

Disables the drops of all packets with IP options.

This is the default configuration.

--disable-internal

Disables the enforcement on internal interfaces.

This is the default configuration.

--disable-log-drops

Disables the notifications when the DoS module drops a packet due to rate limiting policy.

--disable-log-pbox

Disables the notifications when administrator adds an IP address to the penalty box.

--disable-monitor

Disables the monitor-only mode.

This is the default configuration.

This command affects all Rate Limiting features.

--disable-pbox

Disables the IP penalty box.

This is the default configuration.

Also, see the fwaccel dos pbox command.

--disable-rate-limit

Disables the enforcement of the rate limiting policy.

This is the default configuration.

--enable-blacklists

Enables IP blacklists.

Also, see the fwaccel dos blacklist command.

--enable-drop-frags

Enables the drops of all fragmented packets.

--enable-drop-opts

Enables the drops of all packets with IP options.

--enable-internal

Enables the enforcement on internal interfaces.

--enable-log-drops

Enables the notifications when the DoS module drops a packet due to rate limiting policy.

This is the default configuration.

--enable-log-pbox

Enables the notifications when administrator adds an IP address to the penalty box.

This is the default configuration.

--enable-monitor

Enables the monitor-only mode (accepts all packets that otherwise are dropped).

This command affects all Rate Limiting features.

--enable-pbox

Enables the IP penalty box.

Also, see the fwaccel dos pbox command.

--enable-rate-limit

Enables the enforcement of the rate limiting policy.

Important - After you run this command, you must install the Access Control policy.

-n <NOTIF_RATE>

--notif-rate <NOTIF_RATE>

Configures the maximal number of drop notifications per second for each SecureXL device.

Range: 0 - (232-1)

Default: 100

-p <PBOX_RATE>

--pbox-rate <PBOX_RATE>

Configures the minimal number of reported dropped packets before SecureXL adds a source IPv4 address to the penalty box.

Range: 0 - (232-1)

Default: 500

-t <PBOX_TMO>

--pbox-tmo <PBOX_TMO>

Configures the number of seconds until SecureXL removes an IP is from the penalty box.

Range: 0 - (232-1)

Default: 180

Example 1 - Get the current DoS configuration on a non-VSX Gateway

[Expert@MyChassis-ch0x-0x:0]# g_fwaccel dos config get
   rate limit: disabled (without policy)
         pbox: disabled
   blacklists: disabled
log blacklist: disabled
   drop frags: disabled
    drop opts: disabled
     internal: disabled
      monitor: disabled
    log drops: disabled
     log pbox: disabled
   notif rate: 100 notifications/second
    pbox rate: 500 packets/second
     pbox tmo: 180 seconds
[Expert@MyChassis-ch0x-0x:0]#

Example 2 - Enabling the Penalty Box on a non-VSX Gateway

[Expert@MyChassis-ch0x-0x:0]# g_fwaccel dos config set --enable-pbox
OK
[Expert@MyChassis-ch0x-0x:0]#
[Expert@MyChassis-ch0x-0x:0]# g_fwaccel dos config get
   rate limit: disabled (without policy)
         pbox: enabled
   blacklists: disabled
   drop frags: disabled
    drop opts: disabled
     internal: disabled
      monitor: disabled
    log drops: enabled
     log pbox: enabled
   notif rate: 100 notifications/second
    pbox rate: 500 packets/second
     pbox tmo: 180 seconds
[Expert@MyChassis-ch0x-0x:0]#

Making the configuration persistent

The settings defined with the "fwaccel dos config set" and the "fwaccel6 dos config set" commands return to their default values during each reboot. To make these settings persistent, add the applicable commands to these configuration files on each Security Group Member:

File

Instructions

$FWDIR/conf/fwaccel_dos_rate_on_install

This shell script for IPv4 must contain only the "g_fwaccel dos config set" commands:

#!/bin/bash
g_fwaccel dos config set <options>

$FWDIR/conf/fwaccel6_dos_rate_on_install

This shell script for IPv6 must contain only the "g_fwaccel6 dos config set" commands:

#!/bin/bash
g_fwaccel6 dos config set <options>

Important - Do not include the fw sam_policy commands in these configuration files. The configured Rate Limiting policy survives reboot. If you add the "g_fw sam_policy" commands, the rate policy installer runs in an infinite loop.

Notes:

  • To create or edit these files, log in to the Expert mode.

  • In VSX mode, you must go to the context of an applicable Virtual System.

    In the Expert mode, run: vsenv <VSID>

  • If these files do not already exist, create them on every Security Group Member with this command:

    g_all touch $FWDIR/conf/<Name of File>

  • These files must start with the "#!/bin/bash" line.

  • These files must end with a new empty line.

  • After you edit these files, you must assign the execute permission to them on every Security Group Member:

    g_all chmod +x $FWDIR/conf/<Name of File>

Example of a $FWDIR/conf/fwaccel_dos_rate_on_install file: 

!/bin/bash
fwaccel dos config set --enable-internal
fwaccel dos config set --enable-pbox