fwaccel dos pbox

Description

The "fwaccel dos pbox" command controls the Penalty Box whitelist in SecureXL Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway..

The SecureXL Penalty Box is a mechanism that performs an early drop of packets that arrive from suspected sources. The purpose of this feature is to allow the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. to cope better under high traffic load, possibly caused by a DoS/DDoS attack.

The SecureXL Penalty Box detects clients that send packets, which the Access Control Policy drops, and clients that violate the IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). protections. If the SecureXL Penalty Box detects a specific client frequently, it puts that client in a penalty box. From that point, SecureXL drops all packets that arrive from the blocked source IP address.

The Penalty Box whitelist in SecureXL lets you configure the source IP addresses, which the SecureXL Penalty Box never blocks.

Important:

This command supports only IPv4.
You must run the applicable commands in the Expert mode on the applicable Security Group A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected..
In VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. mode, you must go to the context of an applicable Virtual System.

In the Expert mode, run: vsenv <VSID>
To enforce the Penalty Box in SecureXL, you must first enable the Penalty Box.

See these commands:
When you add a new Security Group Member to a Security Group, the new Security Group Member pulls the "$FWDIR/conf/pbox-whitelist-v4.conf" configuration file.

Syntax for IPv4

g_fwaccel [-i <SecureXL ID>] dos pbox

flush

whitelist

-a <IPv4 Address>[/<Subnet Prefix>]

-d <IPv4 Address>[/<Subnet Prefix>]

-F

-l /<Path>/<Name of File>

-L

-s

Parameters

Parameter

Description

-i <SecureXL ID>

Specifies the SecureXL instance ID (for IPv4 only).

No Parameters

Shows the applicable built-in usage.

flush

Removes (flushes) all source IP addresses from the Penalty Box.

whitelist <options>

Configures the whitelist for source IP addresses in the SecureXL Penalty Box.

Important - This whitelist overrides which packet the SecureXL Penalty Box drops. Before you use a 3rd-party or automatic blacklists, add trusted networks and hosts to the whitelist to avoid outages.

Note - This command is similar to the fwaccel dos whitelist command.

-a <IPv4 Address>[/<Subnet Prefix>]

Adds the specified IP address to the Penalty Box whitelist.

<IPv4 Address>

Can be an IP address of a network or a host.

<Subnet Prefix>

Must specify the length of the subnet mask in the format /<bits>.

Optional for a host IP address.

Mandatory for a network IP address.

Range - from /1 to /32.

Important - If you do not specify the subnet prefix explicitly, this command uses the subnet prefix /32.

Examples:

For a host:

192.168.20.30

192.168.20.30/32
For a network:

192.168.20.0/24

-d <IPv4 Address>[/<Subnet Prefix>]

Removes the specified IP address from the Penalty Box whitelist.

<IPv4 Address>

Can be an IP address of a network or a host.

<Subnet Prefix>

Optional. Must specify the length of the subnet mask in the format /<bits>.

Optional for a host IP address.

Mandatory for a network IP address.

Range - from /1 to /32.

Important - If you do not specify the subnet prefix explicitly, this command uses the subnet prefix /32.

-F

Removes (flushes) all entries from the Penalty Box whitelist.

-l /<Path>/<Name of File>

Loads the Penalty Box whitelist entries from the specified plain-text file.

Important:

You must manually create and configure this file with the "g_all touch" command.
You must assign at least the read permission to this file with the "g_all chmod +x" command.
Each entry in this file must be on a separate line.
Each entry in this file must be in this format:

<IPv4 Address>[/<Subnet Prefix>]
SecureXL ignores empty lines and lines that start with the # character in this file.

-L

Loads the Penalty Box whitelist entries from the plain-text file with a predefined name:

$FWDIR/conf/pbox-whitelist-v4.conf

Security Group automatically runs this command "g_fwaccel dos pbox whitelist -L" during each boot.

Important:

This file does not exist by default.
You must manually create and configure this file with the "g_all touch " command.
You must assign at least the read permission to this file with the "g_all chmod +x" command.
Each entry in this file must be on a separate line.
Each entry in this file must be in this format:

<IPv4 Address>[/<Subnet Prefix>]
SecureXL ignores empty lines and lines that start with the # character in this file.

-s

Shows the current Penalty Box whitelist entries.

Example 1 - Adding a host IP address without optional subnet prefix

[Expert@MyChassis-ch0x-0x:0]# g_fwaccel dos pbox whitelist -a 192.168.20.40
[Expert@MyChassis-ch0x-0x:0]#
[Expert@MyChassis-ch0x-0x:0]# g_fwaccel dos pbox whitelist -s
192.168.20.40/32
[Expert@MyChassis-ch0x-0x:0]#
[Expert@MyChassis-ch0x-0x:0]# g_fwaccel dos pbox whitelist -F
[Expert@MyChassis-ch0x-0x:0]# g_fwaccel dos pbox whitelist -s
[Expert@MyChassis-ch0x-0x:0]#

Example 2 - Adding a host IP address with optional subnet prefix

[Expert@MyChassis-ch0x-0x:0]# g_fwaccel dos pbox whitelist -a 192.168.20.40/32
[Expert@MyChassis-ch0x-0x:0]#
[Expert@MyChassis-ch0x-0x:0]# g_fwaccel dos pbox whitelist -s
192.168.20.40/32
[Expert@MyChassis-ch0x-0x:0]#
[Expert@MyChassis-ch0x-0x:0]# g_fwaccel dos pbox whitelist -F
[Expert@MyChassis-ch0x-0x:0]# g_fwaccel dos pbox whitelist -s
[Expert@MyChassis-ch0x-0x:0]#

Example 3 - Adding a network IP address with mandatory subnet prefix

[Expert@MyChassis-ch0x-0x:0]# g_fwaccel dos pbox whitelist -a 192.168.20.0/24
[Expert@MyChassis-ch0x-0x:0]#
[Expert@MyChassis-ch0x-0x:0]# g_fwaccel dos pbox whitelist -s
192.168.20.0/24
[Expert@MyChassis-ch0x-0x:0]#
[Expert@MyChassis-ch0x-0x:0]# g_fwaccel dos pbox whitelist -F
[Expert@MyChassis-ch0x-0x:0]# g_fwaccel dos pbox whitelist -s
[Expert@MyChassis-ch0x-0x:0]#

Example 4 - Deleting an entry

[Expert@MyChassis-ch0x-0x:0]# g_fwaccel dos pbox whitelist -a 192.168.20.40/32
[Expert@MyChassis-ch0x-0x:0]#
[Expert@MyChassis-ch0x-0x:0]# g_fwaccel dos pbox whitelist -a 192.168.20.70/32
[Expert@MyChassis-ch0x-0x:0]#
[Expert@MyChassis-ch0x-0x:0]# g_fwaccel dos pbox whitelist -s
192.168.20.40/32
192.168.20.70/32
[Expert@MyChassis-ch0x-0x:0]# g_fwaccel dos pbox whitelist -d 192.168.20.70/32
[Expert@MyChassis-ch0x-0x:0]#
[Expert@MyChassis-ch0x-0x:0]# g_fwaccel dos pbox whitelist -s
192.168.20.40/32
[Expert@MyChassis-ch0x-0x:0]#