'fwaccel dos config' and 'fwaccel6 dos config'

Description

Controls the global configuration parameters of the Rate Limiting for DoS mitigation in SecureXL.

These global parameters apply to all configured Rate Limiting rules.

Important:

On VSX Gateway, first go to the context of an applicable Virtual System.
In Gaia Clish, run: set virtual-system <VSID>

In Expert mode, run: vsenv <VSID>
In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Syntax for IPv4

fwaccel [-i <SecureXL ID>] dos config

get

set

{--disable-rate-limit | --enable-rate-limit}

{--disable-pbox | --enable-pbox}

{--disable-blacklists | --enable-blacklists}

{--disable-drop-frags | --enable-drop-frags}

{--disable-drop-opts | --enable-drop-opts}

{--disable-internal | --enable-internal}

{--disable-monitor | --enable-monitor}

{--disable-log-drops | --enable-log-drops}

{--disable-log-pbox | --enable-log-pbox}

{-n <NOTIF_RATE> | --notif-rate <NOTIF_RATE>}

{-p <PBOX_RATE> | --pbox-rate <PBOX_RATE>}

{-t <PBOX_TMO> | --pbox-tmo <PBOX_TMO>}

Syntax for IPv6

fwaccel6 dos config

get

set

{--disable-rate-limit | --enable-rate-limit}

{--disable-pbox | --enable-pbox}

{--disable-blacklists | --enable-blacklists}

{--disable-drop-frags | --enable-drop-frags}

{--disable-drop-opts | --enable-drop-opts}

{--disable-internal | --enable-internal}

{--disable-monitor | --enable-monitor}

{--disable-log-drops | --enable-log-drops}

{--disable-log-pbox | --enable-log-pbox}

{-n <NOTIF_RATE> | --notif-rate <NOTIF_RATE>}

{-p <PBOX_RATE> | --pbox-rate <PBOX_RATE>}

{-t <PBOX_TMO> | --pbox-tmo <PBOX_TMO>}

Parameters and Options

Parameter or Option	Description
`-i <`SecureXL ID`>`	Specifies the SecureXL instance ID (for IPv4 only).
No Parameters	Shows the applicable built-in usage.
`get`	Shows the configuration parameters.
`set <`options`>`	Configuration the parameters.
`--disable-blacklists`	Disables the IP blacklists. This is the default configuration.
`--disable-drop-frags`	Disables the drops of all fragmented packets. This is the default configuration. Important - This option applies to only VSX, and only for traffic that arrives at a Virtual System through a Virtual Switch (packets received through a Warp interface). From R80.20, IP Fragment reassembly occurs in SecureXL before the Warp-jump from a Virtual Switch to a Virtual System. To block IP fragments, the Virtual Switch must be configured with this option. Otherwise, this has no effect, because the IP fragments would already be reassembled when they arrive at the Virtual System's Warp interface.
`--disable-drop-opts`	Disables the drops of all packets with IP options. This is the default configuration.
`--disable-internal`	Disables the enforcement on internal interfaces. This is the default configuration.
`--disable-log-drops`	Disables the notifications when the DoS module drops a packet due to rate limiting policy.
`--disable-log-pbox`	Disables the notifications when administrator adds an IP address to the penalty box.
`--disable-monitor`	Disables the acceptance of all packets that otherwise would be dropped. This is the default configuration.
`--disable-pbox`	Disables the IP penalty box. This is the default configuration. Also, see the `fwaccel dos pbox` command.
`--disable-rate-limit`	Disables the enforcement of the rate limiting policy. This is the default configuration.
`--enable-blacklists`	Enables IP blacklists. Also, see the '`fwaccel dos blacklist`' and '`fwaccel6 dos blacklist`' commands.
`--enable-drop-frags`	Enables the drops of all fragmented packets.
`--enable-drop-opts`	Enables the drops of all packets with IP options.
`--enable-internal`	Enables the enforcement on internal interfaces.
`--enable-log-drops`	Enables the notifications when the DoS module drops a packet due to rate limiting policy. This is the default configuration.
`--enable-log-pbox`	Enables the notifications when administrator adds an IP address to the penalty box. This is the default configuration.
`--enable-monitor`	Enables the acceptance of all packets that otherwise would be dropped.
`--enable-pbox`	Enables the IP penalty box. Also, see the `fwaccel dos pbox` command.
`--enable-rate-limit`	Enables the enforcement of the rate limiting policy. Important - After you run this command, you must install the Access Control policy.
`-n <`NOTIF_RATE`>` `--notif-rate <`NOTIF_RATE`>`	Configures the maximal number of drop notifications per second for each SecureXL device. Range: 0 - (2^32-1) Default: 100
`-p <`PBOX_RATE`>` `--pbox-rate <`PBOX_RATE`>`	Configures the minimal number of reported dropped packets before SecureXL adds a source IPv4 address to the penalty box. Range: 0 - (2^32-1) Default: 500
`-t <`PBOX_TMO`>` `--pbox-tmo <`PBOX_TMO`>`	Configures the number of seconds until SecureXL removes an IP is from the penalty box. Range: 0 - (2^32-1) Default: 180

Example 1 - Get the current DoS configuration on a non-VSX Gateway

[Expert@MyGW:0]# fwaccel dos config get

rate limit: disabled (without policy)

pbox: disabled

blacklists: disabled

log blacklist: disabled

drop frags: disabled

drop opts: disabled

internal: disabled

monitor: disabled

log drops: disabled

log pbox: disabled

notif rate: 100 notifications/second

pbox rate: 500 packets/second

pbox tmo: 180 seconds

[Expert@MyGW:0]#

Example 2 - Enabling the Penalty Box on a non-VSX Gateway

[Expert@MyGW:0]# fwaccel dos config set --enable-pbox

[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel dos config get

rate limit: disabled (without policy)

pbox: enabled

blacklists: disabled

drop frags: disabled

drop opts: disabled

internal: disabled

monitor: disabled

log drops: enabled

log pbox: enabled

notif rate: 100 notifications/second

pbox rate: 500 packets/second

pbox tmo: 180 seconds

[Expert@MyGW:0]#

Making the configuration persistent

The settings defined with the fwaccel dos config set and the fwaccel6 dos config set commands return to their default values during each reboot. To make these settings persistent, add the applicable commands to these configuration files:

File	Description
`$FWDIR/conf/fwaccel_dos_rate_on_install`	This shell script for IPv4 must contain only the `fwaccel dos config set` commands: `#!/bin/bash` `fwaccel dos config set <`options`>`
`$FWDIR/conf/fwaccel6_dos_rate_on_install`	This shell script for IPv6 must contain only the `fwaccel6 dos config set` commands: `#!/bin/bash` `fwaccel6 dos config set <`options`>`

File

Description

$FWDIR/conf/fwaccel_dos_rate_on_install

This shell script for IPv4 must contain only the fwaccel dos config set commands:

#!/bin/bash
fwaccel dos config set <options>

$FWDIR/conf/fwaccel6_dos_rate_on_install

This shell script for IPv6 must contain only the fwaccel6 dos config set commands:

#!/bin/bash
fwaccel6 dos config set <options>

Important - Do not include the fw sam_policy commands in these configuration files. The configured Rate Limiting policy survives reboot. If you add the fw sam_policy commands, the rate policy installer runs in an infinite loop.

Notes:

To create or edit these files, log in to Expert mode.
If these files do not already exist, create them in one of these ways:
- touch $FWDIR/conf/<Name of File>
- vi $FWDIR/conf/<Name of File>
On VSX Gateway, before you create these files, go to the context of an applicable Virtual System.
- In Gaia gClish, run: set virtual-system <VSID>
- In Expert mode, run: vsenv <VSID>
These files must start with the #!/bin/bash line.
These files must end with a new empty line.
After you create these files, you must assign the execute permission to them:
chmod +x $FWDIR/conf/<Name of File>

Example of a $FWDIR/conf/fwaccel_dos_rate_on_install file:

!/bin/bash

fwaccel dos config set --enable-internal

fwaccel dos config set --enable-pbox