Description
Controls the global configuration parameters of the Rate Limiting for DoS mitigation in SecureXL.
These global parameters apply to all configured Rate Limiting rules.
Important: On a VSX Gateway, run these commands in the context of the applicable Virtual System:

- In Gaia Clish, run: `set virtual-system <VSID>`
- In Expert mode, run: `vsenv <VSID>`
Syntax for IPv4

```
fwaccel dos config
      get
      set
            {--disable-rate-limit | --enable-rate-limit}
            {--disable-pbox | --enable-pbox}
            {--disable-blacklists | --enable-blacklists}
            {--disable-drop-frags | --enable-drop-frags}
            {--disable-drop-opts | --enable-drop-opts}
            {--disable-internal | --enable-internal}
            {--disable-monitor | --enable-monitor}
            {--disable-log-drops | --enable-log-drops}
            {--disable-log-pbox | --enable-log-pbox}
            {-n <NOTIF_RATE> | --notif-rate <NOTIF_RATE>}
            {-p <PBOX_RATE> | --pbox-rate <PBOX_RATE>}
            {-t <PBOX_TMO> | --pbox-tmo <PBOX_TMO>}
```

Syntax for IPv6

```
fwaccel6 dos config
      get
      set
            {--disable-rate-limit | --enable-rate-limit}
            {--disable-pbox | --enable-pbox}
            {--disable-blacklists | --enable-blacklists}
            {--disable-drop-frags | --enable-drop-frags}
            {--disable-drop-opts | --enable-drop-opts}
            {--disable-internal | --enable-internal}
            {--disable-monitor | --enable-monitor}
            {--disable-log-drops | --enable-log-drops}
            {--disable-log-pbox | --enable-log-pbox}
            {-n <NOTIF_RATE> | --notif-rate <NOTIF_RATE>}
            {-p <PBOX_RATE> | --pbox-rate <PBOX_RATE>}
            {-t <PBOX_TMO> | --pbox-tmo <PBOX_TMO>}
```
Parameters and Options

Parameter or Option | Description
---|---
 | Specifies the SecureXL instance ID (for IPv4 only).
No Parameters | Shows the applicable built-in usage.
`get` | Shows the configuration parameters.
`set` | Configures the parameters.
`--disable-blacklists` | Disables the IP blacklists. This is the default configuration.
`--disable-drop-frags` | Disables the drops of all fragmented packets. This is the default configuration. Important - This option applies only to VSX, and only to traffic that arrives at a Virtual System through a Virtual Switch (packets received through a Warp interface). From R80.20, IP fragment reassembly occurs in SecureXL before the Warp-jump from a Virtual Switch to a Virtual System. To block IP fragments, the Virtual Switch must be configured with this option. Otherwise, this option has no effect, because the IP fragments are already reassembled when they arrive at the Virtual System's Warp interface.
`--disable-drop-opts` | Disables the drops of all packets with IP options. This is the default configuration.
`--disable-internal` | Disables the enforcement on internal interfaces. This is the default configuration.
`--disable-log-drops` | Disables the notifications when the DoS module drops a packet due to the rate limiting policy.
`--disable-log-pbox` | Disables the notifications when an administrator adds an IP address to the penalty box.
`--disable-monitor` | Disables the acceptance of all packets that otherwise would be dropped. This is the default configuration.
`--disable-pbox` | Disables the IP penalty box. This is the default configuration. Also, see the
`--disable-rate-limit` | Disables the enforcement of the rate limiting policy. This is the default configuration.
`--enable-blacklists` | Enables IP blacklists. Also, see the
`--enable-drop-frags` | Enables the drops of all fragmented packets.
`--enable-drop-opts` | Enables the drops of all packets with IP options.
`--enable-internal` | Enables the enforcement on internal interfaces.
`--enable-log-drops` | Enables the notifications when the DoS module drops a packet due to the rate limiting policy. This is the default configuration.
`--enable-log-pbox` | Enables the notifications when an administrator adds an IP address to the penalty box. This is the default configuration.
`--enable-monitor` | Enables the acceptance of all packets that otherwise would be dropped.
`--enable-pbox` | Enables the IP penalty box. Also, see the
`--enable-rate-limit` | Enables the enforcement of the rate limiting policy. Important - After you run this command, you must install the Access Control policy.
`-n <NOTIF_RATE>`, `--notif-rate <NOTIF_RATE>` | Configures the maximal number of drop notifications per second for each SecureXL device. Range: 0 - (2^32-1). Default: 100.
`-p <PBOX_RATE>`, `--pbox-rate <PBOX_RATE>` | Configures the minimal number of reported dropped packets before SecureXL adds a source IPv4 address to the penalty box. Range: 0 - (2^32-1). Default: 500.
`-t <PBOX_TMO>`, `--pbox-tmo <PBOX_TMO>` | Configures the number of seconds until SecureXL removes an IP address from the penalty box. Range: 0 - (2^32-1). Default: 180.
Example 1 - Get the current DoS configuration on a non-VSX Gateway

```
[Expert@MyGW:0]# fwaccel dos config get
rate limit: disabled (without policy)
pbox: disabled
blacklists: disabled
log blacklist: disabled
drop frags: disabled
drop opts: disabled
internal: disabled
monitor: disabled
log drops: disabled
log pbox: disabled
notif rate: 100 notifications/second
pbox rate: 500 packets/second
pbox tmo: 180 seconds
[Expert@MyGW:0]#
```

Example 2 - Enabling the Penalty Box on a non-VSX Gateway

```
[Expert@MyGW:0]# fwaccel dos config set --enable-pbox
OK
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos config get
rate limit: disabled (without policy)
pbox: enabled
blacklists: disabled
drop frags: disabled
drop opts: disabled
internal: disabled
monitor: disabled
log drops: enabled
log pbox: enabled
notif rate: 100 notifications/second
pbox rate: 500 packets/second
pbox tmo: 180 seconds
[Expert@MyGW:0]#
```
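Because these settings are global and revert on reboot, a practitioner typically wants to confirm that a gateway still carries the intended DoS mitigation settings. The following POSIX shell functions are an added example, not part of the Check Point documentation: they parse the `fwaccel dos config get` output shown above and report every setting that differs from a baseline. The embedded sample output is a constructed copy of Example 2, and the baseline values are assumptions made for the demonstration; on a gateway you would pass `"$(fwaccel dos config get)"` instead of the embedded text.

```shell
#!/bin/bash
# Added example: audit 'fwaccel dos config get' output against a baseline.
# Not part of the Check Point documentation.

# Constructed sample of the command output (copied from Example 2 above).
SAMPLE_GET_OUTPUT='rate limit: disabled (without policy)
pbox: enabled
blacklists: disabled
drop frags: disabled
drop opts: disabled
internal: disabled
monitor: disabled
log drops: enabled
log pbox: enabled
notif rate: 100 notifications/second
pbox rate: 500 packets/second
pbox tmo: 180 seconds'

# Assumed baseline for this demonstration: one "key=expected value" per line.
# Only the keys listed here are checked.
BASELINE='rate limit=enabled
pbox=enabled
monitor=disabled
pbox tmo=180'

# dos_get_value <get-output> <key>
# Prints the first word of the value shown for <key>, e.g. "enabled" or "180".
# Prints nothing when the key is absent from the output.
dos_get_value() {
    printf '%s\n' "$1" | awk -F': ' -v k="$2" '$1 == k { split($2, v, " "); print v[1]; exit }'
}

# dos_config_drift <get-output> <baseline>
# Prints one DRIFT line per key whose current value differs from the baseline.
# Returns the number of drifted keys, so 0 means the gateway matches.
dos_config_drift() {
    out="$1"; base="$2"; drift=0
    while IFS='=' read -r key want; do
        [ -z "$key" ] && continue
        have=$(dos_get_value "$out" "$key")
        if [ "$have" != "$want" ]; then
            printf 'DRIFT %s: want %s, have %s\n' "$key" "$want" "${have:-<missing>}"
            drift=$((drift + 1))
        fi
    done <<EOF
$base
EOF
    return "$drift"
}

# Stand-alone run: on a gateway, replace "$SAMPLE_GET_OUTPUT" with "$(fwaccel dos config get)".
dos_config_drift "$SAMPLE_GET_OUTPUT" "$BASELINE" || echo "$? setting(s) differ from the baseline"
```

With the sample output and baseline above, the script reports a single drift (`rate limit` is disabled although the baseline expects it enabled); a key missing from the output, such as `log blacklist` in Example 2, is reported as `<missing>` rather than silently passing.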
Making the configuration persistent

The settings defined with the `fwaccel dos config set` and the `fwaccel6 dos config set` commands return to their default values during each reboot. To make these settings persistent, add the applicable commands to these configuration files:

File | Description
---|---
`$FWDIR/conf/fwaccel_dos_rate_on_install` | This shell script for IPv4 must contain only the `fwaccel dos config set` commands.
 | This shell script for IPv6 must contain only the `fwaccel6 dos config set` commands.

Important - Do not include the `fw sam_policy` commands in these configuration files. The configured Rate Limiting policy survives reboot. If you add the `fw sam_policy` commands, the rate policy installer runs in an infinite loop.
Notes:

- To create the file, run: `touch $FWDIR/conf/<Name of File>`
- To edit the file, run: `vi $FWDIR/conf/<Name of File>`
- On a VSX Gateway, create and edit the file in the context of the applicable Virtual System. In Gaia Clish, run: `set virtual-system <VSID>`. In Expert mode, run: `vsenv <VSID>`
- The file must start with the `#!/bin/bash` line.
- Make the file executable: `chmod +x $FWDIR/conf/<Name of File>`

Example of a $FWDIR/conf/fwaccel_dos_rate_on_install file:

```
#!/bin/bash
fwaccel dos config set --enable-internal
fwaccel dos config set --enable-pbox
```
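The rules stated in this section (the file starts with the `#!/bin/bash` line, is executable, contains only `fwaccel dos config set` or `fwaccel6 dos config set` commands, and never contains `fw sam_policy` commands) can be checked before the file is relied on, so that a typo does not leave the gateway without its DoS settings after the next reboot. The following POSIX shell validator is an added example, not part of the Check Point documentation. The two sample files it writes are constructed for the demonstration: the "good" one mirrors the example file above, and the "bad" one is deliberately left non-executable and carries a `fw sam_policy get` line only so that the checks have something to flag.

```shell
#!/bin/bash
# Added example: validate a $FWDIR/conf/fwaccel_dos_rate_on_install style file
# before relying on it. Not part of the Check Point documentation.

# check_rate_on_install_file <path> [fwaccel|fwaccel6]
# Applies the rules from the documentation above and returns 0 when all hold;
# otherwise prints each violated rule and returns 1.
check_rate_on_install_file() {
    f="$1"; cmd="${2:-fwaccel}"; rc=0
    [ -f "$f" ] || { printf '%s: file does not exist\n' "$f"; return 1; }
    # Rule 1: the file must start with the #!/bin/bash line.
    if [ "$(head -n 1 "$f")" != '#!/bin/bash' ]; then
        printf '%s: first line must be #!/bin/bash\n' "$f"; rc=1
    fi
    # Rule 2: the file must be executable (chmod +x).
    if [ ! -x "$f" ]; then
        printf '%s: file is not executable\n' "$f"; rc=1
    fi
    # Rule 3: fw sam_policy commands would make the rate policy installer loop forever.
    if grep -q 'fw sam_policy' "$f"; then
        printf '%s: contains fw sam_policy commands\n' "$f"; rc=1
    fi
    # Rule 4: apart from blank lines and comments, only "<cmd> dos config set" lines are allowed.
    bad=$(tail -n +2 "$f" | grep -v '^[[:space:]]*$' | grep -v '^[[:space:]]*#' \
          | grep -v "^[[:space:]]*$cmd dos config set ") || true
    if [ -n "$bad" ]; then
        printf '%s: line(s) that are not %s dos config set commands:\n%s\n' "$f" "$cmd" "$bad"; rc=1
    fi
    return "$rc"
}

# write_sample <path> <good|bad>
# Writes a constructed file: "good" mirrors the documented example (and is made
# executable); "bad" is left non-executable and carries a fw sam_policy line.
write_sample() {
    case "$2" in
        good)
            printf '#!/bin/bash\nfwaccel dos config set --enable-internal\nfwaccel dos config set --enable-pbox\n' > "$1"
            chmod +x "$1" ;;
        bad)
            printf '#!/bin/bash\nfwaccel dos config set --enable-pbox\nfw sam_policy get\n' > "$1" ;;
    esac
}

# Stand-alone run over the two constructed files in a temporary directory.
demo_dir=$(mktemp -d)
write_sample "$demo_dir/fwaccel_dos_rate_on_install" good
write_sample "$demo_dir/broken_rate_on_install" bad
for path in "$demo_dir"/*; do
    check_rate_on_install_file "$path" && echo "OK: $path"
done
rm -rf "$demo_dir"
```

Pass `fwaccel6` as the second argument when checking the IPv6 file, since a file that mixes `fwaccel` and `fwaccel6` commands violates the "must contain only" rule for whichever script it is placed in.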