'fw sam_policy add' and 'fw6 sam

'fw sam_policy add' and 'fw6 sam_policy add'

Description

The 'fw sam_policy add' and 'fw6 sam_policy add' commands let you:

Add one Suspicious Activity Monitoring (SAM) rule at a time.
Add one Rate Limiting rule at a time.

Notes:

You can run these commands interchangeably: 'fw sam_policy add' and 'fw samp add'.
Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
The SAM Policy management file is $FWDIR/database/sam_policy.mng.
You can run these commands in Gaia Clish, or Expert mode.

Important:

Configuration you make with these commands, survives reboot.
VSX Gateway does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
The SAM Policy rules consume some CPU resources on Security Gateway. We recommend to set an expiration that gives you time to investigate, but does not affect performance. The best practice is to keep only the SAM Policy rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.
On VSX Gateway, first go to the context of an applicable Virtual System.
In Gaia Clish, run: set virtual-system <VSID>

In Expert mode, run: vsenv <VSID>
In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Syntax for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z <"Zone">]

ip <IP Filter Arguments>

quota <Quota Filter Arguments>

Syntax for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z <"Zone">]

ip <IP Filter Arguments>

quota <Quota Filter Arg

Parameters

Parameter	Description
`-d`	Optional. Runs the command in debug mode. Use only if you troubleshoot the command itself. Note - If you use this parameter, then redirect the output to a file, or use the `script` command to save the entire CLI session.
`-u`	Optional. Specifies that the rule category is `User-defined`. Default rule category is `Auto`.
`-a {d \| n \| b}`	Mandatory. Specifies the rule action if the traffic matches the rule conditions: `d` - Drop the connection. `n` - Notify (generate a log) about the connection and let it through. `b` - Bypass the connection - let it through without checking it against the policy rules. Note - Rules with action set to Bypass cannot have a log or limit specification. Bypassed packets and connections do not count towards overall number of packets and connection for limit enforcement of type ratio.
`-l {r \| a}`	Optional. Specifies which type of log to generate for this rule for all traffic that matches: `-r` - Generate a regular log `-a` - Generate an alert log
`-t <`Timeout`>`	Optional. Specifies the time period (in seconds), during which the rule will be enforced. Default timeout is indefinite.
`-f <`Target`>`	Optional. Specifies the target Security Gateways, on which to enforce the Rate Limiting rule. `<`Target`>` can be one of these: `all` - This is the default option. Specifies that the rule should be enforced on all managed Security Gateways. Name of the Security Gateway or Cluster object - Specifies that the rule should be enforced only on this Security Gateway or Cluster object (the object name must be as defined in the SmartConsole). Name of the Group object - Specifies that the rule should be enforced on all Security Gateways that are members of this Group object (the object name must be as defined in the SmartConsole).
`-n "<`Rule Name`>"`	Optional. Specifies the name (label) for this rule. You must enclose this string in double quotes. The length of this string is limited to 128 characters. Before each space or a backslash character in this string, you must write a backslash (\) character. Example: `"This\ is\ a\ rule\ name\ with\ a\ backslash\ \\"`
`-c "<`Rule Comment`>"`	Optional. Specifies the comment for this rule. You must enclose this string in double quotes. The length of this string is limited to 128 characters. Before each space or a backslash character in this string, you must write a backslash (\) character. Example: `"This\ is\ a\ comment\ with\ a\ backslash\ \\"`
`-o "<`Rule Originator`>"`	Optional. Specifies the name of the originator for this rule. You must enclose this string in double quotes. The length of this string is limited to 128 characters. Before each space or a backslash character in this string, you must write a backslash (\) character. Example: `"Created\ by\ John\ Doe"`
`-z "<`Zone`>"`	Optional. Specifies the name of the Security Zone for this rule. You must enclose this string in double quotes. The length of this string is limited to 128 characters.
`ip <`IP Filter Arguments`>`	Mandatory (use this `ip` parameter, or the `quota` parameter). Configures the Suspicious Activity Monitoring (SAM) rule. Specifies the IP Filter Arguments for the SAM rule (you must use at least one of these options): `[-C] [-s <`Source IP`>] [-m <`Source Mask`>] [-d <`Destination IP`>] [-M <`Destination Mask`>] [-p <`Port`>] [-r <`Protocol`>]`
`quota <`Quota Filter Arguments`>`	Mandatory (use this `quota` parameter, or the `ip` parameter). Configures the Rate Limiting rule. Specifies the Quota Filter Arguments for the Rate Limiting rule: `[flush true]` `[source-negated {true \| false}] source <`Source`>` `[destination-negated {true \| false}] destination <`Destination`>` `[service-negated {true \| false}] service <`Protocol and Port numbers`>` `[<`Limit1 Name`> <`Limit1 Value`>] [<`Limit2 Name`> <`Limit2 Value`>] ...[<`LimitN Name`> <`LimitN Value`>]` `[track <`Track`>]` See the explanations below. Important - The Quota rules are not applied immediately to the Security Gateway. They are only registered in the Suspicious Activity Monitoring (SAM) policy database. To apply all the rules from the SAM policy database immediately, add `flush true` in the `fw samp add` command.

Explanation for the IP Filter Arguments syntax for Suspicious Activity Monitoring (SAM) rules:

Argument	Description
`-C`	Specifies that open connections should be closed.
`-s <`Source IP`>`	Specifies the Source IP address.
`-m <`Source Mask`>`	Specifies the Source subnet mask (in dotted decimal format - x.y.z.w).
`-d <`Destination IP`>`	Specifies the Destination IP address.
`-M <`Destination Mask`>`	Specifies the Destination subnet mask (in dotted decimal format - x.y.z.w).
`-p <`Port`>`	Specifies the port number (see IANA Service Name and Port Number Registry).
`-r <`Protocol`>`	Specifies the protocol number (see IANA Protocol Numbers)

Explanation for the Quota Filter Arguments syntax for Rate Limiting rules:

Argument	Description
`flush true`	Specifies to compile and load the quota rule to the SecureXL immediately.
`[source-negated {true \| false}] source <`Source`>`	Specifies the source type and its value: `any` The rule is applied to packets sent from all sources. `range:<`IP Address`>` or `range:<`IP Address Start`>-<`IP Address End`>` The rule is applied to packets sent from: Specified IPv4 addresses (x.y.z.w) Specified IPv6 addresses (xxxx:yyyy:...:zzzz) `cidr:<`IP Address`>/<`Prefix`>` The rule is applied to packets sent from: IPv4 address with Prefix from 0 to 32 IPv6 address with Prefix from 0 to 128 `cc:<`Country Code`>` The rule matches the country code to the source IP addresses assigned to this country, based on the Geo IP database. The two-letter codes are defined in ISO 3166-1 alpha-2. `asn:<`Autonomous System Number`>` The rule matches the AS number of the organization to the source IP addresses that are assigned to this organization, based on the Geo IP database. The valid syntax is ASnnnn, where nnnn is a number unique to the specific organization. Notes: Default is: `source-negated false` The `source-negated true` processes all source types, except the specified type.
`[destination-negated {true \| false}] destination <`Destination`>`	Specifies the destination type and its value: `any` The rule is applied to packets sent to all destinations. `range:<`IP Address`>` or `range:<`IP Address Start`>-<`IP Address End`>` The rule is applied to packets sent to: Specified IPv4 addresses (x.y.z.w) Specified IPv6 addresses (xxxx:yyyy:...:zzzz) `cidr:<`IP Address`>/<`Prefix`>` The rule is applied to packets sent to: IPv4 address with Prefix from 0 to 32 IPv6 address with Prefix from 0 to 128 `cc:<`Country Code`>` The rule matches the country code to the destination IP addresses assigned to this country, based on the Geo IP database. The two-letter codes are defined in ISO 3166-1 alpha-2. `asn:<`Autonomous System Number`>` The rule matches the AS number of the organization to the destination IP addresses that are assigned to this organization, based on the Geo IP database. The valid syntax is ASnnnn, where nnnn is a number unique to the specific organization. Notes: Default is: `destination-negated false` The `destination-negated true` will process all destination types except the specified type
`[service-negated {true \| false}] service <`Protocol and Port numbers`>`	Specifies the Protocol number (see IANA Protocol Numbers) and Port number (see IANA Service Name and Port Number Registry): `<`Protocol`>` IP protocol number in the range 1-255 `<`Protocol Start`>-<`Protocol End`>` Range of IP protocol numbers `<`Protocol`>/<`Port`>` IP protocol number in the range 1-255 and TCP/UDP port number in the range 1-65535 `<`Protocol`>/<`Port Start`>-<`Port End`>` IP protocol number and range of TCP/UDP port numbers from 1 to 65535 Notes: Default is: `service-negated false` The `service-negated true` will process all traffic except the traffic with the specified protocols and ports
`[<`Limit 1 Name`> <`Limit 1 Value`>]` `[<`Limit 2 Name`> <`Limit 2 Value`>]` `...` `[<`Limit N Name`> <`Limit N Value`>]`	Specifies quota limits and their values. Note - Separate multiple quota limits with spaces. `concurrent-conns <`Value`>` Specifies the maximal number of concurrent active connections that match this rule. `concurrent-conns-ratio <`Value`>` Specifies the maximal ratio of the concurrent-conns value to the total number of active connections through the Security Gateway, expressed in parts per 65536 (formula: `N / 65536`). `pkt-rate <`Value`>` Specifies the maximum number of packets per second that match this rule. `pkt-rate-ratio <`Value`>` Specifies the maximal ratio of the pkt-rate value to the rate of all connections through the Security Gateway, expressed in parts per 65536 (formula: `N / 65536`). `byte-rate <`Value`>` Specifies the maximal total number of bytes per second in packets that match this rule. `byte-rate-ratio <`Value`>` Specifies the maximal ratio of the byte-rate value to the bytes per second rate of all connections through the Security Gateway, expressed in parts per 65536 (formula: `N / 65536`). `new-conn-rate <`Value`>` Specifies the maximal number of connections per second that match the rule. `new-conn-rate-ratio <`Value`>` Specifies the maximal ratio of the new-conn-rate value to the rate of all connections per second through the Security Gateway, expressed in parts per 65536 (formula: `N / 65536`).
`[track <`Track`>]`	Specifies the tracking option: `source` Counts connections, packets, and bytes for specific source IP address, and not cumulatively for this rule. `source-service` Counts connections, packets, and bytes for specific source IP address, and for specific IP protocol and destination port, and not cumulatively for this rule.

Example 1 - Rate Limiting rule with a range

fw sam_policy add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true

Explanations:

This rule drops packets for all connections (-a d) that exceed the quota set by this rule, including packets for existing connections.
This rule logs packets (-l r) that exceed the quota set by this rule.
This rule will expire in 3600 seconds (-t 3600).
This rule limits the rate of creation of new connections to 5 connections per second (new-conn-rate 5) for any traffic (service any) from the source IP addresses in the range 172.16.7.11 - 172.16.7.13 (source range:172.16.7.11-172.16.7.13).
Note: The limit of the total number of log entries per second is configured with the fwaccel dos config set -n <rate> command.
This rule will be compiled and loaded on the SecureXL, together with other rules in the Suspicious Activity Monitoring (SAM) policy database immediately, because this rule includes the flush true parameter.

Example 2 - Rate Limiting rule with a service specification

fw sam_policy add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source cc:QQ byte-rate 0

Explanations:

This rule logs and lets through all packets (-a n) that exceed the quota set by this rule.
This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
This rule applies to all packets except (service-negated true) the packets with IP protocol number 1, 50-51, 6 port 443 and 17 port 53 (service 1,50-51,6/443,17/53).
This rule applies to all packets from source IP addresses that are assigned to the country with specified country code (cc:QQ).
This rule does not let any traffic through (byte-rate 0) except the packets with IP protocol number 1, 50-51, 6 port 443 and 17 port 53.
This rule will not be compiled and installed on the SecureXL immediately, because it does not include the flush true parameter.

Example 3 - Rate Limiting rule with ASN

fw sam_policy -a d quota source asn:AS64500,cidr:[::FFFF:C0A8:1100]/120 service any pkt-rate 0

Explanations:

This rule drops (-a d) all packets that match this rule.
This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
This rule applies to packets from the Autonomous System number 64500 (asn:AS64500).
This rule applies to packets from source IPv6 addresses FFFF:C0A8:1100/120 (cidr:[::FFFF:C0A8:1100]/120).
This rule applies to all traffic (service any).
This rule does not let any traffic through (pkt-rate 0).
This rule will not be compiled and installed on the SecureXL immediately, because it does not include the flush true parameter.

Example 4 - Rate Limiting rule with whitelist

fw sam_policy add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80

Explanations:

This rule bypasses (-a b) all packets that match this rule.
Note: The Access Control Policy and other types of security policy rules still apply.
This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
This rule applies to packets from the source IP addresses in the range 172.16.8.17 - 172.16.9.121 (range:172.16.8.17-172.16.9.121).
This rule applies to packets sent to TCP port 80 (service 6/80).
This rule will not be compiled and installed on the SecureXL immediately, because it does not include the flush true parameter.

Example 5 - Rate Limiting rule with tracking

fw sam_policy add -a d quota service any source-negated true source cc:QQ concurrent-conns-ratio 655 track source

Explanations:

This rule drops (-a d) all packets that match this rule.
This rule does not log any packets (the -l r parameter is not specified).
This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
This rule applies to all traffic (service any).
This rule applies to all sources except (source-negated true) the source IP addresses that are assigned to the country with specified country code (cc:QQ).
This rule limits the maximal number of concurrent active connections to 655/65536=~1% (concurrent-conns-ratio 655) for any traffic (service any) except (service-negated true) the connections from the source IP addresses that are assigned to the country with specified country code (cc:QQ).
This rule counts connections, packets, and bytes for traffic only from sources that match this rule, and not cumulatively for this rule.
This rule will not be compiled and installed on the SecureXL immediately, because it does not include the flush true parameter.