'fw sam_policy add' and 'fw6 sam_policy add'

Description

The 'fw sam_policy add' and 'fw6 sam_policy add' commands let you:

  • Add a Suspicious Activity Monitoring (SAM) rule (the ip parameter).
  • Add a Rate Limiting rule (the quota parameter).

Notes:

Important:

Syntax for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z <"Zone">]

ip <IP Filter Arguments>

quota <Quota Filter Arguments>

Syntax for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z <"Zone">]

ip <IP Filter Arguments>

quota <Quota Filter Arguments>

Parameters

Parameter

Description

-d

Optional.

Runs the command in debug mode.

Use only if you troubleshoot the command itself.

Note - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-u

Optional.

Specifies that the rule category is User-defined.

Default rule category is Auto.

-a {d | n | b}

Mandatory.

Specifies the rule action if the traffic matches the rule conditions:

  • d - Drop the connection.
  • n - Notify (generate a log) about the connection and let it through.
  • b - Bypass the connection - let it through without checking it against the policy rules.

    Note - Rules with action set to Bypass cannot have a log or limit specification. Bypassed packets and connections do not count towards the overall number of packets and connections used to enforce limits of type ratio.

-l {r | a}

Optional.

Specifies which type of log to generate for this rule for all traffic that matches:

  • r - Generate a regular log.
  • a - Generate an alert log.

-t <Timeout>

Optional.

Specifies the time period (in seconds) during which the rule is enforced.

Default timeout is indefinite.

-f <Target>

Optional.

Specifies the target Security Gateways on which to enforce the Rate Limiting rule.

<Target> can be one of these:

  • all - This is the default option. Specifies that the rule should be enforced on all managed Security Gateways.
  • Name of the Security Gateway or Cluster object - Specifies that the rule should be enforced only on this Security Gateway or Cluster object (the object name must be as defined in the SmartConsole).
  • Name of the Group object - Specifies that the rule should be enforced on all Security Gateways that are members of this Group object (the object name must be as defined in the SmartConsole).

-n "<Rule Name>"

Optional.

Specifies the name (label) for this rule.

You must enclose this string in double quotes.

The length of this string is limited to 128 characters.

Before each space or backslash character in this string, you must write a backslash (\) character. Example:

"This\ is\ a\ rule\ name\ with\ a\ backslash\ \\"

-c "<Rule Comment>"

Optional.

Specifies the comment for this rule.

You must enclose this string in double quotes.

The length of this string is limited to 128 characters.

Before each space or backslash character in this string, you must write a backslash (\) character. Example:

"This\ is\ a\ comment\ with\ a\ backslash\ \\"

-o "<Rule Originator>"

Optional.

Specifies the name of the originator for this rule.

You must enclose this string in double quotes.

The length of this string is limited to 128 characters.

Before each space or backslash character in this string, you must write a backslash (\) character. Example:

"Created\ by\ John\ Doe"

-z "<Zone>"

Optional.

Specifies the name of the Security Zone for this rule.

You must enclose this string in double quotes.

The length of this string is limited to 128 characters.

ip <IP Filter Arguments>

Mandatory (use this ip parameter, or the quota parameter).

Configures the Suspicious Activity Monitoring (SAM) rule.

Specifies the IP Filter Arguments for the SAM rule (you must use at least one of these options):

[-C] [-s <Source IP>] [-m <Source Mask>] [-d <Destination IP>] [-M <Destination Mask>] [-p <Port>] [-r <Protocol>]

quota <Quota Filter Arguments>

Mandatory (use this quota parameter, or the ip parameter).

Configures the Rate Limiting rule.

Specifies the Quota Filter Arguments for the Rate Limiting rule:

  • [flush true]
  • [source-negated {true | false}] source <Source>
  • [destination-negated {true | false}] destination <Destination>
  • [service-negated {true | false}] service <Protocol and Port numbers>
  • [<Limit1 Name> <Limit1 Value>] [<Limit2 Name> <Limit2 Value>] ...[<LimitN Name> <LimitN Value>]
  • [track <Track>]

See the explanations below.

Important - The Quota rules are not applied immediately to the Security Gateway. They are only registered in the Suspicious Activity Monitoring (SAM) policy database. To apply all the rules from the SAM policy database immediately, add flush true in the fw samp add command.

Explanation for the IP Filter Arguments syntax for Suspicious Activity Monitoring (SAM) rules:

Argument

Description

-C

Specifies that open connections should be closed.

-s <Source IP>

Specifies the Source IP address.

-m <Source Mask>

Specifies the Source subnet mask (in dotted decimal format - x.y.z.w).

-d <Destination IP>

Specifies the Destination IP address.

-M <Destination Mask>

Specifies the Destination subnet mask (in dotted decimal format - x.y.z.w).

-p <Port>

Specifies the port number (see IANA Service Name and Port Number Registry).

-r <Protocol>

Specifies the protocol number (see IANA Protocol Numbers).

Explanation for the Quota Filter Arguments syntax for Rate Limiting rules:

Argument

Description

flush true

Compiles and loads the quota rule into SecureXL immediately.

[source-negated {true | false}] source <Source>

Specifies the source type and its value:

  • any

    The rule is applied to packets sent from all sources.

  • range:<IP Address>
    or
    range:<IP Address Start>-<IP Address End>

    The rule is applied to packets sent from:

    • Specified IPv4 addresses (x.y.z.w)
    • Specified IPv6 addresses (xxxx:yyyy:...:zzzz)
  • cidr:<IP Address>/<Prefix>

    The rule is applied to packets sent from:

    • IPv4 address with Prefix from 0 to 32
    • IPv6 address with Prefix from 0 to 128
  • cc:<Country Code>

    The rule matches the country code to the source IP addresses assigned to this country, based on the Geo IP database.

    The two-letter codes are defined in ISO 3166-1 alpha-2.

  • asn:<Autonomous System Number>

    The rule matches the AS number of the organization to the source IP addresses that are assigned to this organization, based on the Geo IP database.

    The valid syntax is ASnnnn, where nnnn is a number unique to the specific organization.

Notes:

  • Default is: source-negated false
  • source-negated true matches all sources except the specified one.

[destination-negated {true | false}] destination <Destination>

Specifies the destination type and its value:

  • any

    The rule is applied to packets sent to all destinations.

  • range:<IP Address>
    or
    range:<IP Address Start>-<IP Address End>

    The rule is applied to packets sent to:

    • Specified IPv4 addresses (x.y.z.w)
    • Specified IPv6 addresses (xxxx:yyyy:...:zzzz)
  • cidr:<IP Address>/<Prefix>

    The rule is applied to packets sent to:

    • IPv4 address with Prefix from 0 to 32
    • IPv6 address with Prefix from 0 to 128
  • cc:<Country Code>

    The rule matches the country code to the destination IP addresses assigned to this country, based on the Geo IP database.

    The two-letter codes are defined in ISO 3166-1 alpha-2.

  • asn:<Autonomous System Number>

    The rule matches the AS number of the organization to the destination IP addresses that are assigned to this organization, based on the Geo IP database.

    The valid syntax is ASnnnn, where nnnn is a number unique to the specific organization.

Notes:

  • Default is: destination-negated false
  • destination-negated true matches all destinations except the specified one.

[service-negated {true | false}] service <Protocol and Port numbers>

Specifies the Protocol number (see IANA Protocol Numbers) and Port number (see IANA Service Name and Port Number Registry):

  • <Protocol>

    IP protocol number in the range 1-255

  • <Protocol Start>-<Protocol End>

    Range of IP protocol numbers

  • <Protocol>/<Port>

    IP protocol number in the range 1-255 and TCP/UDP port number in the range 1-65535

  • <Protocol>/<Port Start>-<Port End>

    IP protocol number and range of TCP/UDP port numbers from 1 to 65535

Notes:

  • Default is: service-negated false
  • service-negated true matches all traffic except the traffic with the specified protocols and ports.

[<Limit 1 Name> <Limit 1 Value>]
[<Limit 2 Name> <Limit 2 Value>]
...
[<Limit N Name> <Limit N Value>]

Specifies quota limits and their values.

Note - Separate multiple quota limits with spaces.

  • concurrent-conns <Value>

    Specifies the maximal number of concurrent active connections that match this rule.

  • concurrent-conns-ratio <Value>

    Specifies the maximal ratio of the concurrent-conns value to the total number of active connections through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).

  • pkt-rate <Value>

    Specifies the maximum number of packets per second that match this rule.

  • pkt-rate-ratio <Value>

    Specifies the maximal ratio of the pkt-rate value to the rate of all connections through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).

  • byte-rate <Value>

    Specifies the maximal total number of bytes per second in packets that match this rule.

  • byte-rate-ratio <Value>

    Specifies the maximal ratio of the byte-rate value to the bytes per second rate of all connections through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).

  • new-conn-rate <Value>

    Specifies the maximal number of connections per second that match the rule.

  • new-conn-rate-ratio <Value>

    Specifies the maximal ratio of the new-conn-rate value to the rate of all connections per second through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).

[track <Track>]

Specifies the tracking option:

  • source

    Counts connections, packets, and bytes separately for each source IP address, not cumulatively for this rule.

  • source-service

    Counts connections, packets, and bytes separately for each combination of source IP address, IP protocol, and destination port, not cumulatively for this rule.

Example 1 - Rate Limiting rule with a range

fw sam_policy add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true

Explanations:

  • -a d - Drop connections that exceed the limit.
  • -l r - Generate a regular log.
  • -t 3600 - Enforce the rule for 3600 seconds (one hour).
  • quota - This is a Rate Limiting rule.
  • service any - Match all protocols and ports.
  • source range:172.16.7.11-172.16.7.13 - Match packets sent from the source IPv4 addresses in this range.
  • new-conn-rate 5 - Allow at most 5 new matching connections per second (counted cumulatively for the rule, because no track option is given).
  • flush true - Compile and load the rule into SecureXL immediately.

Example 2 - Rate Limiting rule with a service specification

fw sam_policy add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source cc:QQ byte-rate 0

Explanations:

  • -a n - Notify: generate a log for matching connections and let them through.
  • -l r - Generate a regular log.
  • quota - This is a Rate Limiting rule.
  • service 1,50-51,6/443,17/53 - Several service values separated by commas: protocol 1, protocols 50 through 51, protocol 6 (TCP) port 443, and protocol 17 (UDP) port 53.
  • service-negated true - Match all traffic except these protocols and ports.
  • source cc:QQ - Match source IP addresses that the Geo IP database assigns to country code QQ.
  • byte-rate 0 - The limit is 0 bytes per second, so every matching packet exceeds it and is logged.
  • No -t - The rule is enforced indefinitely. No flush true - The rule is only registered in the SAM policy database and is not applied until the policy database is flushed.

Example 3 - Rate Limiting rule with ASN

fw sam_policy add -a d quota source asn:AS64500,cidr:[::FFFF:C0A8:1100]/120 service any pkt-rate 0

Explanations:

  • -a d - Drop connections that exceed the limit.
  • quota - This is a Rate Limiting rule.
  • source asn:AS64500,cidr:[::FFFF:C0A8:1100]/120 - Two source values separated by a comma: the IP addresses that the Geo IP database assigns to AS64500, and the IPv6 prefix ::FFFF:C0A8:1100/120 (an IPv6 address is written in square brackets).
  • service any - Match all protocols and ports.
  • pkt-rate 0 - The limit is 0 packets per second, so with action d every matching packet exceeds the limit and is dropped.

Example 4 - Rate Limiting rule with whitelist

fw sam_policy add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80

Explanations:

  • -a b - Bypass: let matching connections through without checking them against the policy rules. Bypass rules cannot have a log or limit specification, and bypassed traffic does not count toward ratio limits.
  • quota - This is a Rate Limiting rule.
  • source range:172.16.8.17-172.16.9.121 - Match packets sent from the source IPv4 addresses in this range.
  • service 6/80 - Match protocol 6 (TCP) port 80.

Example 5 - Rate Limiting rule with tracking

fw sam_policy add -a d quota service any source-negated true source cc:QQ concurrent-conns-ratio 655 track source

Explanations:

  • -a d - Drop connections that exceed the limit.
  • quota - This is a Rate Limiting rule.
  • service any - Match all protocols and ports.
  • source-negated true source cc:QQ - Match packets from all sources except the IP addresses that the Geo IP database assigns to country code QQ.
  • concurrent-conns-ratio 655 - Limit the matching concurrent connections to 655/65536, about 1%, of all active connections through the Security Gateway.
  • track source - Count the limit separately for each source IP address, so each source may hold about 1% of the gateway's active connections before its further connections are dropped.
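Added helper script, not part of the Check Point documentation, that performs the two computations this page otherwise leaves to the rule author: escaping a -n/-c/-o string (a backslash before every space and every backslash, as in the examples for those parameters) and converting a percentage into the parts-per-65536 value N used by the *-ratio limits (N / 65536, as in Example 5). It only prints the assembled fw sam_policy add command line and never runs it; the function names and the country code QQ are assumptions.

```shell
#!/bin/sh
# Builds a 'fw sam_policy add ... quota ...' command line offline so the
# escaping of -n strings and the ratio value can be checked before the
# command is typed on a Security Gateway. Nothing here executes 'fw'.

# Escape a rule name/comment/originator as -n/-c/-o require: a backslash
# before every backslash and every space. Backslashes are doubled first
# so the escapes added for spaces are not themselves re-escaped.
sam_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/ /\\ /g'
}

# Convert a percentage of gateway-wide traffic into the integer N used by
# concurrent-conns-ratio, pkt-rate-ratio, byte-rate-ratio and
# new-conn-rate-ratio (N / 65536), rounded to the nearest integer.
ratio_parts() {
    awk -v pct="$1" 'BEGIN { printf "%d", (pct * 65536 / 100) + 0.5 }'
}

# Convert an N read back from an existing *-ratio limit into a percentage.
ratio_percent() {
    awk -v n="$1" 'BEGIN { printf "%.2f", n * 100 / 65536 }'
}

# Assemble a Rate Limiting rule that drops connections from every source
# except country code $3 once a single source IP holds more than $2 percent
# of the gateway's concurrent connections (hypothetical helper).
build_drop_ratio_rule() {
    printf 'fw sam_policy add -a d -l r -n "%s" quota service any source-negated true source cc:%s concurrent-conns-ratio %s track source flush true\n' \
        "$(sam_escape "$1")" "$3" "$(ratio_parts "$2")"
}

# Constructed sample: a name containing spaces and a backslash, a 1% limit.
build_drop_ratio_rule 'Throttle foreign sources \ 1 percent' 1 QQ
```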