'fw sam_policy batch' and 'fw6 sam_policy batch'
Description
The 'fw sam_policy batch' and 'fw6 sam_policy batch' commands let you:
- Add and delete many Suspicious Activity Monitoring (SAM) rules at a time.
- Add and delete many Rate Limiting rules at a time.
Notes:
- You can run these commands interchangeably: 'fw sam_policy batch' and 'fw samp batch'.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- The SAM Policy management file is $FWDIR/database/sam_policy.mng.
- You can run these commands in Gaia Clish or Expert mode.
Important:
- Configuration you make with these commands survives reboot.
- VSX Gateway does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- The SAM Policy rules consume some CPU resources on the Security Gateway. We recommend that you set an expiration that gives you time to investigate but does not affect performance. The best practice is to keep only the SAM Policy rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.
- On VSX Gateway, first go to the context of the applicable Virtual System:
  In Gaia Clish, run: set virtual-system <VSID>
  In Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure SecureXL in the same way on all Cluster Members.
Procedure
Step 1 - Start the batch mode:
  For IPv4: fw sam_policy batch << EOF
  For IPv6: fw6 sam_policy batch << EOF
Step 2 - Enter the applicable commands as described below.
Step 3 - End the batch mode: write EOF and press Enter.

Example for IPv4 Rate Limiting rule:
fw samp batch <<EOF
add -a d -l r -t 3600 -c "Limit\ conn\ rate\ to\ 5\ conn/sec from\ these\ sources" quota service any source range:172.16.7.13-172.16.7.13 new-conn-rate 5
del <501f6ef0,00000000,cb38a8c0,0a0afffe>
add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80
EOF
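The batch mode exists to load many rules in one run rather than one 'fw samp add' at a time. The following script is an added example (it is not code from the Check Point page) that builds the batch input from a list of source addresses, validates each address so a malformed line cannot become an unintended rule, and prints the result for review; on a Security Gateway in Expert mode the same output is piped into 'fw samp batch'. The address list, comment text, timeout and rate are constructed for the example; the rule syntax follows the page's own IPv4 Rate Limiting example.

```shell
#!/bin/bash
# Added example, not from the Check Point page: generate the input for one
# 'fw samp batch' run from a list of source addresses, so that many Rate
# Limiting rules are added in a single batch instead of one 'fw samp add' each.
# The address list, comment text, timeout and rate below are constructed for
# this example; the rule form follows the page's own IPv4 example.

# Constructed sample input (not real incident data): one IPv4 address per line.
# The malformed third line shows that bad input is skipped, not turned into a rule.
SUSPICIOUS_SOURCES='172.16.7.13
172.16.7.14
not-an-ip
10.0.0.5'

# Return 0 only for a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
  # Reject anything that is not digits and dots before splitting on dots.
  case "$1" in ''|*[!0-9.]*) return 1 ;; esac
  local IFS=. o
  set -- $1
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    # Each octet: 1-3 digits, numeric value at most 255.
    case "$o" in ''|????*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Print one 'add' command per valid address in the syntax the batch accepts:
#   $1 = newline-separated address list, $2 = expiry in seconds (-t),
#   $3 = allowed new connections per second (new-conn-rate).
# -a d drops traffic over the quota, -l r selects the regular log type; the
# comment escapes spaces with backslashes exactly as in the page's example.
build_batch() {
  printf '%s\n' "$1" | while IFS= read -r ip; do
    [ -n "$ip" ] || continue
    if valid_ipv4 "$ip"; then
      printf 'add -a d -l r -t %s -c "Limit\\ new\\ conn\\ rate\\ from\\ suspicious\\ source" quota service any source range:%s-%s new-conn-rate %s\n' \
        "$2" "$ip" "$ip" "$3"
    else
      printf 'skipping malformed address: %s\n' "$ip" >&2
    fi
  done
}

# Dry run: print the batch so it can be reviewed before it touches the gateway.
# On a Security Gateway in Expert mode the same output is applied with:
#   build_batch "$SUSPICIOUS_SOURCES" 3600 5 | fw samp batch
# (stdin takes the place of the '<< EOF' here-document in the procedure above).
build_batch "$SUSPICIOUS_SOURCES" 3600 5
```

Review the printed block before piping it into 'fw samp batch'; the 3600-second expiry keeps the rules from lingering, in line with the recommendation above to set an expiration and keep only the rules you need.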