fw sam

Description

Manages the Suspicious Activity Monitoring (SAM) rules. You can use the SAM rules to block connections to and from IP addresses without the need to change or reinstall the Security Policy. For more information, see sk112061.

You can create the Suspicious Activity Rules in two ways:

Notes:

Syntax

Parameters

Parameter

Description

-d

Runs the command in debug mode.

Use only if you troubleshoot the command itself.

-v

Enables verbose mode.

In this mode, the command writes one message to stderr for each Security Gateway on which the command is enforced. Each message shows whether the command succeeded on that Security Gateway.

-s <SAM Server>

Specifies the IP address (in the X.X.X.X format) or resolvable HostName of the Security Gateway that enforces the command.

The default is localhost.

-S <SIC Name of SAM Server>

Specifies the SIC name of the SAM server to contact. The SAM server must have this SIC name; otherwise the connection fails.

Notes:

  • If you do not explicitly specify the SIC name, the connection continues without comparing SIC names.
  • For more information about enabling SIC, refer to the OPSEC API Specification.
  • On VSX Gateway, run the fw vsx showncs -vs <VSID> command to show the SIC name for the relevant Virtual System.

-f <Security Gateway>

Specifies the Security Gateway, on which to enforce the action.

<Security Gateway> can be one of these:

  • All - Default. Specifies to enforce the action on all managed Security Gateways on which the SAM Server runs.

    You can use this syntax only on Security Management Server or Domain Management Server.

  • localhost - Specifies to enforce the action on this local Check Point computer (on which the fw sam command is executed).

    You can use this syntax only on Security Gateway or StandAlone.

  • Gateways - Specifies to enforce the action on all objects defined as Security Gateways, on which SAM Server runs.

    You can use this syntax only on Security Management Server or Domain Management Server.

  • Name of Security Gateway object - Specifies to enforce the action on this specific Security Gateway object.

    You can use this syntax only on Security Management Server or Domain Management Server.

  • Name of Group object - Specifies to enforce the action on all specific Security Gateways in this Group object.

Notes:

  • You can use this syntax only on Security Management Server or Domain Management Server.
  • VSX Gateway does not support Suspicious Activity Monitoring (SAM) Rules.

-D

Cancels all inhibit (-i, -j, -I, -J) and notify (-n) commands.

Notes:

  • To "uninhibit" the inhibited connections, run the fw sam command with the -C or -D parameters.
  • It is also possible to use this command for active SAM requests.

-C

Cancels a previous fw sam command that inhibits connections with the specified parameters.

Notes:

  • These connections are no longer inhibited (no longer rejected or dropped).
  • The command parameters must match the parameters in the original fw sam command, except for the -t <Timeout> parameter.

-t <Timeout>

Specifies the time period (in seconds) during which the action is enforced.

The default is forever, or until the fw sam command is canceled.

-l <Log Type>

Specifies the type of log for the enforced action:

  • nolog - Does not generate Log / Alert at all
  • short_noalert - Generates a Log
  • short_alert - Generates an Alert
  • long_noalert - Generates a Log
  • long_alert - Generates an Alert (this is the default)

-e <key=val>+

Specifies rule information based on the keys and the provided values.

Multiple keys are separated by the plus sign (+).

Available keys are (each is limited to 100 characters):

  • name - Security rule name
  • comment - Security rule comment
  • originator - Security rule originator's username

-r

Specifies not to resolve IP addresses.

-n

Specifies to generate a "Notify" long-format log entry.

Notes:

  • This parameter generates an alert when connections that match the specified services or IP addresses pass through the Security Gateway.
  • This action does not inhibit / close connections.

-i

Inhibits (drops or rejects) new connections with the specified parameters.

Notes:

  • Each inhibited connection is logged according to the log type.
  • Matching connections are rejected.

-I

Inhibits (drops or rejects) new connections with the specified parameters, and closes all existing connections with the specified parameters.

Notes:

  • Matching connections are rejected.
  • Each inhibited connection is logged according to the log type.

-j

Inhibits (drops or rejects) new connections with the specified parameters.

Notes:

  • Matching connections are dropped.
  • Each inhibited connection is logged according to the log type.

-J

Inhibits new connections with the specified parameters, and closes all existing connections with the specified parameters.

Notes:

  • Matching connections are dropped.
  • Each inhibited connection is logged according to the log type.

-b

Bypasses new connections with the specified parameters.

-q

Quarantines new connections with the specified parameters.

-M

Monitors the active SAM requests with the specified actions and criteria.

all

Gets all active SAM requests. This is used for monitoring purposes only.
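As an added example (not Check Point code, and not a reproduction of the page's Syntax block), the shell functions below assemble an inhibit command and its matching -C cancel command from one set of inputs. They check the -l value against the list above, the -e keys and their 100-character limit, and the timeout, and only print the command line for review. The flag order, and the names sam_cmd, sam_valid_log_type and sam_valid_rule_info, are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Check Point code: build an "fw sam" inhibit command and
# the matching "-C" cancel command from one set of inputs, so the cancel
# repeats every parameter of the original except -t (the page's rule for -C).
# Assumptions: flag order follows this page's parameter table (the page's
# Syntax block is not reproduced here); -f is left at its default "All";
# the criteria arguments are passed through unchecked; nothing here
# executes fw sam, it only prints the command line to review.

# -l values listed on this page.
sam_valid_log_type() {
  case "$1" in
    nolog|short_noalert|short_alert|long_noalert|long_alert) return 0 ;;
    *) return 1 ;;
  esac
}

# -e takes name=, comment= and originator= pairs joined by "+", each value
# at most 100 characters (the limit stated on this page).
sam_valid_rule_info() {
  sam_ri_rest=$1
  [ -n "$sam_ri_rest" ] || return 1
  while [ -n "$sam_ri_rest" ]; do
    sam_ri_pair=${sam_ri_rest%%+*}
    case "$sam_ri_rest" in *+*) sam_ri_rest=${sam_ri_rest#*+} ;; *) sam_ri_rest= ;; esac
    sam_ri_key=${sam_ri_pair%%=*}
    sam_ri_val=${sam_ri_pair#*=}
    case "$sam_ri_key" in name|comment|originator) ;; *) return 1 ;; esac
    [ "$sam_ri_pair" != "$sam_ri_key" ] || return 1   # pair has no "="
    [ ${#sam_ri_val} -le 100 ] || return 1
  done
  return 0
}

# sam_cmd <inhibit|cancel> <action> <timeout> <log-type> <key=val[+...]|""> <criteria...>
#   action  : -i -I -j -J (inhibit) or -n (notify only)
#   timeout : seconds, required here so that emergency blocks always expire
#   The cancel form takes the same arguments and drops only -t.
sam_cmd() {
  [ $# -ge 7 ] || return 1                       # 5 fixed fields + keyword + 1 arg
  sam_mode=$1; sam_action=$2; sam_timeout=$3; sam_log=$4; sam_info=$5
  shift 5
  case "$sam_action" in -i|-I|-j|-J|-n) ;; *) return 1 ;; esac
  case "$sam_timeout" in ''|*[!0-9]*) return 1 ;; esac
  [ "$sam_timeout" -gt 0 ] || return 1
  sam_valid_log_type "$sam_log" || return 1
  sam_rule_info=""
  if [ -n "$sam_info" ]; then
    sam_valid_rule_info "$sam_info" || return 1
    sam_rule_info="-e $sam_info "
  fi
  case "$sam_mode" in
    inhibit) echo "fw sam -v -t $sam_timeout -l $sam_log $sam_rule_info$sam_action $*" ;;
    cancel)  echo "fw sam -v -C -l $sam_log $sam_rule_info$sam_action $*" ;;
    *) return 1 ;;
  esac
}

# Constructed demo: a one-hour -I block of one source address (203.0.113.7 is
# a documentation address), followed by the -C line that lifts it early.
sam_cmd inhibit -I 3600 long_alert 'name=ir-1234+originator=soc' src 203.0.113.7
sam_cmd cancel  -I 3600 long_alert 'name=ir-1234+originator=soc' src 203.0.113.7
```

Requiring a timeout means an emergency block always expires on its own even if nobody returns to cancel it; deriving the -C line from the same arguments keeps it from drifting away from the rule it cancels, which is what the -C note above requires. Use the -M parameter with all afterwards to confirm that the request is no longer active.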

<Criteria>

Criteria are used to match connections. A criteria expression is one of the following combinations of parameters:

  • src <IP>
  • dst <IP>
  • any <IP>
  • subsrc <IP> <Netmask>
  • subdst <IP> <Netmask>
  • subany <IP> <Netmask>
  • srv <Src IP> <Dest IP> <Port> <Protocol>
  • subsrv <Src IP> <Src Netmask> <Dest IP> <Dest Netmask> <Port> <Protocol>
  • subsrvs <Src IP> <Src Netmask> <Dest IP> <Port> <Protocol>
  • subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port> <Protocol>
  • dstsrv <Dest IP> <Port> <Protocol>
  • subdstsrv <Dest IP> <Dest Netmask> <Port> <Protocol>
  • srcpr <IP> <Protocol>
  • dstpr <IP> <Protocol>
  • subsrcpr <IP> <Netmask> <Protocol>
  • subdstpr <IP> <Netmask> <Protocol>
  • generic <key=val>+

Explanation for the <Criteria> syntax:

Parameter

Description

src <IP>

Matches the Source IP address of the connection.

dst <IP>

Matches the Destination IP address of the connection.

any <IP>

Matches either the Source IP address or the Destination IP address of the connection.

subsrc <IP> <Netmask>

Matches the Source IP address of the connections according to the netmask.

subdst <IP> <Netmask>

Matches the Destination IP address of the connections according to the netmask.

subany <IP> <Netmask>

Matches either the Source IP address or Destination IP address of connections according to the netmask.

srv <Src IP> <Dest IP> <Port> <Protocol>

Matches the specific Source IP address, Destination IP address, Service (port number) and Protocol.

subsrv <Src IP> <Src Netmask> <Dest IP> <Dest Netmask> <Port> <Protocol>

Matches the specific Source IP address, Destination IP address, Service (port number) and Protocol.

The Source and Destination IP addresses are matched according to their netmasks.

subsrvs <Src IP> <Src Netmask> <Dest IP> <Port> <Protocol>

Matches the Source IP address according to the source netmask, the specific Destination IP address, Service (port number) and Protocol.

subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port> <Protocol>

Matches the specific Source IP address, the Destination IP address according to the destination netmask, Service (port number) and Protocol.

dstsrv <Dest IP> <Port> <Protocol>

Matches specific Destination IP address, Service (port number) and Protocol.

subdstsrv <Dest IP> <Netmask> <Port> <Protocol>

Matches specific Destination IP address, Service (port number) and Protocol.

The Destination IP address is matched according to the netmask.

srcpr <IP> <Protocol>

Matches the Source IP address and protocol.

dstpr <IP> <Protocol>

Matches the Destination IP address and protocol.

subsrcpr <IP> <Netmask> <Protocol>

Matches the Source IP address and protocol of connections.

The Source IP address is matched according to the netmask.

subdstpr <IP> <Netmask> <Protocol>

Matches the Destination IP address and protocol of connections.

The Destination IP address is matched according to the netmask.

generic <key=val>+

Matches the GTP connections based on the specified keys and provided values.

Multiple keys are separated by the plus sign (+).

Available keys are:

  • service=gtp
  • imsi
  • msisdn
  • apn
  • tunl_dst
  • tunl_dport
  • tunl_proto
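The following shell script is an added example (not Check Point code) that checks a <Criteria> expression against the argument shapes in the table above before it is handed to fw sam: known keyword, correct argument count, strict dotted-quad IPv4 addresses, contiguous netmasks and in-range ports. It assumes IPv4 addresses, checks <Protocol> only for presence, and for generic accepts only the key names listed above; sam_validate_criteria and its helper names are chosen for this example.

```shell
#!/bin/sh
# Added example, not Check Point code: check an fw sam <Criteria> expression
# against the argument shapes listed on this page before it is sent to a
# gateway: known keyword, right argument count, well-formed IPv4 addresses,
# contiguous netmasks and in-range ports. Assumptions: IPv4 only; <Protocol>
# is only checked to be non-empty; "generic" takes one key=val[+key=val]
# token and only the key names listed on this page are accepted.

# Argument shape per keyword: I = IPv4 address, M = netmask, P = port,
# R = protocol, G = generic key=val string.
sam_criteria_shape() {
  case "$1" in
    src|dst|any)          echo "I" ;;
    subsrc|subdst|subany) echo "I M" ;;
    srv)                  echo "I I P R" ;;
    subsrv)               echo "I M I M P R" ;;
    subsrvs)              echo "I M I P R" ;;
    subsrvd)              echo "I I M P R" ;;
    dstsrv)               echo "I P R" ;;
    subdstsrv)            echo "I M P R" ;;
    srcpr|dstpr)          echo "I R" ;;
    subsrcpr|subdstpr)    echo "I M R" ;;
    generic)              echo "G" ;;
    *)                    return 1 ;;
  esac
}

# Strict dotted quad: four decimal octets 0-255, no leading zeros (an "010"
# octet is octal to some parsers, so an ambiguous address is rejected).
sam_is_ipv4() {
  case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  sam_ip_ifs=$IFS; IFS=.; set -- $1; IFS=$sam_ip_ifs
  [ $# -eq 4 ] || return 1
  for sam_octet in "$@"; do
    case "$sam_octet" in 0?*|????*) return 1 ;; esac
    [ "$sam_octet" -le 255 ] || return 1
  done
  return 0
}

sam_ip_to_int() {
  sam_ii_ifs=$IFS; IFS=.; set -- $1; IFS=$sam_ii_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# A netmask is a valid IPv4 whose one bits are contiguous from the top.
# With inv = ~mask (32-bit), inv & (inv + 1) == 0 exactly for 1...10...0
# patterns: 255.255.255.0 passes, 255.255.0.255 fails.
sam_is_netmask() {
  sam_is_ipv4 "$1" || return 1
  sam_nm=$(sam_ip_to_int "$1")
  sam_inv=$(( ~$sam_nm & 4294967295 ))
  [ $(( $sam_inv & ($sam_inv + 1) )) -eq 0 ]
}

sam_is_port() {
  case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
  [ "$1" -le 65535 ]
}

# generic keys from this page; "service=gtp" is the only fixed value.
sam_is_generic() {
  sam_g_ifs=$IFS; IFS=+; set -- $1; IFS=$sam_g_ifs
  [ $# -ge 1 ] || return 1
  for sam_pair in "$@"; do
    case "$sam_pair" in
      service=gtp|imsi=?*|msisdn=?*|apn=?*|tunl_dst=?*|tunl_dport=?*|tunl_proto=?*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# sam_validate_criteria <keyword> <args...>: 0 if well-formed, 1 otherwise.
sam_validate_criteria() {
  sam_shape=$(sam_criteria_shape "$1") || return 1
  shift
  for sam_kind in $sam_shape; do
    [ $# -ge 1 ] || return 1                     # too few arguments
    case "$sam_kind" in
      I) sam_is_ipv4 "$1"    || return 1 ;;
      M) sam_is_netmask "$1" || return 1 ;;
      P) sam_is_port "$1"    || return 1 ;;
      R) [ -n "$1" ]         || return 1 ;;
      G) sam_is_generic "$1" || return 1 ;;
    esac
    shift
  done
  [ $# -eq 0 ]                                   # no trailing arguments
}

# Constructed demo inputs (documentation addresses).
if sam_validate_criteria subsrvs 203.0.113.0 255.255.255.0 198.51.100.10 443 6; then
  echo "ok: subsrvs expression is well-formed"
fi
if ! sam_validate_criteria subdst 198.51.100.0 255.255.0.255; then
  echo "rejected: 255.255.0.255 is not a contiguous netmask"
fi
```

The shape table mirrors the combination list above, so a mismatch between what an operator typed and what a keyword expects (a port where a netmask belongs, a missing protocol, a stray trailing argument) is caught before the gateway sees it. The netmask test is a bit trick rather than a lookup table, so it also accepts unusual but legal masks such as 0.0.0.0 and rejects any non-contiguous one.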