'fw sam_policy del' and 'fw6 sam

'fw sam_policy del' and 'fw6 sam_policy del'

Description

The 'fw sam_policy del' and 'fw6 sam_policy del' commands let you:

Delete one configured Suspicious Activity Monitoring (SAM) rule at a time.
Delete one configured Rate Limiting rule at a time.

Notes:

You can run these commands interchangeably: 'fw sam_policy del add' and 'fw samp del'.
Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
The SAM Policy management file is $FWDIR/database/sam_policy.mng.
You can run these commands in Gaia Clish, or Expert mode.

Important:

Configuration you make with these commands, survives reboot.
VSX Gateway does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
The SAM Policy rules consume some CPU resources on Security Gateway. We recommend to set an expiration that gives you time to investigate, but does not affect performance. The best practice is to keep only the SAM Policy rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.
On VSX Gateway, first go to the context of an applicable Virtual System.
In Gaia Clish, run: set virtual-system <VSID>

In Expert mode, run: vsenv <VSID>
In Cluster, you must configure the SecureXL in the same way on all of the Cluster Members.

Syntax for IPv4

fw [-d] sam_policy del '<Rule UID>'

Syntax for IPv6

fw6 [-d] sam_policy del '<Rule UID>'

Parameters

Parameter	Description
`-d`	Enables the debug mode for the `fw` command. By default, writes to the screen. Note - If you use this parameter, then redirect the output to a file, or use the `script` command to save the entire CLI session.
`'<`Rule UID`>'`	Specifies the UID of the rule you wish to delete. Important: The quote marks and angle brackets (`'<...>'`) are mandatory. To see the Rule UID, run the '`fw sam_policy get`' and '`fw6 sam_policy get`' commands.

Parameter

Description

-d

Enables the debug mode for the fw command. By default, writes to the screen.

Note - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

'<Rule UID>'

Specifies the UID of the rule you wish to delete.

Important:

The quote marks and angle brackets ('<...>') are mandatory.
To see the Rule UID, run the 'fw sam_policy get' and 'fw6 sam_policy get' commands.

Procedure

Step	Description
1	List all the existing rules in the Suspicious Activity Monitoring policy database: For IPv4: `fw sam_policy get` For IPv6: `fw6 sam_policy get` The rules show in this format: `operation=add uid=<`Value1`,`Value2`,`Value3`,`Value4`> target=... timeout=... action=... log= ... name= ... comment=... originator= ... src_ip_addr=... req_tpe=...` Example for IPv4: `operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip`
2	Delete a rule from the list by its UID. For IPv4: `fw [-d] sam_policy del '<`Rule UID`>'` For IPv6: `fw6 [-d] sam_policy del '<`Rule UID`>'` Example for IPv4: `fw samp del '<5ac3965f,00000000,3403a8c0,0000264a>'`
3	Enter this flush-only add rule: For IPv4: `fw samp add -t 2 quota flush true` For IPv6: `fw6 samp add -t 2 quota flush true` Explanation: The `fw samp del` and `fw6 samp del` commands only remove a rule from the persistent database. The Security Gateway continues to enforce the deleted rule until the next time you compiled and load a policy. To force the rule deletion immediately, you must enter a flush-only add rule right after the `fw samp del` and `fw6 samp del` command. This flush-only add rule immediately deletes the rule you specified in the previous step, and times out in 2 seconds. It is a good practice to specify a short timeout period for the flush-only rules. This prevents accumulation of rules that are obsolete in the database.

Step

Description

List all the existing rules in the Suspicious Activity Monitoring policy database:

For IPv4: fw sam_policy get

For IPv6: fw6 sam_policy get

The rules show in this format:

operation=add uid=<Value1,Value2,Value3,Value4> target=... timeout=... action=... log= ... name= ... comment=... originator= ... src_ip_addr=... req_tpe=...

Example for IPv4:

operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip

Delete a rule from the list by its UID.

For IPv4: fw [-d] sam_policy del '<Rule UID>'

For IPv6: fw6 [-d] sam_policy del '<Rule UID>'

Example for IPv4:

fw samp del '<5ac3965f,00000000,3403a8c0,0000264a>'

Enter this flush-only add rule:

For IPv4: fw samp add -t 2 quota flush true

For IPv6: fw6 samp add -t 2 quota flush true

Explanation:

The fw samp del and fw6 samp del commands only remove a rule from the persistent database. The Security Gateway continues to enforce the deleted rule until the next time you compiled and load a policy. To force the rule deletion immediately, you must enter a flush-only add rule right after the fw samp del and fw6 samp del command. This flush-only add rule immediately deletes the rule you specified in the previous step, and times out in 2 seconds. It is a good practice to specify a short timeout period for the flush-only rules. This prevents accumulation of rules that are obsolete in the database.