'g_fw sam_policy' and 'g_fw6 sam_policy'
Description
Manages the Suspicious Activity Policy editor that lets you work with Rate Limiting rules.
See sk112454: How to configure Rate Limiting rules for DoS Mitigation.
Notes:
- Configuration is supported only from the Command Line.
- You must run these commands on a single Security Group member in the Expert mode:
  - For IPv4: g_fw sam_policy ...
  - For IPv6: g_fw6 sam_policy ...
- You can run these commands interchangeably: 'g_fw sam_policy' and 'g_fw samp'.
- Security Group members store the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- Security Group members store the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.
Important:
- R80.30SP does not support the Suspicious Activity Monitoring (SAM) rules and the 'fw sam' command (see 02641733 in sk113255 and in sk148074).
- The Rate Limit is applied to each Security Group member and not globally.
- Configuration you make with these commands survives reboot.
- The SAM Policy rules consume some CPU resources on Security Group members. We recommend that you set an expiration that gives you time to investigate, but does not affect performance. The best practice is to keep only the SAM Policy rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.
- Support for VSX mode is planned (see sk155832).
Syntax for IPv4
g_fw [-d] sam_policy
      add <options>
      batch
      del <options>
      get <options>

g_fw [-d] samp
      add <options>
      batch
      del <options>
      get <options>
Syntax for IPv6
g_fw6 [-d] sam_policy
      add <options>
      batch
      del <options>
      get <options>

g_fw6 [-d] samp
      add <options>
      batch
      del <options>
      get <options>
Parameters
| Parameter | Description |
| --- | --- |
| -d | Runs the command in debug mode. Use only if you troubleshoot the command itself. |
| add <options> | Adds one Rate Limiting rule at a time. |
| batch | Adds or deletes many Rate Limiting rules at a time. Important - This parameter is not supported in R80.30SP (Known Limitation MBS-8143). |
| del <options> | Deletes one configured Rate Limiting rule at a time. |
| get <options> | Shows all the configured Rate Limiting rules. |