-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-v
    Enables verbose mode.
    In this mode, the command writes one message to stderr for each Security Gateway on which the command is enforced. These messages show whether the command was successful or not.

-s <SAM Server>
    Specifies the IP address (in the X.X.X.X format) or resolvable HostName of the Security Gateway that enforces the command.
    The default is localhost.

-S <SIC Name of SAM Server>
    Specifies the name of the SAM server to be contacted. The SAM server is expected to have this SIC name; otherwise, the connection fails.
    Notes:
    - If you do not explicitly specify the SIC name, the connection continues without SIC name comparison.
    - For more information about enabling SIC, refer to the OPSEC API Specification.
    - On , run the fw vsx showncs -vs <VSID> command to show the SIC name for the applicable .

-f <Security Gateway>
    Specifies the Security Gateway on which to enforce the action.
    <Security Gateway> can be one of these:
    - All - Default. Specifies to enforce the action on all managed Security Gateways, where SAM Server runs.
      You can use this syntax only on Security Management Server or .
    - localhost - Specifies to enforce the action on this local Check Point computer (on which the fw sam command is executed).
      You can use this syntax only on Security Gateway or .
    - Gateways - Specifies to enforce the action on all objects defined as Security Gateways, on which SAM Server runs.
      You can use this syntax only on Security Management Server or Domain Management Server.
    - Name of Security Gateway object - Specifies to enforce the action on this specific Security Gateway object.
      You can use this syntax only on Security Management Server or Domain Management Server.
    - Name of Group object - Specifies to enforce the action on all specific Security Gateways in this Group object.
    Notes:

-D
    Cancels all inhibit ("-i", "-j", "-I", "-J") and notify ("-n") parameters.
    Notes:
    - To "uninhibit" the inhibited connections, run the fw sam command with the "-C" or "-D" parameter.
    - It is also possible to use this command for SAM requests.

-C
    Cancels the fw sam command that inhibits connections with the specified parameters.
    Notes:
    - These connections are no longer inhibited (no longer rejected or dropped).
    - The command parameters must match the parameters in the original fw sam command, except for the -t <Timeout> parameter.

-t <Timeout>
    Specifies the time period (in seconds) during which the action is enforced.
    The default is forever, or until you cancel the fw sam command.

-l <Log Type>
    Specifies the type of the log for the enforced action:
    - nolog - Does not generate a Log / Alert at all
    - short_noalert - Generates a Log
    - short_alert - Generates an Alert
    - long_noalert - Generates a Log
    - long_alert - Generates an Alert (this is the default)

-e <key=val>+
    Specifies information based on the keys and the provided values.
    Multiple keys are separated by the plus sign (+).
    Available keys are (each is limited to 100 characters):
    - name - Security rule name
    - comment - Security rule comment
    - originator - Security rule originator's username

-r
    Specifies not to resolve IP addresses.

-n
    Specifies to generate a "Notify" long-format log entry.
    Notes:

-i
    Inhibits (drops or rejects) new connections with the specified parameters.
    Notes:

-I
    Inhibits (drops or rejects) new connections with the specified parameters, and closes all existing connections with the specified parameters.
    Notes:

-j
    Inhibits (drops or rejects) new connections with the specified parameters.
    Notes:

-J
    Inhibits new connections with the specified parameters, and closes all existing connections with the specified parameters.
    Notes:

-b
    Bypasses new connections with the specified parameters.

-q
    Quarantines new connections with the specified parameters.

-M
    Monitors the active SAM requests with the specified actions and criteria.

all
    Gets all active SAM requests. This is used for monitoring purposes only.

<Criteria>
    Criteria are used to match connections.
    The criteria are composed of various combinations of the following parameters.

    Possible combinations are (see the explanations below this table):
    - src <IP>
    - dst <IP>
    - any <IP>
    - subsrc <IP> <Netmask>
    - subdst <IP> <Netmask>
    - subany <IP> <Netmask>
    - srv <Src IP> <Dest IP> <Port> <Protocol>
    - subsrv <Src IP> <Src Netmask> <Dest IP> <Dest Netmask> <Port> <Protocol>
    - subsrvs <Src IP> <Src Netmask> <Dest IP> <Port> <Protocol>
    - subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port> <Protocol>
    - dstsrv <Dest IP> <Port> <Protocol>
    - subdstsrv <Dest IP> <Dest Netmask> <Port> <Protocol>
    - srcpr <IP> <Protocol>
    - dstpr <IP> <Protocol>
    - subsrcpr <IP> <Netmask> <Protocol>
    - subdstpr <IP> <Netmask> <Protocol>
    - generic <key=val>
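The criteria table above and the -C note (cancel parameters must match the original command except -t) are the two things operators get wrong most often, so here is an added helper, not Check Point's code, that assembles an fw sam command line, checks that each criterion keyword gets the number of arguments the table lists, and derives the matching cancel command. It assumes -C is given alongside the original inhibit flag, that a timeout of 0 means "forever" (no -t), and the sample addresses are constructed; it only prints command lines and never executes fw sam.

```shell
# Number of arguments each <Criteria> keyword takes, taken from the table above.
# "generic <key=val>" is counted as one argument (assumption).
sam_arity() {
  case "$1" in
    src|dst|any|generic)               echo 1 ;;
    subsrc|subdst|subany|srcpr|dstpr)  echo 2 ;;
    dstsrv|subsrcpr|subdstpr)          echo 3 ;;
    srv|subdstsrv)                     echo 4 ;;
    subsrvs|subsrvd)                   echo 5 ;;
    subsrv)                            echo 6 ;;
    *)                                 echo 0 ;;
  esac
}

# fw_sam_cmd ACTION TARGET TIMEOUT CRITERION ARGS...
#   ACTION   one of -n -i -I -j -J -b -q
#   TARGET   value for -f (All, localhost, Gateways, or an object name)
#   TIMEOUT  seconds for -t; 0 means forever, so -t is omitted
# Prints the command line, or prints the reason to stderr and returns 1.
fw_sam_cmd() {
  action=$1; target=$2; timeout=$3; crit=$4; shift 4
  case "$action" in
    -n|-i|-I|-j|-J|-b|-q) ;;
    *) echo "unknown action: $action" >&2; return 1 ;;
  esac
  want=$(sam_arity "$crit")
  [ "$want" -gt 0 ] || { echo "unknown criterion: $crit" >&2; return 1; }
  [ "$#" -eq "$want" ] || { echo "$crit expects $want args, got $#" >&2; return 1; }
  cmd="fw sam -v -f $target"
  if [ "$timeout" -gt 0 ]; then cmd="$cmd -t $timeout"; fi
  echo "$cmd $action $crit $*"
}

# fw_sam_cancel "<enforcing command>"
# Derives the cancel command the -C notes require: identical parameters,
# with -t <Timeout> removed and -C added in front of the inhibit flag.
fw_sam_cancel() {
  printf '%s\n' "$1" | sed -e 's/ -t [0-9][0-9]* / /' -e 's/ -\([iIjJ]\) / -C -\1 /'
}

# Constructed sample: block SSH from one subnet to one host for ten minutes,
# then show the command that lifts that block again.
block=$(fw_sam_cmd -I All 600 subsrv 10.1.1.0 255.255.255.0 10.2.2.5 255.255.255.255 22 6)
echo "$block"
fw_sam_cancel "$block"
```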