fw sam

Description

Manages the Suspicious Activity Monitoring (SAM) rules. You can use the SAM rules to block connections to and from IP addresses without the need to change or reinstall the Security Policy. For more information, see sk112061.

You can create the Suspicious Activity Rules in two ways:

Notes:

Note - To configure SAM Server settings for a Security Gateway or Cluster:

  1. Connect with SmartConsole to the applicable Security Management Server or Domain Management Server.

  2. From the left navigation panel, click Gateways & Servers.

  3. Open the Security Gateway or Cluster object.

  4. From the left tree, click Other > SAM.

  5. Configure the settings.

  6. Click OK.

  7. Install the Access Control Policy on this Security Gateway or Cluster object.

Syntax

  • To add or cancel a SAM rule according to criteria:

    fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-t <Timeout>] [-l <Log Type>] [-C] [-e <key=val>]+ [-r] -{n|i|I|j|J} <Criteria>

  • To delete all SAM rules:

    fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] -D

  • To monitor all SAM rules:

    fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-r] -M -{i|j|n|b|q} all

  • To monitor SAM rules according to criteria:

    fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-r] -M -{i|j|n|b|q} <Criteria>

Parameters

Parameter

Description

-d

Runs the command in debug mode.

Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-v

Enables verbose mode.

In this mode, the command writes one message to stderr for each Security Gateway on which the command is enforced. These messages show whether the command succeeded or failed on that gateway.

-s <SAM Server>

Specifies the IP address (in the X.X.X.X format) or resolvable HostName of the Security Gateway that enforces the command.

The default is localhost.

-S <SIC Name of SAM Server>

Specifies the SIC name of the SAM server to be contacted. The SAM server is expected to have this SIC name; otherwise the connection fails.

Notes:

-f <Security Gateway>

Specifies the Security Gateway on which to enforce the action.

<Security Gateway> can be one of these:

Notes:

  • You can use this syntax only on Security Management Server or Domain Management Server.

  • VSX Gateways and VSX Cluster Members do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.

-D

Cancels all inhibit ("-i", "-j", "-I", "-J") and notify ("-n") parameters.

Notes:

-C

Cancels the fw sam command that inhibits connections with the specified parameters.

Notes:

  • These connections are no longer inhibited (no longer rejected or dropped).

  • The command parameters must match the parameters in the original fw sam command, except for the -t <Timeout> parameter.

-t <Timeout>

Specifies the time period (in seconds) during which the action is enforced.

The default is forever, or until you cancel the fw sam command.

-l <Log Type>

Specifies the type of the log for enforced action:

  • nolog - Does not generate Log / Alert at all

  • short_noalert - Generates a Log

  • short_alert - Generates an Alert

  • long_noalert - Generates a Log

  • long_alert - Generates an Alert (this is the default)

-e <key=val>+

Specifies rule information based on the keys and the provided values.

Multiple keys are separated by the plus sign (+).

Available keys are (each is limited to 100 characters):

  • name - Security rule name

  • comment - Security rule comment

  • originator - Security rule originator's username

-r

Specifies that IP addresses are not resolved to hostnames.

-n

Specifies to generate a "Notify" long-format log entry.

Notes:

  • This parameter generates an alert when connections that match the specified services or IP addresses pass through the Security Gateway.

  • This action does not inhibit / close connections.

-i

Inhibits (drops or rejects) new connections with the specified parameters.

Notes:

  • Each inhibited connection is logged according to the log type.

  • Matching connections are rejected.

-I

Inhibits (drops or rejects) new connections with the specified parameters, and closes all existing connections with the specified parameters.

Notes:

  • Matching connections are rejected.

  • Each inhibited connection is logged according to the log type.

-j

Inhibits (drops or rejects) new connections with the specified parameters.

Notes:

  • Matching connections are dropped.

  • Each inhibited connection is logged according to the log type.

-J

Inhibits new connections with the specified parameters, and closes all existing connections with the specified parameters.

Notes:

  • Matching connections are dropped.

  • Each inhibited connection is logged according to the log type.

-b

Bypasses new connections with the specified parameters.

-q

Quarantines new connections with the specified parameters.

-M

Monitors the active SAM requests with the specified actions and criteria.

all

Gets all active SAM requests. This is used for monitoring purposes only.

<Criteria>

Criteria are used to match connections.

The criteria are composed of various combinations of the following parameters:

Possible combinations are (see the explanations below this table):

  • src <IP>

  • dst <IP>

  • any <IP>

  • subsrc <IP> <Netmask>

  • subdst <IP> <Netmask>

  • subany <IP> <Netmask>

  • srv <Src IP> <Dest IP> <Port> <Protocol>

  • subsrv <Src IP> <Src Netmask> <Dest IP> <Dest Netmask> <Port> <Protocol>

  • subsrvs <Src IP> <Src Netmask> <Dest IP> <Port> <Protocol>

  • subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port> <Protocol>

  • dstsrv <Dest IP> <Port> <Protocol>

  • subdstsrv <Dest IP> <Dest Netmask> <Port> <Protocol>

  • srcpr <IP> <Protocol>

  • dstpr <IP> <Protocol>

  • subsrcpr <IP> <Netmask> <Protocol>

  • subdstpr <IP> <Netmask> <Protocol>

  • generic <key=val>

Explanation for the <Criteria> syntax

Parameter

Description

src <IP>

Matches the Source IP address of the connection.

dst <IP>

Matches the Destination IP address of the connection.

any <IP>

Matches either the Source IP address or the Destination IP address of the connection.

subsrc <IP> <Netmask>

Matches the Source IP address of the connections according to the netmask.

subdst <IP> <Netmask>

Matches the Destination IP address of the connections according to the netmask.

subany <IP> <Netmask>

Matches either the Source IP address or Destination IP address of connections according to the netmask.

srv <Src IP> <Dest IP> <Port> <Protocol>

Matches the specific Source IP address, Destination IP address, Service (port number) and Protocol.

subsrv <Src IP> <Src Netmask> <Dest IP> <Dest Netmask> <Port> <Protocol>

Matches the specific Source IP address, Destination IP address, Service (port number) and Protocol.

Source and Destination IP addresses are assigned according to the netmask.

subsrvs <Src IP> <Src Netmask> <Dest IP> <Port> <Protocol>

Matches the specific Source IP address (according to the source netmask), Destination IP address, Service (port number) and Protocol.

subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port> <Protocol>

Matches specific Source IP address, Destination IP, destination netmask, Service (port number) and Protocol.

dstsrv <Dest IP> <Port> <Protocol>

Matches specific Destination IP address, Service (port number) and Protocol.

subdstsrv <Dest IP> <Netmask> <Port> <Protocol>

Matches specific Destination IP address, Service (port number) and Protocol.

Destination IP address is assigned according to the netmask.

srcpr <IP> <Protocol>

Matches the Source IP address and protocol.

dstpr <IP> <Protocol>

Matches the Destination IP address and protocol.

subsrcpr <IP> <Netmask> <Protocol>

Matches the Source IP address and protocol of connections.

Source IP address is assigned according to the netmask.

subdstpr <IP> <Netmask> <Protocol>

Matches the Destination IP address and protocol of connections.

Destination IP address is assigned according to the netmask.

generic <key=val>+

Matches the GTP connections based on the specified keys and provided values.

Multiple keys are separated by the plus sign (+).

Available keys are:

  • service=gtp

  • imsi

  • msisdn

  • apn

  • tunl_dst

  • tunl_dport

  • tunl_proto
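The following Python helper is an added example, not Check Point code: it assembles fw sam argument lists from the syntax and <Criteria> forms documented above, validates the IPv4 and port tokens before anything is sent to the gateway, and derives the matching cancel command (same parameters with -C added and -t removed, as the -C notes require). The function names, the constructed sample addresses and the decision to validate only dotted IPv4 tokens are assumptions of this example.

```python
import ipaddress
import shlex

# Criteria forms from the reference: kind -> (address/netmask tokens, trailing tokens).
# Trailing tokens are <Port> <Protocol> (2) for the srv family and <Protocol> (1) for the pr family.
CRITERIA = {
    "src": (1, 0), "dst": (1, 0), "any": (1, 0),
    "subsrc": (2, 0), "subdst": (2, 0), "subany": (2, 0),
    "srv": (2, 2), "subsrv": (4, 2), "subsrvs": (3, 2), "subsrvd": (3, 2),
    "dstsrv": (1, 2), "subdstsrv": (2, 2),
    "srcpr": (1, 1), "dstpr": (1, 1), "subsrcpr": (2, 1), "subdstpr": (2, 1),
}
ACTIONS = {"n", "i", "I", "j", "J"}          # notify / reject / reject+close / drop / drop+close
LOG_TYPES = {"nolog", "short_noalert", "short_alert", "long_noalert", "long_alert"}
EXTRA_KEYS = {"name", "comment", "originator"}  # -e keys, each limited to 100 characters


def validate_criteria(criteria):
    """Check arity, IPv4 tokens and port range of one <Criteria> list; return it unchanged."""
    kind, *vals = criteria
    if kind not in CRITERIA:
        raise ValueError(f"unknown criteria type {kind!r}")
    n_addr, n_tail = CRITERIA[kind]
    if len(vals) != n_addr + n_tail:
        raise ValueError(f"{kind} expects {n_addr + n_tail} values, got {len(vals)}")
    for tok in vals[:n_addr]:
        ipaddress.IPv4Address(tok)  # raises ValueError unless the token is X.X.X.X
    if n_tail == 2 and not 0 < int(vals[n_addr]) < 65536:
        raise ValueError(f"port {vals[n_addr]} out of range")
    return list(criteria)


def build_sam_args(action, criteria, timeout=None, log=None, extra=None):
    """Return the argv list for 'fw sam'; validates every parameter before use."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action -{action}")
    args = ["fw", "sam"]
    if timeout is not None:
        if int(timeout) <= 0:
            raise ValueError("timeout must be a positive number of seconds")
        args += ["-t", str(int(timeout))]
    if log is not None:
        if log not in LOG_TYPES:
            raise ValueError(f"unknown log type {log!r}")
        args += ["-l", log]
    if extra:
        bad = [k for k, v in extra.items() if k not in EXTRA_KEYS or len(v) > 100]
        if bad:
            raise ValueError(f"invalid -e keys: {bad}")
        args += ["-e", "+".join(f"{k}={v}" for k, v in extra.items())]
    return args + [f"-{action}"] + validate_criteria(criteria)


def cancel_args(inhibit_args):
    """Derive the matching cancel command: drop -t <Timeout>, add -C before the action flag."""
    out, skip = [], False
    for tok in inhibit_args:
        if skip:                 # skip the value that followed -t
            skip = False
            continue
        if tok == "-t":
            skip = True
            continue
        if tok in {"-n", "-i", "-I", "-j", "-J"}:
            out.append("-C")
        out.append(tok)
    return out


def render(args):
    """Shell-quoted command line for display or for pasting into the gateway CLI."""
    return shlex.join(args)
```

Constructed sample: build_sam_args("J", ["src", "192.0.2.10"], timeout=3600, log="long_alert") produces the one-hour drop-and-close rule for 192.0.2.10, and cancel_args() on its result gives the -C command that lifts it.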