fwaccel dos allow / whitelist

Description

The fwaccel dos whitelist / fwaccel dos allow and fwaccel6 dos whitelist / fwaccel6 dos allow commands control the IP allow-list for source IP addresses in the SecureXL Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway. Penalty Box.

This allow list overrides which packet the SecureXL Penalty Box drops.

Important:

Starting from R80.40 Jumbo Hotfix Accumulator Take 92, these commands were renamed:
- from "fwaccel dos whitelist" to "fwaccel dos allow"
- from "fwaccel6 dos whitelist" to "fwaccel6 dos allow"
This command supports only IPv4.
In VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. mode, you must go to the context of an applicable Virtual System.In Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)., run: set virtual-system <VSID>In the Expert mode, run: vsenv <VSID>
In a Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you must configure all the Cluster Members in the same way.
This allow list overrides entries in the blacklist.

Before you use a 3rd-party or automatic blacklists, add trusted networks and hosts to the allow list to avoid outages.
This allow list unblocks IP Options and IP fragments from trusted sources when you explicitly configure one these SecureXL features:
- --enable-drop-opts
- --enable-drop-frags
See the fwaccel dos config command.

Notes:

To allow the Rate Limiting policy, refer to the bypass action of the fw samp command.

For example, fw samp -a b ...

For more information about the fw sam_policy command, see fw sam_policy.
This command is similar to the "fwaccel dos pbox {whitelist | allow}" command (see fwaccel dos pbox).
Also, see the fwaccel synatk allow / whitelist command.

Syntax for IPv4

fwaccel dos

{whitelist | allow}

-a <IPv4 Address>[/<Subnet Prefix>]

-d <IPv4 Address>[/<Subnet Prefix>]

-F

-l /<Path>/<Name of File>

-L

-s

Parameters

Parameter

Description

whitelist

allow

Starting from R80.40 Jumbo Hotfix Accumulator Take 92, the "allow" parameter replaces the "whitelist" parameter.

Controls the IP allow list.

No Parameters

Shows the applicable built-in usage.

-a <IPv4 Address>[/<Subnet Prefix>]

Adds the specified IP address to the Penalty Box allow list.

<IPv4 Address>

Can be an IPv4 address of a network or a host.
<Subnet Prefix>

Must specify the length of the subnet mask in the format /<bits>.

Optional for a host IPv4 address.

Mandatory for a network IPv4 address.

Range - from /1 to /32.

Important - If you do not specify the subnet prefix explicitly, this command uses the subnet prefix /32.

Examples:

For a host:

192.168.20.30

192.168.20.30/32
For a network:

192.168.20.0/24

-d <IPv4 Address>[/<Subnet Prefix>]

Removes the specified IPv4 address from the Penalty Box allow list.

<IPv4 Address>

Can be an IPv4 address of a network or a host.
<Subnet Prefix>

Optional. Must specify the length of the subnet mask in the format /<bits>.

Optional for a host IPv4 address.

Mandatory for a network IPv4 address.

Range - from /1 to /32.

Important - If you do not specify the subnet prefix explicitly, this command uses the subnet prefix /32.

-F

Removes (flushes) all entries from the Penalty Box allow list.

-l /<Path>/<Name of File>

Loads the Penalty Box allow list entries from the specified plain-text file.

Note - To replace the current deny list with the contents of a new file, use both the "-F" and "-L" parameters on the same command line.

Important:

You must manually create and configure this file with the touch or vi command.
You must assign at least the read permission to this file with the chmod +x command.
Each entry in this file must be on a separate line.
Each entry in this file must be in this format:

<IPv4 Address>[/<Subnet Prefix>]
SecureXL ignores empty lines and lines that start with the # character in this file.

-L

Loads the Penalty Box allow list entries from the plain-text file with a predefined name:

R80.40 and R80.40 Jumbo Hotfix Accumulator lower than Take 92:

$FWDIR/conf/dos-whitelist-v4.conf
Starting from R80.40 Jumbo Hotfix Accumulator Take 92:

$FWDIR/conf/dos-allow-list-v4.conf

Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. automatically runs this command "fwaccel dos pbox {whitelist | allow} -L" during each boot.

Note - To replace the current allow list with the contents of a new file, use both the "-F" and "-L" parameters on the same command line.

Important:

This file does not exist by default.
You must manually create and configure this file with the touch or vi command.
You must assign at least the read permission to this file with the chmod +x command.
Each entry in this file must be on a separate line.
Each entry in this file must be in this format:

<IPv4 Address>[/<Subnet Prefix>]
SecureXL ignores empty lines and lines that start with the # character in this file.

-N "<Name of IP Blacklist>"

Configures the name for the IP deny list.

This name appears in the Security Gateway logs.

Notes:

Maximal length is 79 characters.
You must only use ASCII characters.

-n

Shows the configured name for the IP deny list.

-s

Shows the current Penalty Box allow list entries.

Example 1 - Adding a host IP address without optional subnet prefix

[Expert@MyGW:0]# fwaccel dos allow -a 192.168.20.40
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos allow -s
192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos allow -F
[Expert@MyGW:0]# fwaccel dos allow -s
[Expert@MyGW:0]#

Example 2 - Adding a host IP address with optional subnet prefix

[Expert@MyGW:0]# fwaccel dos allow -a 192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos allow -s
192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos allow -F
[Expert@MyGW:0]# fwaccel dos allow -s
[Expert@MyGW:0]#

Example 3 - Adding a network IP address with mandatory subnet prefix

[Expert@MyGW:0]# fwaccel dos allow -a 192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos allow -s
192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos allow -F
[Expert@MyGW:0]# fwaccel dos allow -s
[Expert@MyGW:0]#

Example 4 - Deleting an entry

[Expert@MyGW:0]# fwaccel dos allow -a 192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos allow -a 192.168.20.70/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos allow -s
192.168.20.40/32
192.168.20.70/32
[Expert@MyGW:0]# fwaccel dos allow -d 192.168.20.70/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos allow -s
192.168.20.40/32
[Expert@MyGW:0]#