fwaccel dos config

Syntax for IPv4

fwaccel dos config

      get

      set

            {--disable-rate-limit | --enable-rate-limit}

            {--disable-pbox | --enable-pbox}

            {--disable-blacklists | --enable-blacklists}

            {--disable-deny-list | --enable-deny-list}

            {--disable-drop-frags | --enable-drop-frags}

            {--disable-drop-opts | --enable-drop-opts}

            {--disable-internal | --enable-internal}

            {--disable-monitor | --enable-monitor}

            {--disable-log-drops | --enable-log-drops}

            {--disable-log-pbox | --enable-log-pbox}

            {-n <NOTIF_RATE> | --notif-rate <NOTIF_RATE>}

            {-p <PBOX_RATE> | --pbox-rate <PBOX_RATE>}

            {-t <PBOX_TMO> | --pbox-tmo <PBOX_TMO>}

Syntax for IPv6

fwaccel6 dos config

      get

      set

            {--disable-rate-limit | --enable-rate-limit}

            {--disable-pbox | --enable-pbox}

            {--disable-blacklists | --enable-blacklists}

            {--disable-deny-list | --enable-deny-list}

            {--disable-drop-frags | --enable-drop-frags}

            {--disable-drop-opts | --enable-drop-opts}

            {--disable-internal | --enable-internal}

            {--disable-monitor | --enable-monitor}

            {--disable-log-drops | --enable-log-drops}

            {--disable-log-pbox | --enable-log-pbox}

            {-n <NOTIF_RATE> | --notif-rate <NOTIF_RATE>}

            {-p <PBOX_RATE> | --pbox-rate <PBOX_RATE>}

            {-t <PBOX_TMO> | --pbox-tmo <PBOX_TMO>}

Parameters and Options

Parameter or Option

Description

No Parameters

Shows the applicable built-in usage.

get

Shows the configuration parameters.

set <options>

Configures the parameters.

--disable-blacklists

--disable-deny-list

Starting from R80.40 Jumbo Hotfix Accumulator Take 92, the "--disable-deny-list" replaces the "--disable-blacklists" parameter.

Disables the IP deny lists.

This is the default configuration.

--disable-drop-frags

Disables the drops of all fragmented packets. This is the default configuration.

Important - This option applies to only VSX, and only for traffic that arrives at a Virtual System through a Virtual Switch (packets received through a Warp interface). From R80.20, IP Fragment reassembly occurs in SecureXL before the Warp-jump from a Virtual Switch to a Virtual System. To block IP fragments, the Virtual Switch must be configured with this option. Otherwise, this has no effect, because the IP fragments would already be reassembled when they arrive at the Virtual System's Warp interface.

--disable-drop-opts

Disables the drops of all packets with IP options.

This is the default configuration.

--disable-internal

Disables the enforcement on internal interfaces.

This is the default configuration.

--disable-log-drops

Disables the notifications when the DoS module drops a packet due to the rate limiting policy.

--disable-log-pbox

Disables the notifications when an administrator adds an IP address to the penalty box.

--disable-monitor

Disables the acceptance of all packets that otherwise would be dropped.

This is the default configuration.

--disable-pbox

Disables the IP penalty box.

This is the default configuration.

Also, see the fwaccel dos pbox command.

--disable-rate-limit

Disables the enforcement of the rate limiting policy.

This is the default configuration.

--enable-blacklists

--enable-deny-list

Starting from R80.40 Jumbo Hotfix Accumulator Take 92, the "--enable-deny-list" replaces the "--enable-blacklists" parameter.

Enables IP deny lists.

Also, see the fwaccel dos deny / blacklist command.

--enable-drop-frags

Enables the drops of all fragmented packets.

--enable-drop-opts

Enables the drops of all packets with IP options.

--enable-internal

Enables the enforcement on internal interfaces.

--enable-log-drops

Enables the notifications when the DoS module drops a packet due to the rate limiting policy.

This is the default configuration.

--enable-log-pbox

Enables the notifications when an administrator adds an IP address to the penalty box.

This is the default configuration.

--enable-monitor

Enables the acceptance of all packets that otherwise would be dropped.

--enable-pbox

Enables the IP penalty box.

Also, see the fwaccel dos pbox command.

--enable-rate-limit

Enables the enforcement of the rate limiting policy.

Important - After you run this command, you must install the Access Control policy.

-n <NOTIF_RATE>

--notif-rate <NOTIF_RATE>

Configures the maximal number of drop notifications per second for each SecureXL device.

Range: 0 - (2^32 - 1)

Default: 100

-p <PBOX_RATE>

--pbox-rate <PBOX_RATE>

Configures the minimal number of reported dropped packets before SecureXL adds a source IPv4 address to the penalty box.

Range: 0 - (2^32 - 1)

Default: 500

-t <PBOX_TMO>

--pbox-tmo <PBOX_TMO>

Configures the number of seconds until SecureXL removes an IP address from the penalty box.

Range: 0 - (2^32 - 1)

Default: 180

Example 1 - Get the current DoS configuration on a non-VSX Gateway

[Expert@MyGW:0]# fwaccel dos config get
    rate limit: enabled (without policy)
    rule cache: enabled
          pbox: disabled
     deny list: enabled (without policy)
    drop frags: disabled
     drop opts: disabled
      internal: disabled
       monitor: disabled
     log drops: enabled
      log pbox: enabled
    notif rate: 100 notifications/second
     pbox rate: 500 packets/second
      pbox tmo: 180 seconds
[Expert@MyGW:0]#

Example 2 - Enabling the Penalty Box on a non-VSX Gateway

[Expert@MyGW:0]# fwaccel dos config set --enable-pbox
OK
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos config get
    rate limit: enabled (without policy)
    rule cache: enabled
          pbox: enabled
     deny list: enabled (without policy)
    drop frags: disabled
     drop opts: disabled
      internal: disabled
       monitor: disabled
     log drops: enabled
      log pbox: enabled
    notif rate: 100 notifications/second
     pbox rate: 500 packets/second
      pbox tmo: 180 seconds
[Expert@MyGW:0]#

Making the configuration persistent

The settings defined with the "fwaccel dos config set" and the "fwaccel6 dos config set" commands return to their default values during each reboot. To make these settings persistent, add the applicable commands to these configuration files:

File

Description

$FWDIR/conf/fwaccel_dos_rate_on_install

This shell script for IPv4 must contain only the "fwaccel dos config set" commands:

#!/bin/bash
fwaccel dos config set <options>

$FWDIR/conf/fwaccel6_dos_rate_on_install

This shell script for IPv6 must contain only the "fwaccel6 dos config set" commands:

#!/bin/bash
fwaccel6 dos config set <options>

Important - Do not include the fw sam_policy commands in these configuration files. The configured Rate Limiting policy survives reboot. If you add the "fw sam_policy" commands, the rate policy installer runs in an infinite loop.

Notes:

Example of a $FWDIR/conf/fwaccel_dos_rate_on_install file:

#!/bin/bash
fwaccel dos config set --enable-internal
fwaccel dos config set --enable-pbox
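Because the "fwaccel dos config set" values revert to defaults on reboot, it is worth verifying after a restart that the gateway still runs the intended settings. The following is an added example, not part of the Check Point documentation: a POSIX shell check that parses the output format shown in Example 1 and reports every setting that differs from the values an administrator intends to keep. The sample output and the expected values are constructed for the example.

```shell
#!/bin/bash
# Added example (not Check Point code): detect drift between the live
# "fwaccel dos config get" output and the settings expected to be persistent.

# Constructed sample, in the format printed by "fwaccel dos config get".
SAMPLE_GET_OUTPUT='    rate limit: enabled (without policy)
    rule cache: enabled
          pbox: disabled
     deny list: enabled (without policy)
    drop frags: disabled
     drop opts: disabled
      internal: disabled
       monitor: disabled
     log drops: enabled
      log pbox: enabled
    notif rate: 100 notifications/second
     pbox rate: 500 packets/second
      pbox tmo: 180 seconds'

# dos_setting OUTPUT KEY: print the first word of KEY's value
# ("enabled", "disabled", "100", ...), or nothing if KEY is absent.
dos_setting() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^ ]*\).*/\1/p"
}

# dos_config_drift OUTPUT "key=expected" ...: print one line per mismatch;
# return 1 if any setting drifted, 0 if all match.
dos_config_drift() {
    output=$1; shift
    rc=0
    for want in "$@"; do
        key=${want%%=*}
        expected=${want#*=}
        actual=$(dos_setting "$output" "$key")
        if [ "$actual" != "$expected" ]; then
            printf 'drift: %s is "%s", expected "%s"\n' \
                "$key" "${actual:-<missing>}" "$expected"
            rc=1
        fi
    done
    return $rc
}

# On a gateway, replace "$SAMPLE_GET_OUTPUT" with "$(fwaccel dos config get)".
if dos_config_drift "$SAMPLE_GET_OUTPUT" "pbox=enabled" "internal=enabled" "pbox tmo=180"; then
    echo "no drift"
fi
```

Run it from cron or after each policy install and alert on a non-zero exit status; with the sample above it reports that "pbox" and "internal" are disabled although the persistence file expects them enabled.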