R80.40 Performance Tuning Administration Guide

fwaccel dos deny / blacklist

Description

The fwaccel dos blacklist / fwaccel dos deny and fwaccel6 dos blacklist / fwaccel6 dos deny commands control the IP deny list in SecureXL Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway..

The deny list blocks all traffic to and from the specified IP addresses.

The deny list drops occur in SecureXL, which is more efficient than an Access Control Policy to drop the packets.

Important:

Starting from R80.40 Jumbo Hotfix Accumulator Take 92, these commands were renamed:
- from "fwaccel dos blacklist" to "fwaccel dos deny"
- from "fwaccel6 dos blacklist" to "fwaccel6 dos deny"
In VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. mode, you must go to the context of an applicable Virtual System.In Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)., run: set virtual-system <VSID>In the Expert mode, run: vsenv <VSID>
In a Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you must configure all the Cluster Members in the same way.
To enforce the IP deny list in SecureXL, you must first enable the IP deny lists.

See these commands:
- fwaccel dos config
- fw sam_policy (configure more granular rules)

Syntax for IPv4

fwaccel dos

{blacklist | deny}

-a <IPv4 Address>

-d <IPv4 Address>

-F

-l /<Path>/<Name of File>

-L

-N "<Name of IP Deny List>"

-n

-s

Syntax for IPv6

fwaccel6 dos

{blacklist | deny}

-a <IPv6 Address>

-d <IPv6 Address>

-F

-l /<Path>/<Name of File>

-L

-N "<Name of IP Deny List>"

-n

-s

Parameters

Parameter	Description
`blacklist` `deny`	Starting from R80.40 Jumbo Hotfix Accumulator Take 92, the "`deny`" parameter replaces the "`blacklist`" parameter. Controls the IP deny list.
No Parameters	Shows the applicable built-in usage.
`-a <IP Address>`	Adds the specified IP address to the deny list. To add more than one IP address, run this command for each applicable IP address.
`-d <IP Address>`	Removes the specified IP addresses from the deny list. To remove more than one IP address, run this command for each applicable IP address.
`-F`	Removes (flushes) all IP addresses from the deny list.
`-l /<Path>/<Name of File>`	Loads the Penalty Box deny list entries from the specified plain-text file. Notes: To replace the current allow list with the contents of a new file, use both the "`-F`" and "`-l`" parameters on the same command line. You can use this parameter several times to load entries from different files. Important: You must manually create and configure this file with the `touch` or `vi` command. You must assign at least the read permission to this file with the `chmod +x` command. Each entry in this file must be on a separate line. Each entry in this file must be in this format: `<IPv4 Address>[/<Subnet Prefix>]` SecureXL ignores empty lines and lines that start with the # character in this file.
`-L`	Loads the Penalty Box deny list entries from all plain-text files located in the predefined directory: R80.40 and R80.40 Jumbo Hotfix Accumulator lower than Take 92: `$FWDIR/conf/blacklists/` Starting from R80.40 Jumbo Hotfix Accumulator Take 92: `$FWDIR/conf/deny_lists/` Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. automatically runs this command "`fwaccel dos pbox {whitelist \| allow} -L`" during each boot. Note - To replace the current deny list with the contents of a new file, use both the "`-F`" and "`-L`" parameters on the same command line. Important: This files in this directory do not exist by default. You must manually create and configure these files with the `touch` or `vi` command. You must assign at least the read permission to these files with the `chmod +x` command. Each entry in these files must be on a separate line. Each entry in these files must be in this format: `<IPv4 Address>[/<Subnet Prefix>]` SecureXL ignores empty lines and lines that start with the # character in these files.
`-s`	Shows the configured deny list.

Example from a non-VSX Gateway

[Expert@MyGW:0]# fwaccel dos deny -s
The deny list is empty
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -a 1.1.1.1
Adding 1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
1.1.1.1
[Expert@MyGW:0]# fwaccel dos deny -a 2.2.2.2
Adding 2.2.2.2
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
2.2.2.2
1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -d 2.2.2.2
Deleting 2.2.2.2
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -F
All deny list entries deleted
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
The deny list is empty
[Expert@MyGW:0]#

04 July 2024

© 2020 - 2024 Check Point Software Technologies Ltd.