fw sam_policy

Description

Manages the Suspicious Activity Policy editor that works with these types of rules:

Suspicious Activity Monitoring (SAM) rules.

See sk112061: How to create and view Suspicious Activity Monitoring (SAM) Rules.
Rate Limiting rules.

See sk112454: How to configure Rate Limiting rules for DoS Mitigation.

Also, see these commands:

Notes:

These commands are interchangeable:
- For IPv4: "fw sam_policy" and "fw samp".
- For IPv6: "fw6 sam_policy" and "fw6 samp".
You can run these commands in Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)., or Expert mode.
Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:

Configuration you make with these commands, survives reboot.
VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
In VSX mode, you must go to the context of an applicable Virtual System Virtual Device on a VSX Gateway or VSX Cluster Member that implements the functionality of a Security Gateway. Acronym: VS..
- In Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Clish, run: set virtual-system <VSID>
- In the Expert mode, run: vsenv <VSID>
In a Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection., educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy

add <options>

batch

del <options>

get <options>

fw [-d] samp

add <options>

batch

del <options>

get <options>

Syntax for IPv6

fw6 [-d] sam_policy

add <options>

batch

del <options>

get <options>

fw6 [-d] samp

add <options>

batch

del <options>

get <options>

Parameters

Parameter

Description

-d

Runs the command in debug mode.

Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

add <options>

Adds one Rate Limiting rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. one at a time.

See fw sam_policy add.

batch

Adds or deletes many Rate Limiting rules at a time.

See fw sam_policy batch.

del <options>

Deletes one configured Rate Limiting rule one at a time.

See fw sam_policy del.

get <options>

Shows all the configured Rate Limiting rules.

See fw sam_policy get.