fwaccel dos config

Syntax for IPv4

fwaccel [-i <SecureXL ID>] dos config

      get

      set

            {--disable-blacklists | --enable-blacklists}

            {--disable-drop-frags | --enable-drop-frags}

            {--disable-drop-opts | --enable-drop-opts}

            {--disable-internal | --enable-internal}

            {--disable-log-drops | --enable-log-drops}

            {--disable-log-pbox | --enable-log-pbox}

            {--disable-monitor | --enable-monitor}

            {--disable-pbox | --enable-pbox}

            {--disable-rate-limit | --enable-rate-limit}

            {--disable-rule-cache | --enable-rule-cache}

            {-n <NOTIF_RATE> | --notif-rate <NOTIF_RATE>}

            {-p <PBOX_RATE> | --pbox-rate <PBOX_RATE>}

            {-t <PBOX_TMO> | --pbox-tmo <PBOX_TMO>}

Syntax for IPv6

fwaccel6 dos config

      get

      set

            {--disable-blacklists | --enable-blacklists}

            {--disable-drop-frags | --enable-drop-frags}

            {--disable-drop-opts | --enable-drop-opts}

            {--disable-internal | --enable-internal}

            {--disable-log-drops | --enable-log-drops}

            {--disable-log-pbox | --enable-log-pbox}

            {--disable-monitor | --enable-monitor}

            {--disable-pbox | --enable-pbox}

            {--disable-rate-limit | --enable-rate-limit}

            {--disable-rule-cache | --enable-rule-cache}

            {-n <NOTIF_RATE> | --notif-rate <NOTIF_RATE>}

            {-p <PBOX_RATE> | --pbox-rate <PBOX_RATE>}

            {-t <PBOX_TMO> | --pbox-tmo <PBOX_TMO>}

Parameters and Options

Parameter or Option

Description

-i <SecureXL ID>

Specifies the SecureXL instance ID (for IPv4 only).

No Parameters

Shows the applicable built-in usage.

get

Shows the configuration parameters.

set <options>

Configures the parameters.

--disable-blacklists

Disables the IP blacklists.

This is the default configuration.

--disable-drop-frags

Disables the drops of all fragmented packets. This is the default configuration.

Important - This option applies only to VSX, and only for traffic that arrives at a Virtual System through a Virtual Switch (VSW), that is, packets received through a Warp interface. From R80.20, IP Fragment reassembly occurs in SecureXL before the Warp-jump from a Virtual Switch to a Virtual System. To block IP fragments, the Virtual Switch must be configured with this option. Otherwise, this option has no effect, because the IP fragments are already reassembled when they arrive at the Virtual System's Warp interface.

--disable-drop-opts

Disables the drops of all packets with IP options.

This is the default configuration.

--disable-internal

Disables the enforcement on internal interfaces.

This is the default configuration.

--disable-log-drops

Disables the notifications when the DoS module drops a packet due to the rate limiting policy.

--disable-log-pbox

Disables the notifications when an administrator adds an IP address to the penalty box.

--disable-monitor

Disables the monitor-only mode.

This is the default configuration.

This command affects all Rate Limiting features.

Also, see the fwaccel dos deny command.

--disable-pbox

Disables the IP penalty box.

This is the default configuration.

Also, see the fwaccel dos pbox command.

--disable-rate-limit

Disables the enforcement of the rate limiting policy.

This is the default configuration.

--disable-rule-cache

Disables the caching of Rate Limiting rule matches.

This optimizes the performance for large numbers of connections-per-second.

--enable-blacklists

Enables IP blacklists.

Also, see the fwaccel dos deny command.

--enable-drop-frags

Enables the drops of all fragmented packets.

--enable-drop-opts

Enables the drops of all packets with IP options.

--enable-internal

Enables the enforcement on internal interfaces.

--enable-log-drops

Enables the notifications when the DoS module drops a packet due to the rate limiting policy.

This is the default configuration.

--enable-log-pbox

Enables the notifications when an administrator adds an IP address to the penalty box.

This is the default configuration.

--enable-monitor

Enables the monitor-only mode (accepts all packets that otherwise are dropped).

This command affects all Rate Limiting features.

Also, see the fwaccel dos deny command.

--enable-pbox

Enables the IP penalty box.

Also, see the fwaccel dos pbox command.

--enable-rate-limit

Enables the enforcement of the rate limiting policy.

Important - After you run this command, you must install the Access Control policy.

--enable-rule-cache

Enables the caching of Rate Limiting rule matches.

This optimizes the performance for large numbers of packets-per-connection.

This is the default configuration.

-n <NOTIF_RATE>

--notif-rate <NOTIF_RATE>

Configures the maximal number of drop notifications per second for each SecureXL device.

Range: 0 - (2^32 - 1)

Default: 100

-p <PBOX_RATE>

--pbox-rate <PBOX_RATE>

Configures the minimal number of reported dropped packets before SecureXL adds a source IPv4 address to the penalty box.

Range: 0 - (2^32 - 1)

Default: 500

-t <PBOX_TMO>

--pbox-tmo <PBOX_TMO>

Configures the number of seconds until SecureXL removes an IP address from the penalty box.

Range: 0 - (2^32 - 1)

Default: 180

Example 1 - Get the current DoS configuration on a non-VSX Gateway

[Expert@MyGW:0]# fwaccel dos config get
   rate limit: disabled (without policy)
         pbox: disabled
   blacklists: disabled
log blacklist: disabled
   drop frags: disabled
    drop opts: disabled
     internal: disabled
      monitor: disabled
    log drops: disabled
     log pbox: disabled
   notif rate: 100 notifications/second
    pbox rate: 500 packets/second
     pbox tmo: 180 seconds
[Expert@MyGW:0]#

Example 2 - Enabling the Penalty Box on a non-VSX Gateway

[Expert@MyGW:0]# fwaccel dos config set --enable-pbox
OK
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos config get
   rate limit: disabled (without policy)
         pbox: enabled
   blacklists: disabled
   drop frags: disabled
    drop opts: disabled
     internal: disabled
      monitor: disabled
    log drops: enabled
     log pbox: enabled
   notif rate: 100 notifications/second
    pbox rate: 500 packets/second
     pbox tmo: 180 seconds
[Expert@MyGW:0]#

Making the configuration persistent

The settings defined with the "fwaccel dos config set" and the "fwaccel6 dos config set" commands return to their default values during each reboot. To make these settings persistent, add the applicable commands to these configuration files:

File

Description

$FWDIR/conf/fwaccel_dos_rate_on_install

This shell script for IPv4 must contain only the "fwaccel dos config set" commands:

#!/bin/bash
fwaccel dos config set <options>

$FWDIR/conf/fwaccel6_dos_rate_on_install

This shell script for IPv6 must contain only the "fwaccel6 dos config set" commands:

#!/bin/bash
fwaccel6 dos config set <options>

Important - Do not include the fw sam_policy commands in these configuration files. The configured Rate Limiting policy survives reboot. If you add the "fw sam_policy" commands, the rate policy installer runs in an infinite loop.

Notes:

Example of a $FWDIR/conf/fwaccel_dos_rate_on_install file:

#!/bin/bash
fwaccel dos config set --enable-internal
fwaccel dos config set --enable-pbox
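Because the settings revert on every reboot, it is worth verifying that the running DoS configuration still matches what the on_install script is meant to apply. The following audit script is an added example, not part of the Check Point documentation: it parses the "fwaccel dos config get" output format shown in the examples above and reports any setting that drifted from the intended values. The sample output is constructed from Example 2 so that the script runs offline; on a gateway, replace it with the real command output.

```shell
#!/bin/bash
# Added example (not from the Check Point documentation): audit whether the
# running SecureXL DoS settings match the intended persistent configuration.
# SAMPLE_GET_OUTPUT is constructed from Example 2 above; on a real gateway use:
#   SAMPLE_GET_OUTPUT=$(fwaccel dos config get)
SAMPLE_GET_OUTPUT='   rate limit: disabled (without policy)
         pbox: enabled
   blacklists: disabled
   drop frags: disabled
    drop opts: disabled
     internal: disabled
      monitor: disabled
    log drops: enabled
     log pbox: enabled
   notif rate: 100 notifications/second
    pbox rate: 500 packets/second
     pbox tmo: 180 seconds'

# dos_value OUTPUT KEY -> prints the first word of KEY's value ("enabled", "500", ...)
dos_value() {
    printf '%s\n' "$1" | awk -F': *' -v k="$2" '
        { sub(/^[ \t]+/, "", $1) }
        $1 == k { split($2, v, " "); print v[1]; exit }'
}

# check_setting OUTPUT KEY EXPECTED -> exit status 0 if the running value matches
check_setting() {
    [ "$(dos_value "$1" "$2")" = "$3" ]
}

# audit_dos_config OUTPUT -> prints the number of settings that drifted from the
# intended values listed in the heredoc (hypothetical hardening baseline: penalty
# box on, enforcement on internal interfaces on, monitor-only mode off). Each
# mismatch goes to stderr together with the "fwaccel dos config set" flag that
# would correct it (the flag name is derived from the key and the wanted state).
audit_dos_config() {
    out="$1"
    drift=0
    while IFS=: read -r key want; do
        have=$(dos_value "$out" "$key")
        if [ "$have" != "$want" ]; then
            echo "DRIFT: '$key' is '$have', expected '$want';" \
                 "fix with: fwaccel dos config set --${want%d}-$key" >&2
            drift=$((drift + 1))
        fi
    done <<EOF
pbox:enabled
internal:enabled
monitor:disabled
EOF
    echo "$drift"
}
```

With the constructed sample, only "internal" drifts (it is disabled but expected enabled), so the audit prints 1; a result of 0 means the on_install script and the running state agree.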