fwaccel dos deny

Description

The fwaccel dos deny and fwaccel6 dos deny commands control the IP deny-list in SecureXL Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway..

The deny-list blocks all traffic to and from the specified IP addresses.

The deny-list drops occur in SecureXL, which is more efficient than an Access Control Policy to drop the packets.

Important:

In VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. mode, you must go to the context of an applicable Virtual System Virtual Device on a VSX Gateway or VSX Cluster Member that implements the functionality of a Security Gateway. Acronym: VS..In Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)., run: set virtual-system <VSID>In the Expert mode, run: vsenv <VSID>
In a Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you must configure all the Cluster Members in the same way.
To enforce the IP deny-list in SecureXL, you must first enable the IP deny-lists.

See these commands:
- fwaccel dos config
- fw sam_policy (configures more granular rules)

Syntax for IPv4

fwaccel dos deny

-a <IPv4 Address>

-d <IPv4 Address>

-F

-M {on | off}

-m

-N "<Name of IP Deny-list>"

-n

-s

Syntax for IPv6

fwaccel6 dos deny

-a <IPv6 Address>

-d <IPv6 Address>

-F

-M {on | off}

-m

-N "<Name of IP Deny-list>"

-n

-s

Parameters

Parameter

Description

No Parameters

Shows the applicable built-in usage.

-a <IP Address>

Adds the specified IP address to the deny-list.

To add more than one IP address, run this command for each applicable IP address.

-d <IP Address>

Removes the specified IP addresses from the deny-list.

To remove more than one IP address, run this command for each applicable IP address.

-F

Removes (flushes) all IP addresses from the IP deny-list.

-M {on | off}

Enables (on) or disables (off) the monitor-only mode for the IP deny-list.

By default, the monitor-only mode is disabled.

In the monitor-only mode you can test the IP deny-list without blocking the traffic.

This command affects only the IP deny-list (does not affect the fw samp rules, etc.).

-m

Shows the current status of the monitor-only mode for the IP deny-list (enabled or disabled).

-N "<Name of IP Deny-list>"

Configures the name for the IP deny-list.

This name appears in the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. logs.

Notes:

Maximal length is 79 characters.
You must only use ASCII characters.

-n

Shows the configured name for the IP deny-list.

-s

Shows the configured deny-list.

Example from a non-VSX Gateway

[Expert@MyGW:0]# fwaccel dos deny -s
The deny list is empty
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -a 1.1.1.1
Adding 1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
1.1.1.1
[Expert@MyGW:0]# fwaccel dos deny -a 2.2.2.2
Adding 2.2.2.2
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
2.2.2.2
1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -d 2.2.2.2
Deleting 2.2.2.2
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -F
All deny list entries deleted
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
The deny list is empty
[Expert@MyGW:0]#