fw sam

Description

Manages the Suspicious Activity Monitoring (SAM) rules. You can use the SAM rules to block connections to and from IP addresses without the need to change or reinstall the Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection.. For more information, see sk112061.

You can create the Suspicious Activity Rules in two ways:

In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. from Monitoring Results
In CLI with the fw sam command

Notes:

VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Gateways and VSX Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Members do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.
See the "fw sam_policy" and "sam_alert" commands.

SAM rules consume some CPU resources on Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources..

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Logs for enforced SAM rules (configured with the fw sam command) are stored in the $FWDIR/log/sam.dat file.

By design, the file is purged when the number of stored entries reaches 100,000.

This data log file contains the records in one of these formats:

<type>,<actions>,<expire>,<ipaddr>

<type>,<actions>,<expire>,<src>,<dst>,<dport>,<ip_p>

SAM Requests are stored on the Security Gateway in the kernel table sam_requests.
IP Addresses that are blocked by SAM rules, are stored on the Security Gateway in the kernel table sam_blocked_ips.

Note - To configure SAM Server settings for a Security Gateway or Cluster:

Connect with SmartConsole to the applicable Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or Domain Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..
From the left navigation panel, click Gateways & Servers.
Open the Security Gateway or Cluster object.
From the left tree, click Other > SAM.
Configure the settings.
Click OK.
Install the Access Control Policy on this Security Gateway or Cluster object.

Syntax

To add or cancel a SAM rule according to criteria:

fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-t <Timeout>] [-l <Log Type>] [-C] [-e <key=val>]+ [-r] -{n|i|I|j|J} <Criteria>

To delete all SAM rules:

fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] -D

To monitor all SAM rules:

fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-r] -M -{i|j|n|b|q} all

To monitor SAM rules according to criteria:

fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-r] -M -{i|j|n|b|q} <Criteria>

Parameters

Parameter

Description

-d

Runs the command in debug mode.

Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-v

Enables verbose mode.

In this mode, the command writes one message to stderr for each Security Gateway, on which the command is enforced. These messages show whether the command was successful or not.

-s <SAM Server>

Specifies the IP address (in the X.X.X.X format) or resolvable HostName of the Security Gateway that enforces the command.

The default is localhost.

-S <SIC Name of SAM Server>

Specifies the SIC Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server. name for the SAM server to be contacted. It is expected that the SAM server has this SIC name, otherwise the connection fails.

Notes:

If you do not explicitly specify the SIC name, the connection continues without SIC names comparison.
For more information about enabling SIC, refer to the OPSEC API Specification.
On VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0., run the fw vsx showncs -vs <VSID> command to show the SIC name for the applicable Virtual System Virtual Device on a VSX Gateway or VSX Cluster Member that implements the functionality of a Security Gateway. Acronym: VS..

-f <Security Gateway>

Specifies the Security Gateway, on which to enforce the action.

<Security Gateway> can be one of these:

All - Default. Specifies to enforce the action on all managed Security Gateways, where SAM Server runs.

You can use this syntax only on Security Management Server or Domain Management Server Virtual Security Management Server that manages Security Gateways for one Domain, as part of a Multi-Domain Security Management environment. Acronym: DMS..
localhost - Specifies to enforce the action on this local Check Point computer (on which the fw sam command is executed).

You can use this syntax only on Security Gateway or StandAlone Configuration in which the Security Gateway and the Security Management Server products are installed and configured on the same server..
Gateways - Specifies to enforce the action on all objects defined as Security Gateways, on which SAM Server runs.

You can use this syntax only on Security Management Server or Domain Management Server.
Name of Security Gateway object - Specifies to enforce the action on this specific Security Gateway object.

You can use this syntax only on Security Management Server or Domain Management Server.
Name of Group object - Specifies to enforce the action on all specific Security Gateways in this Group object.

Notes:

You can use this syntax only on Security Management Server or Domain Management Server.
VSX Gateways and VSX Cluster Members do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.

-D

Cancels all inhibit ("-i", "-j", "-I", "-J") and notify ("-n") parameters.

Notes:

To "uninhibit" the inhibited connections, run the fw sam command with the "-C" or "-D" parameters.
It is also possible to use this command for active State of a Cluster Member that is fully operational: (1) In ClusterXL, this applies to the state of the Security Gateway component (2) In 3rd-party / OPSEC cluster, this applies to the state of the cluster State Synchronization mechanism. SAM requests.

-C

Cancels the fw sam command to inhibit connections with the specified parameters.

Notes:

These connections are no longer inhibited (no longer rejected or dropped).
The command parameters must match the parameters in the original fw sam command, except for the -t <Timeout> parameter.

-t <Timeout>

Specifies the time period (in seconds), during which the action is enforced.

The default is forever, or until you cancel the fw sam command.

-l <Log Type>

Specifies the type of the log for enforced action:

nolog - Does not generate Log / Alert at all
short_noalert - Generates a Log
short_alert - Generates an Alert
long_noalert - Generates a Log
long_alert - Generates an Alert (this is the default)

-e <key=val>+

Specifies rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. information based on the keys and the provided values.

Multiple keys are separated by the plus sign (+).

Available keys are (each is limited to 100 characters):

name - Security rule name
comment - Security rule comment
originator - Security rule originator's username

-r

Specifies not to resolve IP addresses.

-n

Specifies to generate a "Notify" long-format log entry.

Notes:

This parameter generates an alert when connections that match the specified services or IP addresses pass through the Security Gateway.
This action does not inhibit / close connections.

-i

Inhibits (drops or rejects) new connections with the specified parameters.

Notes:

Each inhibited connection is logged according to the log type.
Matching connections are rejected.

-I

Inhibits (drops or rejects) new connections with the specified parameters, and closes all existing connections with the specified parameters.

Notes:

Matching connections are rejected.
Each inhibited connection is logged according to the log type.

-j

Inhibits (drops or rejects) new connections with the specified parameters.

Notes:

Matching connections are dropped.
Each inhibited connection is logged according to the log type.

-J

Inhibits new connections with the specified parameters, and closes all existing connections with the specified parameters.

Notes:

Matching connections are dropped.
Each inhibited connection is logged according to the log type.

-b

Bypasses new connections with the specified parameters.

-q

Quarantines new connections with the specified parameters.

-M

Monitors the active SAM requests with the specified actions and criteria.

all

Gets all active SAM requests. This is used for monitoring purposes only.

<Criteria>

Criteria are used to match connections.

The criteria and are composed of various combinations of the following parameters:

Source IP Address
Source Netmask
Destination IP Address
Destination Netmask
Port (see IANA Service Name and Port Number Registry)
Protocol Number (see IANA Protocol Numbers)

Possible combinations are (see the explanations below this table):

src <IP>
dst <IP>
any <IP>
subsrc <IP> <Netmask>
subdst <IP> <Netmask>
subany <IP> <Netmask>
srv <Src IP> <Dest IP> <Port> <Protocol>
subsrv <Src IP> <Src Netmask> <Dest IP> <Dest Netmask> <Port> <Protocol>
subsrvs <Src IP> <Src Netmask> <Dest IP> <Port> <Protocol>
subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port> <Protocol>
dstsrv <Dest IP> <Port> <Protocol>
subdstsrv <Dest IP> <Dest Netmask> <Port> <Protocol>
srcpr <IP> <Protocol>
dstpr <IP> <Protocol>
subsrcpr <IP> <Netmask> <Protocol>
subdstpr <IP> <Netmask> <Protocol>
generic <key=val>

Explanation for the <Criteria> syntax

Parameter	Description
`src <IP>`	Matches the Source IP address of the connection.
`dst <IP>`	Matches the Destination IP address of the connection.
`any <IP>`	Matches either the Source IP address or the Destination IP address of the connection.
`subsrc <IP> <Netmask>`	Matches the Source IP address of the connections according to the netmask.
`subdst <IP> <Netmask>`	Matches the Destination IP address of the connections according to the netmask.
`subany <IP> <Netmask>`	Matches either the Source IP address or Destination IP address of connections according to the netmask.
`srv <Src IP> <Dest IP> <Port> <Protocol>`	Matches the specific Source IP address, Destination IP address, Service (port number) and Protocol.
`subsrv <Src IP> <Netmask> <Dest IP> <Netmask> <Port> <Protocol>`	Matches the specific Source IP address, Destination IP address, Service (port number) and Protocol. Source and Destination IP addresses are assigned according to the netmask.
`subsrvs <Src IP> <Src Netmask> <Dest IP> <Port> <Protocol>`	Matches the specific Source IP address, source netmask, destination netmask, Service (port number) and Protocol.
`subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port> <Protocol>`	Matches specific Source IP address, Destination IP, destination netmask, Service (port number) and Protocol.
`dstsrv <Dest IP> <Service> <Protocol>`	Matches specific Destination IP address, Service (port number) and Protocol.
`subdstsrv <Dest IP> <Netmask> <Port> <Protocol>`	Matches specific Destination IP address, Service (port number) and Protocol. Destination IP address is assigned according to the netmask.
`srcpr <IP> <Protocol>`	Matches the Source IP address and protocol.
`dstpr <IP> <Protocol>`	Matches the Destination IP address and protocol.
`subsrcpr <IP> <Netmask> <Protocol>`	Matches the Source IP address and protocol of connections. Source IP address is assigned according to the netmask.
`subdstpr <IP> <Netmask> <Protocol>`	Matches the Destination IP address and protocol of connections. Destination IP address is assigned according to the netmask.
`generic <key=val>+`	Matches the GTP connections based on the specified keys and provided values. Multiple keys are separated by the plus sign (+). Available keys are: `service=gtp` `imsi` `msisdn` `apn` `tunl_dst` `tunl_dport` `tunl_proto`