fw sam_policy add

Description

The "fw sam_policy add" and "fw6 sam_policy add" commands:

Add one Suspicious Activity Monitoring (SAM) rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. at a time.
Add one Rate Limiting rule at a time.

Notes:

These commands are interchangeable:
- For IPv4: "fw sam_policy" and "fw samp".
- For IPv6: "fw6 sam_policy" and "fw6 samp".
You can run these commands in Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)., or Expert mode.
Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:

Configuration you make with these commands, survives reboot.
VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
In VSX mode, you must go to the context of an applicable Virtual System Virtual Device on a VSX Gateway or VSX Cluster Member that implements the functionality of a Security Gateway. Acronym: VS..
- In Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Clish, run: set virtual-system <VSID>
- In the Expert mode, run: vsenv <VSID>
In a Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection., educate users, or otherwise handle the risk.

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] ip <IP Filter Arguments>

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] ip <IP Filter Arguments>

Syntax to configure a Rate Limiting rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] quota <Quota Filter Arguments>

Syntax to configure a Rate Limiting rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] quota <Quota Filter Arguments

Parameters

Parameter

Description

-d

Runs the command in debug mode.

Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-u

Optional.

Specifies that the rule category is User-defined.

Default rule category is Auto.

-a {d | n | b}

Mandatory.

Specifies the rule action if the traffic matches the rule conditions:

d - Drop the connection.
n - Notify (generate a log) about the connection and let it through.
b - Bypass the connection - let it through without checking it against the policy rules.

Note - Rules with action set to Bypass cannot have a log or limit specification. Bypassed packets and connections do not count towards overall number of packets and connection for limit enforcement of type ratio.

-l {r | a}

Optional.

Specifies which type of log to generate for this rule for all traffic that matches:

-r - Generate a regular log
-a - Generate an alert log

-t <Timeout>

Optional.

Specifies the time period (in seconds), during which the rule will be enforced.

Default timeout is indefinite.

-f <Target>

Optional.

Specifies the target Security Gateways, on which to enforce the Rate Limiting rule.

<Target> can be one of these:

all - This is the default option. Specifies that the rule should be enforced on all managed Security Gateways.
Name of the Security Gateway or Cluster object - Specifies that the rule should be enforced only on this Security Gateway or Cluster object (the object name must be as defined in the SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.).
Name of the Group object - Specifies that the rule should be enforced on all Security Gateways that are members of this Group object (the object name must be as defined in the SmartConsole).

-n "<Rule Name>"

Optional.

Specifies the name (label) for this rule.

Notes:

You must enclose this string in double quotes.
The length of this string is limited to 128 characters.

Before each space or a backslash character in this string, you must write a backslash (\) character. Example:

"This\ is\ a\ rule\ name\ with\ a\ backslash\ \\"

-c "<Rule Comment>"

Optional.

Specifies the comment for this rule.

Notes:

You must enclose this string in double quotes.
The length of this string is limited to 128 characters.

Before each space or a backslash character in this string, you must write a backslash (\) character. Example:

"This\ is\ a\ comment\ with\ a\ backslash\ \\"

-o "<Rule Originator>"

Optional.

Specifies the name of the originator for this rule.

Notes:

You must enclose this string in double quotes.
The length of this string is limited to 128 characters.

Before each space or a backslash character in this string, you must write a backslash (\) character. Example:

"Created\ by\ John\ Doe"

-z "<Zone>"

Optional.

Specifies the name of the Security Zone for this rule.

Notes:

You must enclose this string in double quotes.
The length of this string is limited to 128 characters.

ip <IP Filter Arguments>

Mandatory (use this ip parameter, or the quota parameter).

Configures the Suspicious Activity Monitoring (SAM) rule.

Specifies the IP Filter Arguments for the SAM rule (you must use at least one of these options):

[-C] [-s <Source IP>] [-m <Source Mask>] [-d <Destination IP>] [-M <Destination Mask>] [-p <Port>] [-r <Protocol>]

See the explanations below.

quota <Quota Filter Arguments>

Mandatory (use this quota parameter, or the ip parameter).

Configures the Rate Limiting rule.

Specifies the Quota Filter Arguments for the Rate Limiting rule (see the explanations below):

[flush true]
[source-negated {true | false}] source <Source>
[destination-negated {true | false}] destination <Destination>
[service-negated {true | false}] service <Protocol and Port numbers>
[<Limit1 Name> <Limit1 Value>] [<Limit2 Name> <Limit2 Value>] ...[<LimitN Name> <LimitN Value>]
[track <Track>]

Important:

The Quota rules are not applied immediately to the Security Gateway. They are only registered in the Suspicious Activity Monitoring (SAM) policy database. To apply all the rules from the SAM policy database immediately, add "flush true" in the fw samp add command syntax.
Explanation:

For new connections rate (and for any rate limiting in general), when a rule's limit is violated, the Security Gateway also drops all packets that match the rule.

The Security Gateway computes new connection rates on a per-second basis.

At the start of the 1-second timer, the Security Gateway allows all packets, including packets for existing connections.

If, at some point, during that 1 second period, there are too many new connections, then the Security Gateway blocks all remaining packets for the remainder of that 1-second interval.

At the start of the next 1-second interval, the counters are reset, and the process starts over - the Security Gateway allows packets to pass again up to the point, where the rule’s limit is violated.

Explanation for the IP Filter Arguments syntax for Suspicious Activity Monitoring (SAM) rules

Argument	Description
`-C`	Specifies that open connections should be closed.
`-s <Source IP>`	Specifies the Source IP address.
`-m <Source Mask>`	Specifies the Source subnet mask (in dotted decimal format - x.y.z.w).
`-d <Destination IP>`	Specifies the Destination IP address.
`-M <Destination Mask>`	Specifies the Destination subnet mask (in dotted decimal format - x.y.z.w).
`-p <Port>`	Specifies the port number (see IANA Service Name and Port Number Registry).
`-r <Protocol>`	Specifies the protocol number (see IANA Protocol Numbers).

Explanation for the Quota Filter Arguments syntax for Rate Limiting rules

Argument	Description
`flush true`	Specifies to compile and load the quota rule to the SecureXL Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway. immediately.
`[source-negated {true \| false}] source <Source>`	Specifies the source type and its value: `any` The rule is applied to packets sent from all sources. `range:<IP Address>` or `range:<IP Address Start>-<IP Address End>` The rule is applied to packets sent from: Specified IPv4 addresses (x.y.z.w) Specified IPv6 addresses (xxxx:yyyy:...:zzzz) `cidr:<IP Address>/<Prefix>` The rule is applied to packets sent from: IPv4 address with Prefix from 0 to 32 IPv6 address with Prefix from 0 to 128 `cc:<Country Code>` The rule matches the country code to the source IP addresses assigned to this country, based on the Geo IP database. The two-letter codes are defined in ISO 3166-1 alpha-2. `asn:<Autonomous System Number>` The rule matches the AS number of the organization to the source IP addresses that are assigned to this organization, based on the Geo IP database. The valid syntax is ASnnnn, where nnnn is a number unique to the specific organization. Notes: Default is: `source-negated false` The `source-negated true` processes all source types, except the specified type.
`[destination-negated {true \| false}] destination <Destination>`	Specifies the destination type and its value: `any` The rule is applied to packets sent to all destinations. `range:<IP Address>` or `range:<IP Address Start>-<IP Address End>` The rule is applied to packets sent to: Specified IPv4 addresses (x.y.z.w) Specified IPv6 addresses (xxxx:yyyy:...:zzzz) `cidr:<IP Address>/<Prefix>` The rule is applied to packets sent to: IPv4 address with Prefix from 0 to 32 IPv6 address with Prefix from 0 to 128 `cc:<Country Code>` The rule matches the country code to the destination IP addresses assigned to this country, based on the Geo IP database. The two-letter codes are defined in ISO 3166-1 alpha-2. `asn:<Autonomous System Number>` The rule matches the AS number of the organization to the destination IP addresses that are assigned to this organization, based on the Geo IP database. The valid syntax is ASnnnn, where nnnn is a number unique to the specific organization. Notes: Default is: `destination-negated false` The `destination-negated true` will process all destination types except the specified type
`[service-negated {true \| false}] service <Protocol and Port numbers>`	Specifies the Protocol number (see IANA Protocol Numbers) and Port number (see IANA Service Name and Port Number Registry): `<Protocol>` IP protocol number in the range 1-255 `<Protocol Start>-<Protocol End>` Range of IP protocol numbers `<Protocol>/<Port>` IP protocol number in the range 1-255 and TCP/UDP port number in the range 1-65535 `<Protocol>/<Port Start>-<Port End>` IP protocol number and range of TCP/UDP port numbers from 1 to 65535 Notes: Default is: `service-negated false` The `service-negated true` will process all traffic except the traffic with the specified protocols and ports
`[<Limit 1 Name> <Limit 1 Value>] [<Limit 2 Name> <Limit 2 Value>] ... [<Limit N Name> <Limit N Value>]`	Specifies quota limits and their values. Note - Separate multiple quota limits with spaces. `concurrent-conns <Value>` Specifies the maximal number of concurrent active State of a Cluster Member that is fully operational: (1) In ClusterXL, this applies to the state of the Security Gateway component (2) In 3rd-party / OPSEC cluster, this applies to the state of the cluster State Synchronization mechanism. connections that match this rule. `concurrent-conns-ratio <Value>` Specifies the maximal ratio of the concurrent-conns value to the total number of active connections through the Security Gateway, expressed in parts per 65536 (formula: `N / 65536`). `pkt-rate <Value>` Specifies the maximum number of packets per second that match this rule. `pkt-rate-ratio <Value>` Specifies the maximal ratio of the pkt-rate value to the rate of all connections through the Security Gateway, expressed in parts per 65536 (formula: `N / 65536`). `byte-rate <Value>` Specifies the maximal total number of bytes per second in packets that match this rule. `byte-rate-ratio <Value>` Specifies the maximal ratio of the byte-rate value to the bytes per second rate of all connections through the Security Gateway, expressed in parts per 65536 (formula: `N / 65536`). `new-conn-rate <Value>` Specifies the maximal number of connections per second that match the rule. `new-conn-rate-ratio <Value>` Specifies the maximal ratio of the new-conn-rate value to the rate of all connections per second through the Security Gateway, expressed in parts per 65536 (formula: `N / 65536`).
`[track <Track>]`	Specifies the tracking option: `source` Counts connections, packets, and bytes for specific source IP address, and not cumulatively for this rule. `source-service` Counts connections, packets, and bytes for specific source IP address, and for specific IP protocol and destination port, and not cumulatively for this rule.

Examples

Example 1 - Rate Limiting rule with a range

fw sam_policy add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true

Explanations:

This rule drops packets for all connections (-a d) that exceed the quota set by this rule, including packets for existing connections.
This rule logs packets (-l r) that exceed the quota set by this rule.
This rule will expire in 3600 seconds (-t 3600).
This rule limits the rate of creation of new connections to 5 connections per second (new-conn-rate 5) for any traffic (service any) from the source IP addresses in the range 172.16.7.11 - 172.16.7.13 (source range:172.16.7.11-172.16.7.13).

Note - The limit of the total number of log entries per second is configured with the fwaccel dos config set -n <rate> command.
This rule will be compiled and loaded on the SecureXL, together with other rules in the Suspicious Activity Monitoring (SAM) policy database immediately, because this rule includes the "flush true" parameter.

Example 2 - Rate Limiting rule with a service specification

fw sam_policy add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source cc:QQ byte-rate 0

Explanations:

This rule logs and lets through all packets (-a n) that exceed the quota set by this rule.
This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
This rule applies to all packets except (service-negated true) the packets with IP protocol number 1, 50-51, 6 port 443 and 17 port 53 (service 1,50-51,6/443,17/53).
This rule applies to all packets from source IP addresses that are assigned to the country with specified country code (cc:QQ).
This rule does not let any traffic through (byte-rate 0) except the packets with IP protocol number 1, 50-51, 6 port 443 and 17 port 53.
This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "flush true" parameter.

Example 3 - Rate Limiting rule with ASN

fw sam_policy -a d quota source asn:AS64500,cidr:[::FFFF:C0A8:1100]/120 service any pkt-rate 0

Explanations:

This rule drops (-a d) all packets that match this rule.
This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
This rule applies to packets from the Autonomous System number 64500 (asn:AS64500).
This rule applies to packets from source IPv6 addresses FFFF:C0A8:1100/120 (cidr:[::FFFF:C0A8:1100]/120).
This rule applies to all traffic (service any).
This rule does not let any traffic through (pkt-rate 0).
This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "flush true" parameter.

Example 5 - Rate Limiting rule with tracking

fw sam_policy add -a d quota service any source-negated true source cc:QQ concurrent-conns-ratio 655 track source

Explanations:

This rule drops (-a d) all packets that match this rule.
This rule does not log any packets (the -l r parameter is not specified).
This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
This rule applies to all traffic (service any).
This rule applies to all sources except (source-negated true) the source IP addresses that are assigned to the country with specified country code (cc:QQ).
This rule limits the maximal number of concurrent active connections to 655/65536=~1% (concurrent-conns-ratio 655) for any traffic (service any) except (service-negated true) the connections from the source IP addresses that are assigned to the country with specified country code (cc:QQ).
This rule counts connections, packets, and bytes for traffic only from sources that match this rule, and not cumulatively for this rule.
This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "flush true" parameter.