fw sam_policy get

Description

The "fw sam_policy get" and "fw6 sam_policy get" commands:

Show all the configured Suspicious Activity Monitoring (SAM) rules.
Show all the configured Rate Limiting rules.

Notes:

These commands are interchangeable:
- For IPv4: "fw sam_policy" and "fw samp".
- For IPv6: "fw6 sam_policy" and "fw6 samp".
You can run these commands in Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)., or Expert mode.
Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:

Configuration you make with these commands, survives reboot.
VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
In VSX mode, you must go to the context of an applicable Virtual System Virtual Device on a VSX Gateway or VSX Cluster Member that implements the functionality of a Security Gateway. Acronym: VS..
- In Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Clish, run: set virtual-system <VSID>
- In the Expert mode, run: vsenv <VSID>
In a Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection., educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}] [-n]]

Syntax for IPv6

fw6 [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}] [-n]]

Parameters

Note - All these parameters are optional.

Parameter

Description

-d

Runs the command in debug mode.

Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-l

Controls how to print the rules:

In the default format (without "-l"), the output shows each rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. on a separate line.
In the list format (with "-l"), the output shows each parameter of a rule on a separate line.
See the "fw sam_policy add" command.

-u '<Rule UID>'

Prints the rule specified by its Rule UID or its zero-based rule index.

The quote marks and angle brackets ('<...>') are mandatory.

-k '<Key>'

Prints the rules with the specified predicate key.

The quote marks are mandatory.

-t <Type>

Prints the rules with the specified predicate type.

For Rate Limiting rules, you must always use "-t in".

+{-v '<Value>'}

Prints the rules with the specified predicate values.

The quote marks are mandatory.

-n

Negates the condition specified by these predicate parameters:

-k
-t
+-v

Examples

Example 4 - Printing rules that match the specified filters

[Expert@HostName:0]# fw samp get

no corresponding SAM policy requests

[Expert@HostName:0]#

[Expert@HostName:0]# fw samp add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true

[Expert@HostName:0]#

[Expert@HostName:0]# fw samp add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source cc:QQ byte-rate 0

[Expert@HostName:0]#

[Expert@HostName:0]# fw samp add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80

[Expert@HostName:0]#

[Expert@HostName:0]# fw samp add -a d quota service any source-negated true source cc:QQ concurrent-conns-ratio 655 track source

[Expert@HostName:0]#

[Expert@HostName:0]# fw samp get

operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota

operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3586 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota

operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota

operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota

[Expert@HostName:0]#

[Expert@HostName:0]# fw samp get -k 'service' -t in -v '6/80'

operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota

[Expert@HostName:0]#

[Expert@HostName:0]# fw samp get -k 'service-negated' -t in -v 'true'

operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota

[Expert@HostName:0]#

[Expert@HostName:0]# fw samp get -k 'source' -t in -v 'cc:QQ'

operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota

operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota

[Expert@HostName:0]#

[Expert@HostName:0]# fw samp get -k source -t in -v 'cc:QQ' -n

operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3291 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota

operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota

[Expert@HostName:0]#

[Expert@HostName:0]# fw samp get -k 'source-negated' -t in -v 'true'

operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota

[Expert@HostName:0]#

[Expert@HostName:0]# fw samp get -k 'byte-rate' -t in -v '0'

operation=add uid=<5baa9431,00000000,860318ac,00002efd> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota

[Expert@HostName:0]#

[Expert@HostName:0]# fw samp get -k 'flush' -t in -v 'true'

operation=add uid=<5baa9422,00000000,860318ac,00002eea> target=all timeout=2841 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota

[Expert@HostName:0]#

[Expert@HostName:0]# fw samp get -k 'concurrent-conns-ratio' -t in -v '655'

operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota

[Expert@HostName:0]#