sam_alert

Description

For SAM v1, this utility executes Suspicious Activity Monitoring (SAM) actions according to the information received from the standard input.

For SAM v2, this utility executes Suspicious Activity Monitoring (SAM) actions with User Defined Alerts mechanism.

Important:

You must run this command on the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..
You can run this command only in the Expert mode.

On a Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS., you must run this command in the context of the applicable Domain Management Server Virtual Security Management Server that manages Security Gateways for one Domain, as part of a Multi-Domain Security Management environment. Acronym: DMS.:

mdsenv <IP Address or Name of Domain Management Server>

Notes:

VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Gateways and VSX Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Members do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.
See the fw sam and fw sam_policy commands.

SAM v1 syntax

sam_alert [-v] [-o] [-s <SAM Server>] [-t <Time>] [-f <Security Gateway>] [-C] {-n|-i|-I} {-src|-dst|-any|-srv}

Parameters for SAM v1

Parameter

Description

-v

Enables the verbose mode for the "fw sam" command.

-o

Specifies to print the input of this tool to the standard output (to use with pipes in a CLI syntax).

-s <SAM Server>

Specifies the SAM Server to be contacted. Default is "localhost".

-t <Time>

Specifies the time (in seconds), during which to enforce the action. The default is forever.

-f <Security Gateway>

Specifies the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / Cluster object, on which to run the operation.

Important - If you do not specify the target Security Gateway / Cluster object explicitly, this command applies to all managed Security Gateways and Clusters.

-C

Cancels the specified operation.

-n

Specifies to notify every time a connection, which matches the specified criteria, passes through the Security Gateway / ClusterXL Cluster of Check Point Security Gateways that work together in a redundant configuration. The ClusterXL both handles the traffic and performs State Synchronization. These Check Point Security Gateways are installed on Gaia OS: (1) ClusterXL supports up to 5 Cluster Members, (2) VRRP Cluster supports up to 2 Cluster Members, (3) VSX VSLS cluster supports up to 13 Cluster Members. Note: In ClusterXL Load Sharing mode, configuring more than 4 Cluster Members significantly decreases the cluster performance due to amount of Delta Sync traffic. / Security Group.

-i

Inhibits (drops or rejects) connections that match the specified criteria.

-I

Inhibits (drops or rejects) connections that match the specified criteria and closes all existing connections that match the specified criteria.

-src

Matches the source address of connections.

-dst

Matches the destination address of connections.

-any

Matches either the source or destination address of connections.

-srv

Matches specific source, destination, protocol and port.

SAM v2 syntax

sam_alert -v2 [-v] [-O] [-S <SAM Server>] [-t <Time>] [-f <Security Gateway>] [-n <Name>] [-c "<Comment">] [-o <Originator>] [-l {r | a}] -a {d | r| n | b | q | i} [-C] {-ip |-eth} {-src|-dst|-any|-srv}

Parameters for SAM v2

Parameter

Description

-v2

Specifies to use SAM v2.

-v

Enables the verbose mode for the "fw sam" command.

-O

Specifies to print the input of this tool to the standard output (to use with pipes in a CLI syntax).

-S <SAM Server>

Specifies the SAM server to be contacted. Default is "localhost".

-t <Time>

Specifies the time (in seconds), during which to enforce the action. The default is forever.

-f <Security Gateway>

Specifies the Security Gateway / Cluster object, on which to run the operation.

Important - If you do not specify the target Security Gateway / Cluster object explicitly, this command applies to all managed Security Gateways and Clusters.

-n <Name>

Specifies the name for the SAM rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session..

Default is empty.

-c "<Comment>"

Specifies the comment for the SAM rule.

Default is empty.

You must enclose the text in the double quotes or single quotes.

-o <Originator>

Specifies the originator for the SAM rule.

Default is "sam_alert".

-l {r | a}

Specifies the log type for connections that match the specified criteria:

r - Regular
a - Alert

Default is None.

-a {d | r| n | b | q | i}

Specifies the action to apply on connections that match the specified criteria:

d - Drop
r - Reject
n - Notify
b - Bypass
q - Quarantine
i - Inspect

-C

Specifies to close all existing connections that match the criteria.

-ip

Specifies to use IP addresses as criteria parameters.

-eth

Specifies to use MAC addresses as criteria parameters.

-src

Matches the source address of connections.

-dst

Matches the destination address of connections.

-any

Matches either the source or destination address of connections.

-srv

Matches specific source, destination, protocol and port.

Example

See sk110873: How to configure Security Gateway to detect and prevent port scan.