fwaccel synatk allow

Description

The "fwaccel synatk allow" and "fwaccel6 synatk allow" commands control the Accelerated SYN Defender allow-list.

Notes:

  • Sources on this allow-list are exempt from the packet drops that the Accelerated SYN Defender enforces; the allow-list takes precedence over its drop decisions. Before you use third-party or automatic blacklists, add trusted networks and hosts to the allow-list to avoid outages.

  • Also, see the fwaccel dos allow command.

Important - In a Cluster (two or more Security Gateways that work together in a redundant configuration, High Availability or Load Sharing), you must configure the Accelerated SYN Defender allow-list in the same way on all the Cluster Members.

Syntax for IPv4

fwaccel synatk allow

      -a <IPv4 Address>[/<Subnet Prefix>]

      -d <IPv4 Address>[/<Subnet Prefix>]

      -F

      -l /<Path>/<Name of File>

      -L

      -s

Syntax for IPv6

fwaccel6 synatk allow

      -a <IPv6 Address>[/<Subnet Prefix>]

      -d <IPv6 Address>[/<Subnet Prefix>]

      -F

      -l /<Path>/<Name of File>

      -L

      -s

Parameters

Parameter

Description

No Parameters

Shows the applicable built-in usage.

-a <IPv4 Address>[/<Subnet Prefix>]

Adds the specified IPv4 address to the Accelerated SYN Defender allow-list.

  • <IPv4 Address>

    Can be an IPv4 address of a network or a host.

  • <Subnet Prefix>

    Must specify the length of the subnet mask in the format /<bits>.

    Optional for a host IPv4 address.

    Mandatory for a network IPv4 address.

    Range - from /1 to /32.

    Important - If you do not specify the subnet prefix explicitly, this command uses the subnet prefix /32.

Examples:

  • For a host:

    192.168.20.30

    192.168.20.30/32

  • For a network:

    192.168.20.0/24

-a <IPv6 Address>[/<Subnet Prefix>]

Adds the specified IPv6 address to the Accelerated SYN Defender allow-list.

  • <IPv6 Address>

    Can be an IPv6 address of a network or a host.

  • <Subnet Prefix>

    Must specify the length of the subnet mask in the format /<bits>.

    Optional for a host IPv6 address.

    Mandatory for a network IPv6 address.

    Range - from /1 to /128.

    Important - If you do not specify the subnet prefix explicitly, this command uses the subnet prefix /128.

Examples:

  • For a host:

    2001:0db8:85a3:0000:0000:8a2e:0370:7334

    2001:0db8:85a3:0000:0000:8a2e:0370:7334/128

  • For a network:

    2001:cdba:9abc:5678::/64

-d <IPv4 Address>[/<Subnet Prefix>]

Removes the specified IPv4 address from the Accelerated SYN Defender allow-list.

  • <IPv4 Address>

    Can be an IPv4 address of a network or a host.

  • <Subnet Prefix>

    Must specify the length of the subnet mask in the format /<bits>.

    Optional for a host IPv4 address.

    Mandatory for a network IPv4 address.

    Range - from /1 to /32.

    Important - If you do not specify the subnet prefix explicitly, this command uses the subnet prefix /32.

-d <IPv6 Address>[/<Subnet Prefix>]

Removes the specified IPv6 address from the Accelerated SYN Defender allow-list.

  • <IPv6 Address>

    Can be an IPv6 address of a network or a host.

  • <Subnet Prefix>

    Must specify the length of the subnet mask in the format /<bits>.

    Optional for a host IPv6 address.

    Mandatory for a network IPv6 address.

    Range - from /1 to /128.

    Important - If you do not specify the subnet prefix explicitly, this command uses the subnet prefix /128.

-F

Removes (flushes) all entries from the Accelerated SYN Defender allow-list.

-l /<Path>/<Name of File>

Loads the Accelerated SYN Defender allow-list entries from the specified plain-text file.

Note - To replace the current allow-list with the contents of a new file, use both the -F and -l parameters on the same command line.

Important - The file must use the same format as the predefined file for the "-L" parameter: each entry on a separate line in the format <IPv4 Address>[/<Subnet Prefix>]; SecureXL ignores empty lines and lines that start with the # character.

-L

Loads the Accelerated SYN Defender allow-list entries from the plain-text file with a predefined name:

$FWDIR/conf/synatk-allow-list-v4.conf

The Security Gateway (the dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources) automatically runs the command "{fwaccel | fwaccel6} synatk allow -L" during each boot. Entries that you add with "-a" but do not also write to this file are therefore not loaded again after a reboot.

Note - To replace the current allow-list with the contents of a new file, use both the "-F" and "-L" parameters on the same command line.

Important:

  • This file does not exist by default.

  • You must manually create and configure this file with the touch or vi command.

  • You must assign at least the read permission to this file, for example with the chmod +r command.

  • Each entry in this file must be on a separate line.

  • Each entry in this file must be in this format:

    <IPv4 Address>[/<Subnet Prefix>]

  • SecureXL ignores empty lines and lines that start with the # character in this file.
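Because a load with "-F" makes the file the entire allow-list, it is worth checking the file offline before you run "fwaccel synatk allow -F -l" or "-F -L". The following bash script is an added example and is not part of the Check Point documentation or product: it implements only the file rules stated above (one entry per line, <IPv4 Address>[/<Subnet Prefix>], prefix /1 to /32, a missing prefix treated as /32, empty and # lines ignored) and prints each entry in the normalized form that "fwaccel synatk allow -s" shows, so the two can be compared after loading. The function names and the sample file contents are constructed for this example.

```shell
#!/bin/bash
# Added example (not Check Point code): pre-flight check of a SYN Defender
# allow-list file before "fwaccel synatk allow -F -l <file>" or "-F -L".
# Rules implemented are the ones the reference states for the file:
#   - one entry per line, format <IPv4 Address>[/<Subnet Prefix>]
#   - prefix range /1 to /32; a missing prefix means /32
#   - empty lines and lines that start with # are ignored
# Function names and the sample file used below are constructed for the example.

# Normalize one entry: print "<addr>/<prefix>" (hosts get /32) or return 1.
synatk_normalize_entry() {
    local entry="$1" addr prefix a b c d rest o
    addr="${entry%%/*}"
    if [ "$addr" = "$entry" ]; then
        prefix=32                      # no explicit prefix: the command uses /32
    else
        prefix="${entry#*/}"
    fi
    # Prefix must be a decimal number in the documented range 1..32.
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#prefix}" -le 2 ] && [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1
    # Address must be exactly four dotted-decimal octets, each 0..255.
    case "$addr" in .*|*.|*..*) return 1 ;; esac
    IFS=. read -r a b c d rest <<< "$addr"
    [ -z "$rest" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    printf '%s/%s\n' "$addr" "$prefix"
}

# Check a whole file: print the normalized entries on stdout, report every
# bad line on stderr with its line number, and return 0 only if all are valid.
synatk_check_file() {
    local file="$1" line norm n=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac   # ignored by SecureXL
        if norm=$(synatk_normalize_entry "$line"); then
            printf '%s\n' "$norm"
        else
            printf '%s:%d: invalid entry: %s\n' "$file" "$n" "$line" >&2
            bad=$((bad + 1))
        fi
    done < "$file"
    [ "$bad" -eq 0 ]
}

# Usage on a gateway (path is the predefined one from the reference):
#   synatk_check_file "$FWDIR/conf/synatk-allow-list-v4.conf" \
#       && fwaccel synatk allow -F -L && fwaccel synatk allow -s
```

The check deliberately rejects anything outside the documented format, including trailing whitespace, a prefix of /0 and addresses with fewer or more than four octets, so the gateway only ever receives lines that the loader is documented to accept.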

-s

Shows the current Accelerated SYN Defender allow-list entries.

Example

[Expert@MyGW:0]# fwaccel synatk allow -a 192.168.20.0/24
[Expert@MyGW:0]# fwaccel synatk allow -s
192.168.20.0/24
[Expert@MyGW:0]# fwaccel synatk allow -d 192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel synatk allow -a 192.168.40.55
[Expert@MyGW:0]# fwaccel synatk allow -s
192.168.40.55/32
[Expert@MyGW:0]# fwaccel synatk allow -d 192.168.40.55