Forwarding specific inbound-connections to the SMO (asg_excp_conf)

You can configure the Security Group to forward specific inbound connections to the SMO Security Group Member.

Important:

  • This command supports only IPv4 connections.

  • This command does not support local connections.

  • In VSX mode, you must run this command in the context of the applicable Virtual System.

  • This command supports a maximum of 15 exceptions (in VSX mode, this limit is global for all Virtual Systems).

  • These exceptions are saved in the $FWDIR/tmp/tmp_exception_entries.txt file (IPv4 addresses are converted to a special format).

Syntax

asg_excp_conf

      clear

      del <ID>

      get

      set <type> <src_ip> <sport> <dst_ip> <dport>

Parameters

Parameter

Description

clear

Clears the table with all exception entries.

del <ID>

Deletes a specific exception entry by its ID.

Use the "get" parameter to see the IDs.

ID numbers start from 0 (zero).

get

Shows the table with all exception entries.

set <type> <src_ip> <sport> <dst_ip> <dport>

Configures a new exception entry.

Notes:

  • This command does not support wildcard characters (* or ?) or the word "any".

    You must always configure the exact values of the connection 4-tuple.

  • The order of these arguments is predefined (for example, "<src_ip>" is always the second argument).

Arguments:

  • <type>

    Configures the match condition - which connection parameters the Security Group must consider.

    Although you configure all connection parameters, the Security Group uses only specific parameters determined by the <type> value.

    Value  Description

    1      Match the inbound connection by the source IPv4 address only
    2      Match the inbound connection by the destination IPv4 address only
    3      Match the inbound connection by the source port only
    4      Match the inbound connection by the destination port only
    5      Match the inbound connection by all these parameters: source IPv4 address, destination IPv4 address
    6      Match the inbound connection by all these parameters: source IPv4 address, source port
    7      Match the inbound connection by all these parameters: source IPv4 address, destination port
    8      Match the inbound connection by all these parameters: source port, destination IPv4 address
    9      Match the inbound connection by all these parameters: destination IPv4 address, destination port
    10     Match the inbound connection by all these parameters: source port, destination port
    11     Match the inbound connection by all these parameters: source IPv4 address, source port, destination IPv4 address
    12     Match the inbound connection by all these parameters: source IPv4 address, destination IPv4 address, destination port
    13     Match the inbound connection by all these parameters: source IPv4 address, source port, destination port
    14     Match the inbound connection by all these parameters: source port, destination IPv4 address, destination port
    15     Match the inbound connection by all these parameters: source IPv4 address, source port, destination IPv4 address, destination port

  • <src_ip>

    Configures the Source IPv4 address

  • <sport>

    Configures the Source port

  • <dst_ip>

    Configures the Destination IPv4 address

  • <dport>

    Configures the Destination port
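
The argument rules and the <type> table above, as an added example (not Check Point code): a POSIX shell pre-flight check that validates the five "set" arguments, shows which fields the chosen <type> matches and which it ignores, and prints the command for review without running it. The function names, the 1-65535 port range and the rejection of leading zeros are assumptions of this example; the addresses are constructed.

```shell
# Added example: validates "asg_excp_conf set" arguments and prints the
# command for review. It never runs asg_excp_conf itself.

excp_fields() {  # fields compared for each <type>, per the table on this page
  case "$1" in
    1) echo "src_ip" ;;            2) echo "dst_ip" ;;
    3) echo "sport" ;;             4) echo "dport" ;;
    5) echo "src_ip dst_ip" ;;     6) echo "src_ip sport" ;;
    7) echo "src_ip dport" ;;      8) echo "sport dst_ip" ;;
    9) echo "dst_ip dport" ;;      10) echo "sport dport" ;;
    11) echo "src_ip sport dst_ip" ;;
    12) echo "src_ip dst_ip dport" ;;
    13) echo "src_ip sport dport" ;;
    14) echo "sport dst_ip dport" ;;
    15) echo "src_ip sport dst_ip dport" ;;
    *) return 1 ;;
  esac
}

valid_ipv4() {  # exact dotted quad: rejects wildcards, "any", CIDR, leading zeros
  case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  ( IFS=.; set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
      case "$o" in 0?*|????*) exit 1 ;; esac
      [ "$o" -le 255 ] || exit 1
    done )
}

valid_port() {  # exact number; the 1-65535 range is this example's assumption
  case "$1" in ""|*[!0-9]*|0*|??????*) return 1 ;; esac
  [ "$1" -le 65535 ]
}

# Usage: excp_check <type> <src_ip> <sport> <dst_ip> <dport>
excp_check() {
  [ $# -eq 5 ] || { echo "need exactly 5 arguments" >&2; return 2; }
  excp_m=$(excp_fields "$1") || { echo "type must be 1-15" >&2; return 2; }
  { valid_ipv4 "$2" && valid_ipv4 "$4"; } || { echo "exact IPv4 addresses required" >&2; return 2; }
  { valid_port "$3" && valid_port "$5"; } || { echo "exact port numbers required" >&2; return 2; }
  excp_i=""
  for f in src_ip sport dst_ip dport; do
    case " $excp_m " in *" $f "*) ;; *) excp_i="$excp_i $f" ;; esac
  done
  echo "matched on: $excp_m"
  echo "ignored for matching:${excp_i:- none}"
  echo "asg_excp_conf set $1 $2 $3 $4 $5"
}
excp_check 9 192.0.2.10 40000 198.51.100.5 443  # constructed sample values
```

The "ignored for matching" line is the part to review: with a low <type> value, every inbound connection that shares the one matched field is forwarded to the SMO, whatever the other three arguments say.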

Examples