fw sam_policy add

Description

The "fw sam_policy add" and "fw6 sam_policy add" commands:

Notes:

Important:

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security PolicyClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection., educate users, or otherwise handle the risk.

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] ip <IP Filter Arguments>

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] ip <IP Filter Arguments>

Syntax to configure a Rate Limiting rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] quota <Quota Filter Arguments>

Syntax to configure a Rate Limiting rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] quota <Quota Filter Arguments

Parameters

Parameter

Description

-d

Runs the command in debug mode.

Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-u

Optional.

Specifies that the rule category is User-defined.

Default rule category is Auto.

-a {d | n | b}

Mandatory.

Specifies the rule action if the traffic matches the rule conditions:

  • d - Drop the connection.

  • n - Notify (generate a log) about the connection and let it through.

  • b - Bypass the connection - let it through without checking it against the policy rules.

    Note - Rules with action set to Bypass cannot have a log or limit specification. Bypassed packets and connections do not count towards overall number of packets and connection for limit enforcement of type ratio.

-l {r | a}

Optional.

Specifies which type of log to generate for this rule for all traffic that matches:

  • -r - Generate a regular log

  • -a - Generate an alert log

-t <Timeout>

Optional.

Specifies the time period (in seconds), during which the rule will be enforced.

Default timeout is indefinite.

-f <Target>

Optional.

Specifies the target Security Gateways, on which to enforce the Rate Limiting rule.

<Target> can be one of these:

-n "<Rule Name>"

Optional.

Specifies the name (label) for this rule.

Notes:

  • You must enclose this string in double quotes.

  • The length of this string is limited to 128 characters.

  • Before each space or a backslash character in this string, you must write a backslash (\) character. Example:

    "This\ is\ a\ rule\ name\ with\ a\ backslash\ \\"

-c "<Rule Comment>"

Optional.

Specifies the comment for this rule.

Notes:

  • You must enclose this string in double quotes.

  • The length of this string is limited to 128 characters.

  • Before each space or a backslash character in this string, you must write a backslash (\) character. Example:

    "This\ is\ a\ comment\ with\ a\ backslash\ \\"

-o "<Rule Originator>"

Optional.

Specifies the name of the originator for this rule.

Notes:

  • You must enclose this string in double quotes.

  • The length of this string is limited to 128 characters.

  • Before each space or a backslash character in this string, you must write a backslash (\) character. Example:

    "Created\ by\ John\ Doe"

-z "<Zone>"

Optional.

Specifies the name of the Security Zone for this rule.

Notes:

  • You must enclose this string in double quotes.

  • The length of this string is limited to 128 characters.

ip <IP Filter Arguments>

Mandatory (use this ip parameter, or the quota parameter).

Configures the Suspicious Activity Monitoring (SAM) rule.

Specifies the IP Filter Arguments for the SAM rule (you must use at least one of these options):

[-C] [-s <Source IP>] [-m <Source Mask>] [-d <Destination IP>] [-M <Destination Mask>] [-p <Port>] [-r <Protocol>]

See the explanations below.

quota <Quota Filter Arguments>

Mandatory (use this quota parameter, or the ip parameter).

Configures the Rate Limiting rule.

Specifies the Quota Filter Arguments for the Rate Limiting rule (see the explanations below):

  • [flush true]

  • [source-negated {true | false}] source <Source>

  • [destination-negated {true | false}] destination <Destination>

  • [service-negated {true | false}] service <Protocol and Port numbers>

  • [<Limit1 Name> <Limit1 Value>] [<Limit2 Name> <Limit2 Value>] ...[<LimitN Name> <LimitN Value>]

  • [track <Track>]

Important:

  • The Quota rules are not applied immediately to the Security Gateway. They are only registered in the Suspicious Activity Monitoring (SAM) policy database. To apply all the rules from the SAM policy database immediately, add "flush true" in the fw samp add command syntax.

  • Explanation:

    For new connections rate (and for any rate limiting in general), when a rule's limit is violated, the Security Gateway also drops all packets that match the rule.

    The Security Gateway computes new connection rates on a per-second basis.

    At the start of the 1-second timer, the Security Gateway allows all packets, including packets for existing connections.

    If, at some point, during that 1 second period, there are too many new connections, then the Security Gateway blocks all remaining packets for the remainder of that 1-second interval.

    At the start of the next 1-second interval, the counters are reset, and the process starts over - the Security Gateway allows packets to pass again up to the point, where the rule’s limit is violated.

Explanation for the IP Filter Arguments syntax for Suspicious Activity Monitoring (SAM) rules

Argument

Description

-C

Specifies that open connections should be closed.

-s <Source IP>

Specifies the Source IP address.

-m <Source Mask>

Specifies the Source subnet mask (in dotted decimal format - x.y.z.w).

-d <Destination IP>

Specifies the Destination IP address.

-M <Destination Mask>

Specifies the Destination subnet mask (in dotted decimal format - x.y.z.w).

-p <Port>

Specifies the port number (see IANA Service Name and Port Number Registry).

-r <Protocol>

Specifies the protocol number (see IANA Protocol Numbers).

Explanation for the Quota Filter Arguments syntax for Rate Limiting rules

Argument

Description

flush true

Specifies to compile and load the quota rule to the SecureXLClosed Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway. immediately.

[source-negated {true | false}] source <Source>

Specifies the source type and its value:

  • any

    The rule is applied to packets sent from all sources.

  • range:<IP Address>
    or
    range:<IP Address Start>-<IP Address End>

    The rule is applied to packets sent from:

    • Specified IPv4 addresses (x.y.z.w)

    • Specified IPv6 addresses (xxxx:yyyy:...:zzzz)

  • cidr:<IP Address>/<Prefix>

    The rule is applied to packets sent from:

    • IPv4 address with Prefix from 0 to 32

    • IPv6 address with Prefix from 0 to 128

  • cc:<Country Code>

    The rule matches the country code to the source IP addresses assigned to this country, based on the Geo IP database.

    The two-letter codes are defined in ISO 3166-1 alpha-2.

  • asn:<Autonomous System Number>

    The rule matches the AS number of the organization to the source IP addresses that are assigned to this organization, based on the Geo IP database.

    The valid syntax is ASnnnn, where nnnn is a number unique to the specific organization.

Notes:

  • Default is: source-negated false

  • The source-negated true processes all source types, except the specified type.

[destination-negated {true | false}] destination <Destination>

Specifies the destination type and its value:

  • any

    The rule is applied to packets sent to all destinations.

  • range:<IP Address>
    or
    range:<IP Address Start>-<IP Address End>

    The rule is applied to packets sent to:

    • Specified IPv4 addresses (x.y.z.w)

    • Specified IPv6 addresses (xxxx:yyyy:...:zzzz)

  • cidr:<IP Address>/<Prefix>

    The rule is applied to packets sent to:

    • IPv4 address with Prefix from 0 to 32

    • IPv6 address with Prefix from 0 to 128

  • cc:<Country Code>

    The rule matches the country code to the destination IP addresses assigned to this country, based on the Geo IP database.

    The two-letter codes are defined in ISO 3166-1 alpha-2.

  • asn:<Autonomous System Number>

    The rule matches the AS number of the organization to the destination IP addresses that are assigned to this organization, based on the Geo IP database.

    The valid syntax is ASnnnn, where nnnn is a number unique to the specific organization.

Notes:

  • Default is: destination-negated false

  • The destination-negated true will process all destination types except the specified type

[service-negated {true | false}] service <Protocol and Port numbers>

Specifies the Protocol number (see IANA Protocol Numbers) and Port number (see IANA Service Name and Port Number Registry):

  • <Protocol>

    IP protocol number in the range 1-255

  • <Protocol Start>-<Protocol End>

    Range of IP protocol numbers

  • <Protocol>/<Port>

    IP protocol number in the range 1-255 and TCP/UDP port number in the range 1-65535

  • <Protocol>/<Port Start>-<Port End>

    IP protocol number and range of TCP/UDP port numbers from 1 to 65535

Notes:

  • Default is: service-negated false

  • The service-negated true will process all traffic except the traffic with the specified protocols and ports

[<Limit 1 Name> <Limit 1 Value>] [<Limit 2 Name> <Limit 2 Value>] ... [<Limit N Name> <Limit N Value>]

Specifies quota limits and their values.

Note - Separate multiple quota limits with spaces.

  • concurrent-conns <Value>

    Specifies the maximal number of concurrent active connections that match this rule.

  • concurrent-conns-ratio <Value>

    Specifies the maximal ratio of the concurrent-conns value to the total number of active connections through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).

  • pkt-rate <Value>

    Specifies the maximum number of packets per second that match this rule.

  • pkt-rate-ratio <Value>

    Specifies the maximal ratio of the pkt-rate value to the rate of all connections through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).

  • byte-rate <Value>

    Specifies the maximal total number of bytes per second in packets that match this rule.

  • byte-rate-ratio <Value>

    Specifies the maximal ratio of the byte-rate value to the bytes per second rate of all connections through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).

  • new-conn-rate <Value>

    Specifies the maximal number of connections per second that match the rule.

  • new-conn-rate-ratio <Value>

    Specifies the maximal ratio of the new-conn-rate value to the rate of all connections per second through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).

[track <Track>]

Specifies the tracking option:

  • source

    Counts connections, packets, and bytes for specific source IP address, and not cumulatively for this rule.

  • source-service

    Counts connections, packets, and bytes for specific source IP address, and for specific IP protocol and destination port, and not cumulatively for this rule.

Examples