fw sam_policy add
Description
The "fw sam_policy add" and "fw6 sam_policy add" commands:
-
Add one Suspicious Activity Monitoring (SAM) rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. at a time.
-
Add one Rate Limiting rule at a time.
|
Notes:
|
|
Important:
|
|
Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection., educate users, or otherwise handle the risk. |
Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv4
|
Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv6
|
Syntax to configure a Rate Limiting rule for IPv4
|
Syntax to configure a Rate Limiting rule for IPv6
|
Parameters
Parameter |
Description |
||
---|---|---|---|
|
Runs the command in debug mode. Use only if you troubleshoot the command itself.
|
||
|
Optional. Specifies that the rule category is Default rule category is |
||
|
Mandatory. Specifies the rule action if the traffic matches the rule conditions:
|
||
|
Optional. Specifies which type of log to generate for this rule for all traffic that matches:
|
||
|
Optional. Specifies the time period (in seconds), during which the rule will be enforced. Default timeout is indefinite. |
||
|
Optional. Specifies the target Security Gateways, on which to enforce the Rate Limiting rule.
|
||
|
Optional. Specifies the name (label) for this rule. Notes:
|
||
|
Optional. Specifies the comment for this rule. Notes:
|
||
|
Optional. Specifies the name of the originator for this rule. Notes:
|
||
|
Optional. Specifies the name of the Security Zone for this rule. Notes:
|
||
|
Mandatory (use this Configures the Suspicious Activity Monitoring (SAM) rule. Specifies the IP Filter Arguments for the SAM rule (you must use at least one of these options):
See the explanations below. |
||
|
Mandatory (use this Configures the Rate Limiting rule. Specifies the Quota Filter Arguments for the Rate Limiting rule (see the explanations below):
|
Explanation for the IP Filter Arguments syntax for Suspicious Activity Monitoring (SAM) rules
Argument |
Description |
---|---|
|
Specifies that open connections should be closed. |
|
Specifies the Source IP address. |
|
Specifies the Source subnet mask (in dotted decimal format - x.y.z.w). |
|
Specifies the Destination IP address. |
|
Specifies the Destination subnet mask (in dotted decimal format - x.y.z.w). |
|
Specifies the port number (see IANA Service Name and Port Number Registry). |
|
Specifies the protocol number (see IANA Protocol Numbers). |
Explanation for the Quota Filter Arguments syntax for Rate Limiting rules
Argument |
Description |
---|---|
|
Specifies to compile and load the quota rule to the SecureXL Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway. immediately. |
|
Specifies the source type and its value:
Notes:
|
|
Specifies the destination type and its value:
Notes:
|
|
Specifies the Protocol number (see IANA Protocol Numbers) and Port number (see IANA Service Name and Port Number Registry):
Notes:
|
|
Specifies quota limits and their values. Note - Separate multiple quota limits with spaces.
|
|
Specifies the tracking option:
|
Examples
|
Explanations:
-
This rule drops packets for all connections (
-a d
) that exceed the quota set by this rule, including packets for existing connections. -
This rule logs packets (
-l r
) that exceed the quota set by this rule. -
This rule will expire in 3600 seconds (
-t 3600
). -
This rule limits the rate of creation of new connections to 5 connections per second (
new-conn-rate 5
) for any traffic (service any
) from the source IP addresses in the range 172.16.7.11 - 172.16.7.13 (source range:172.16.7.11-172.16.7.13
).Note - The limit of the total number of log entries per second is configured with the fwaccel dos config set -n <rate> command.
-
This rule will be compiled and loaded on the SecureXL, together with other rules in the Suspicious Activity Monitoring (SAM) policy database immediately, because this rule includes the "
flush true
" parameter.
|
Explanations:
-
This rule logs and lets through all packets (
-a n
) that exceed the quota set by this rule. -
This rule does not expire (the
timeout
parameter is not specified). To cancel it, you must delete it explicitly. -
This rule applies to all packets except (
service-negated true
) the packets with IP protocol number 1, 50-51, 6 port 443 and 17 port 53 (service 1,50-51,6/443,17/53
). -
This rule applies to all packets from source IP addresses that are assigned to the country with specified country code (
cc:QQ
). -
This rule does not let any traffic through (
byte-rate 0
) except the packets with IP protocol number 1, 50-51, 6 port 443 and 17 port 53. -
This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "
flush true
" parameter.
|
Explanations:
-
This rule drops (
-a d
) all packets that match this rule. -
This rule does not expire (the
timeout
parameter is not specified). To cancel it, you must delete it explicitly. -
This rule applies to packets from the Autonomous System number 64500 (
asn:AS64500
). -
This rule applies to packets from source IPv6 addresses FFFF:C0A8:1100/120 (
cidr:[::FFFF:C0A8:1100]/120
). -
This rule applies to all traffic (
service any
). -
This rule does not let any traffic through (
pkt-rate 0
). -
This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "
flush true
" parameter.
|
Explanations:
-
This rule bypasses (
-a b
) all packets that match this rule.Note - The Access Control Policy and other types of security policy rules still apply.
-
This rule does not expire (the
timeout
parameter is not specified). To cancel it, you must delete it explicitly. -
This rule applies to packets from the source IP addresses in the range 172.16.8.17 - 172.16.9.121 (
range:172.16.8.17-172.16.9.121
). -
This rule applies to packets sent to TCP port 80 (
service 6/80
). -
This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "
flush true
" parameter.
|
Explanations:
-
This rule drops (
-a d
) all packets that match this rule. -
This rule does not log any packets (the
-l r
parameter is not specified). -
This rule does not expire (the
timeout
parameter is not specified). To cancel it, you must delete it explicitly. -
This rule applies to all traffic (
service any
). -
This rule applies to all sources except (
source-negated true
) the source IP addresses that are assigned to the country with specified country code (cc:QQ
). -
This rule limits the maximal number of concurrent active connections to 655/65536=~1% (
concurrent-conns-ratio 655
) for any traffic (service any
) except (service-negated true
) the connections from the source IP addresses that are assigned to the country with specified country code (cc:QQ
). -
This rule counts connections, packets, and bytes for traffic only from sources that match this rule, and not cumulatively for this rule.
-
This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "
flush true
" parameter.