fw sam_policy del

Description

The "fw sam_policy del" and "fw6 sam_policy del" commands:

Delete one configured Suspicious Activity Monitoring (SAM) rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. at a time.
Delete one configured Rate Limiting rule at a time.

Notes:

These commands are interchangeable:
- For IPv4: "fw sam_policy" and "fw samp".
- For IPv6: "fw6 sam_policy" and "fw6 samp".
You can run these commands in Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)., or Expert mode.
Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:

Configuration you make with these commands, survives reboot.
VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
In VSX mode, you must go to the context of an applicable Virtual System.
- In Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Clish, run: set virtual-system <VSID>
- In the Expert mode, run: vsenv <VSID>
In a Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection., educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy del '<Rule UID>'

Syntax for IPv6

fw6 [-d] sam_policy del '<Rule UID>'

Parameters

Parameter

Description

-d

Runs the command in debug mode.

Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

'<Rule UID>'

Specifies the UID of the rule you wish to delete.

Important:

The quote marks and angle brackets ('<...>') are mandatory.
To see the Rule UID, run the fw sam_policy get command.

Procedure

List all the existing rules in the Suspicious Activity Monitoring policy database

List all the existing rules in the Suspicious Activity Monitoring policy database.

For IPv4, run:

fw sam_policy get

For IPv6, run:

fw6 sam_policy get

The rules show in this format:

operation=add uid=<Value1,Value2,Value3,Value4> target=... timeout=... action=... log= ... name= ... comment=... originator= ... src_ip_addr=... req_tpe=...

Example for IPv4:

operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip

Delete a rule from the list by its UID

For IPv4, run:

fw [-d] sam_policy del '<Rule UID>'

For IPv6, run:

fw6 [-d] sam_policy del '<Rule UID>'

Example for IPv4:

fw samp del '<5ac3965f,00000000,3403a8c0,0000264a>'

Add the flush-only rule

For IPv4, run:

fw samp add -t 2 quota flush true

For IPv6, run:

fw6 samp add -t 2 quota flush true

Explanation:

The "fw samp del" and "fw6 samp del" commands only remove a rule from the persistent database. The Security Gateway continues to enforce the deleted rule until the next time you compiled and load a policy. To force the rule deletion immediately, you must enter a flush-only rule right after the "fw samp del" and "fw6 samp del" command. This flush-only rule immediately deletes the rule you specified in the previous step, and times out in 2 seconds.

Best Practice - Specify a short timeout period for the flush-only rules. This prevents accumulation of rules that are obsolete in the database.