fw sam


Manages the Suspicious Activity Monitoring (SAM) rules. You can use the SAM rules to block connections to and from IP addresses without the need to change or reinstall the Security Policy. For more information, see sk112061.

You can create the Suspicious Activity Rules in two ways:

  • In SmartConsole from Monitoring Results

  • In CLI with the fw sam command


  • VSX Gateways and VSX Cluster Members do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.

  • See the "fw sam_policy" and "sam_alert" commands.

  • SAM rules consume some CPU resources on Security Gateway.

    Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

  • Logs for enforced SAM rules (configured with the fw sam command) are stored in the $FWDIR/log/sam.dat file.

    By design, the file is purged when the number of stored entries reaches 100,000.

    This data log file contains the records in one of these formats:

  • SAM Requests are stored on the Security Gateway in the kernel table sam_requests.

  • IP Addresses that are blocked by SAM rules, are stored on the Security Gateway in the kernel table sam_blocked_ips.

Note - To configure SAM Server settings for a Security Gateway or Cluster:

  1. Connect with SmartConsole to the applicable Security Management Server or Domain Management Server.

  2. From the left navigation panel, click Gateways & Servers.

  3. Open the Security Gateway or Cluster object.

  4. From the left tree, click Other > SAM.

  5. Configure the settings.

  6. Click OK.

  7. Install the Access Control Policy on this Security Gateway or Cluster object.


  • To add or cancel a SAM rule according to criteria:

    fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-t <Timeout>] [-l <Log Type>] [-C] [-e <key=val>]+ [-r] -{n|i|I|j|J} <Criteria>

  • To delete all SAM rules:

    fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] -D

  • To monitor all SAM rules:

    fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-r] -M -{i|j|n|b|q} all

  • To monitor SAM rules according to criteria:

    fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-r] -M -{i|j|n|b|q} <Criteria>





-d

Runs the command in debug mode.

Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.


-v

Enables verbose mode.

In this mode, the command writes one message to stderr for each Security Gateway, on which the command is enforced. These messages show whether the command was successful or not.

-s <SAM Server>

Specifies the IP address (in the X.X.X.X format) or resolvable HostName of the Security Gateway that enforces the command.

The default is localhost.

-S <SIC Name of SAM Server>

Specifies the SIC name for the SAM server to be contacted. It is expected that the SAM server has this SIC name, otherwise the connection fails.


  • If you do not explicitly specify the SIC name, the connection continues without SIC names comparison.

  • For more information about enabling SIC, refer to the OPSEC API Specification.

  • On VSX Gateway, run the fw vsx showncs -vs <VSID> command to show the SIC name for the applicable Virtual System.

-f <Security Gateway>

Specifies the Security Gateway, on which to enforce the action.

<Security Gateway> can be one of these:

  • All - Default. Specifies to enforce the action on all managed Security Gateways, where SAM Server runs.

    You can use this syntax only on Security Management Server or Domain Management Server.

  • localhost - Specifies to enforce the action on this local Check Point computer (on which the fw sam command is executed).

    You can use this syntax only on Security Gateway or StandAlone.

  • Gateways - Specifies to enforce the action on all objects defined as Security Gateways, on which SAM Server runs.

    You can use this syntax only on Security Management Server or Domain Management Server.

  • Name of Security Gateway object - Specifies to enforce the action on this specific Security Gateway object.

    You can use this syntax only on Security Management Server or Domain Management Server.

  • Name of Group object - Specifies to enforce the action on all specific Security Gateways in this Group object.


  • You can use this syntax only on Security Management Server or Domain Management Server.

  • VSX Gateways and VSX Cluster Members do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.


-D

Cancels all inhibit ("-i", "-j", "-I", "-J") and notify ("-n") parameters.


  • To "uninhibit" the inhibited connections, run the fw sam command with the "-C" or "-D" parameters.

  • It is also possible to use this command for active SAM requests.


-C

Cancels the fw sam command to inhibit connections with the specified parameters.


  • These connections are no longer inhibited (no longer rejected or dropped).

  • The command parameters must match the parameters in the original fw sam command, except for the -t <Timeout> parameter.

-t <Timeout>

Specifies the time period (in seconds), during which the action is enforced.

The default is forever, or until you cancel the fw sam command.

-l <Log Type>

Specifies the type of the log for enforced action:

  • nolog - Does not generate Log / Alert at all

  • short_noalert - Generates a Log

  • short_alert - Generates an Alert

  • long_noalert - Generates a Log

  • long_alert - Generates an Alert (this is the default)

-e <key=val>+

Specifies rule information based on the keys and the provided values.

Multiple keys are separated by the plus sign (+).

Available keys are (each is limited to 100 characters):

  • name - Security rule name

  • comment - Security rule comment

  • originator - Security rule originator's username


-r

Specifies not to resolve IP addresses.


-n

Specifies to generate a "Notify" long-format log entry.


  • This parameter generates an alert when connections that match the specified services or IP addresses pass through the Security Gateway.

  • This action does not inhibit / close connections.


-i

Inhibits (drops or rejects) new connections with the specified parameters.


  • Each inhibited connection is logged according to the log type.

  • Matching connections are rejected.


-I

Inhibits (drops or rejects) new connections with the specified parameters, and closes all existing connections with the specified parameters.


  • Matching connections are rejected.

  • Each inhibited connection is logged according to the log type.


-j

Inhibits (drops or rejects) new connections with the specified parameters.


  • Matching connections are dropped.

  • Each inhibited connection is logged according to the log type.


-J

Inhibits new connections with the specified parameters, and closes all existing connections with the specified parameters.


  • Matching connections are dropped.

  • Each inhibited connection is logged according to the log type.


-b

Bypasses new connections with the specified parameters.


-q

Quarantines new connections with the specified parameters.


-M

Monitors the active SAM requests with the specified actions and criteria.


all

Gets all active SAM requests. This is used for monitoring purposes only.


<Criteria>

Criteria are used to match connections.

The criteria are composed of various combinations of the following parameters:


Possible combinations are (see the explanations below this list):

  • src <IP>

  • dst <IP>

  • any <IP>

  • subsrc <IP> <Netmask>

  • subdst <IP> <Netmask>

  • subany <IP> <Netmask>

  • srv <Src IP> <Dest IP> <Port> <Protocol>

  • subsrv <Src IP> <Src Netmask> <Dest IP> <Dest Netmask> <Port> <Protocol>

  • subsrvs <Src IP> <Src Netmask> <Dest IP> <Port> <Protocol>

  • subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port> <Protocol>

  • dstsrv <Dest IP> <Port> <Protocol>

  • subdstsrv <Dest IP> <Dest Netmask> <Port> <Protocol>

  • srcpr <IP> <Protocol>

  • dstpr <IP> <Protocol>

  • subsrcpr <IP> <Netmask> <Protocol>

  • subdstpr <IP> <Netmask> <Protocol>

  • generic <key=val>

Explanation for the <Criteria> syntax



src <IP>

Matches the Source IP address of the connection.

dst <IP>

Matches the Destination IP address of the connection.

any <IP>

Matches either the Source IP address or the Destination IP address of the connection.

subsrc <IP> <Netmask>

Matches the Source IP address of the connections according to the netmask.

subdst <IP> <Netmask>

Matches the Destination IP address of the connections according to the netmask.

subany <IP> <Netmask>

Matches either the Source IP address or Destination IP address of connections according to the netmask.

srv <Src IP> <Dest IP> <Port> <Protocol>

Matches the specific Source IP address, Destination IP address, Service (port number) and Protocol.

subsrv <Src IP> <Netmask> <Dest IP> <Netmask> <Port> <Protocol>

Matches the specific Source IP address, Destination IP address, Service (port number) and Protocol.

Source and Destination IP addresses are assigned according to the netmask.

subsrvs <Src IP> <Src Netmask> <Dest IP> <Port> <Protocol>

Matches the specific Source IP address, source netmask, Destination IP address, Service (port number) and Protocol.

subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port> <Protocol>

Matches specific Source IP address, Destination IP, destination netmask, Service (port number) and Protocol.

dstsrv <Dest IP> <Service> <Protocol>

Matches specific Destination IP address, Service (port number) and Protocol.

subdstsrv <Dest IP> <Netmask> <Port> <Protocol>

Matches specific Destination IP address, Service (port number) and Protocol.

Destination IP address is assigned according to the netmask.

srcpr <IP> <Protocol>

Matches the Source IP address and protocol.

dstpr <IP> <Protocol>

Matches the Destination IP address and protocol.

subsrcpr <IP> <Netmask> <Protocol>

Matches the Source IP address and protocol of connections.

Source IP address is assigned according to the netmask.

subdstpr <IP> <Netmask> <Protocol>

Matches the Destination IP address and protocol of connections.

Destination IP address is assigned according to the netmask.

generic <key=val>+

Matches the GTP connections based on the specified keys and provided values.

Multiple keys are separated by the plus sign (+).

Available keys are:

  • service=gtp

  • imsi

  • msisdn

  • apn

  • tunl_dst

  • tunl_dport

  • tunl_proto
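
The Best Practice of setting an expiration, and the rule that a "-C" cancel must repeat the original parameters except "-t", can be enforced by generating both command lines from one set of inputs. This is an added example, not part of the Check Point documentation: sam_rule and valid_ipv4 are hypothetical helpers, the rule name and address are constructed sample values, and the script only prints the commands without running fw.

```shell
#!/bin/sh
# Added example, not Check Point code. Prints fw sam command lines; runs nothing.

# valid_ipv4 ADDR: succeeds only for four dot-separated octets in 0..255.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# sam_rule MODE ACTION SRC_IP TIMEOUT NAME  (hypothetical helper)
#   MODE: add | cancel    ACTION: i | I | j | J    TIMEOUT: seconds (add only)
sam_rule() {
    mode=$1 action=$2 ip=$3 timeout=$4 name=$5
    case $action in
        i|I|j|J) ;;
        *) echo "unsupported action: $action" >&2; return 1 ;;
    esac
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    # -e values are limited to 100 characters (per the parameter list). The
    # character allow-list is this example's own choice, since '+' separates keys.
    case $name in ''|*[!A-Za-z0-9_.-]*) echo "invalid rule name" >&2; return 1 ;; esac
    [ ${#name} -le 100 ] || { echo "rule name too long" >&2; return 1; }
    case $mode in
        add)
            # Refuse rules without an expiration (the Best Practice above).
            case $timeout in ''|*[!0-9]*) echo "timeout required" >&2; return 1 ;; esac
            [ "$timeout" -gt 0 ] || { echo "timeout must be > 0" >&2; return 1; }
            echo "fw sam -t $timeout -e name=$name -$action src $ip" ;;
        cancel)
            # Same parameters as the original rule, minus -t, plus -C.
            echo "fw sam -C -e name=$name -$action src $ip" ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Constructed sample values (192.0.2.0/24 is a documentation range).
sam_rule add j 192.0.2.10 3600 ir-case-0001
sam_rule cancel j 192.0.2.10 "" ir-case-0001
```

Recording the printed add line in the incident ticket keeps the exact parameters available for the later cancel.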