fwaccel dos allow

Description

The fwaccel dos allow command configures the allow-list for source IP addresses in the SecureXL Penalty Box.

For the listed source addresses, this allow-list overrides the drop decision of the SecureXL Penalty Box.

Important:

  • This command supports only IPv4.

  • In VSX mode, you must go to the context of an applicable Virtual System:

    • In Gaia Clish, run: set virtual-system <VSID>

    • In the Expert mode, run: vsenv <VSID>

  • In a Cluster, you must configure all the Cluster Members in the same way.

  • This allow-list overrides entries in the blacklist.

    Before you use third-party or automatic blacklists, add trusted networks and hosts to the allow-list to avoid outages.

  • This allow-list unblocks IP Options and IP fragments from trusted sources when you explicitly configure one of these SecureXL features:

    • --enable-drop-opts

    • --enable-drop-frags

    See the fwaccel dos config command.

Notes:

  • To configure an allow-list for the Rate Limiting policy, refer to the bypass action of the fw samp command.

    For example, fw samp -a b ...

    For more information about the fw sam_policy command, see the R81 Performance Tuning Administration Guide - Chapter SecureXL Commands and Debug - Section fw sam_policy.

  • This command is similar to the "fwaccel dos pbox allow" command (see fwaccel dos pbox).

  • Also, see the fwaccel synatk allow command.

Syntax for IPv4

fwaccel dos allow

      -a <IPv4 Address>[/<Subnet Prefix>]

      -d <IPv4 Address>[/<Subnet Prefix>]

      -F

      -l /<Path>/<Name of File>

      -L

      -s

Parameters

Parameter

Description

No Parameters

Shows the applicable built-in usage.

-a <IPv4 Address>[/<Subnet Prefix>]

Adds the specified IP address to the Penalty Box allow-list.

  • <IPv4 Address>

    Can be an IPv4 address of a network or a host.

  • <Subnet Prefix>

    Must specify the length of the subnet mask in the format /<bits>.

    Optional for a host IPv4 address.

    Mandatory for a network IPv4 address.

    Range - from /1 to /32.

    Important - If you do not specify the subnet prefix explicitly, this command uses the subnet prefix /32.

Examples:

  • For a host:

    192.168.20.30

    192.168.20.30/32

  • For a network:

    192.168.20.0/24

-d <IPv4 Address>[/<Subnet Prefix>]

Removes the specified IPv4 address from the Penalty Box allow-list.

  • <IPv4 Address>

    Can be an IPv4 address of a network or a host.

  • <Subnet Prefix>

    Must specify the length of the subnet mask in the format /<bits>.

    Optional for a host IPv4 address.

    Mandatory for a network IPv4 address.

    Range - from /1 to /32.

    Important - If you do not specify the subnet prefix explicitly, this command uses the subnet prefix /32.

-F

Removes (flushes) all entries from the Penalty Box allow-list.

-l /<Path>/<Name of File>

Loads the Penalty Box allow-list entries from the specified plain-text file.

Note - To replace the current allow-list with the contents of a new file, use both the "-F" and "-l" parameters on the same command line.

Important:

  • You must manually create and configure this file with the touch or vi command.

  • You must assign at least the read permission to this file with the chmod +x command.

  • Each entry in this file must be on a separate line.

  • Each entry in this file must be in this format:

    <IPv4 Address>[/<Subnet Prefix>]

  • SecureXL ignores empty lines and lines that start with the # character in this file.

-L

Loads the Penalty Box allow-list entries from the plain-text file with a predefined name:

$FWDIR/conf/pbox-allow-list-v4.conf

Security Gateway automatically runs this command "fwaccel dos pbox allow -L" during each boot.

Note - To replace the current allow-list with the contents of a new file, use both the "-F" and "-L" parameters on the same command line.

Important:

  • This file does not exist by default.

  • You must manually create and configure this file with the touch or vi command.

  • You must assign at least the read permission to this file with the chmod +x command.

  • Each entry in this file must be on a separate line.

  • Each entry in this file must be in this format:

    <IPv4 Address>[/<Subnet Prefix>]

  • SecureXL ignores empty lines and lines that start with the # character in this file.
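The file format described for the "-l" and "-L" parameters above is easy to get wrong by hand, and a bad entry is only discovered when the gateway rejects the load. The following script is an added example and is not a Check Point tool: it checks an allow-list file against the rules stated on this page (one entry per line, <IPv4 Address>[/<Subnet Prefix>], prefix range /1 to /32, /32 assumed when the prefix is omitted, empty lines and "#" lines ignored) and only then replaces the running allow-list with "fwaccel dos allow -F -l". It adds one check of its own that the page does not state: a network entry must not carry host bits, so a typo such as 192.168.20.30/24 is reported instead of being loaded. The script name pbox-allow-check.sh and the --load option are this example's own choices.

```shell
#!/bin/sh
# Added example, not a Check Point tool: validate a Penalty Box allow-list file
# before loading it with "fwaccel dos allow -F -l <file>" (or before placing it
# at $FWDIR/conf/pbox-allow-list-v4.conf for "-L").
# Rules taken from the fwaccel dos allow documentation: one entry per line in
# the form <IPv4 Address>[/<Subnet Prefix>], prefix range /1 to /32, /32 assumed
# when the prefix is omitted, empty lines and lines starting with '#' ignored.
# Extra check that is this example's own choice (not stated in the docs): when
# the prefix is shorter than /32, the host bits of the address must be zero.

# valid_octet OCTET: decimal 0-255 with no leading zero (which the shell's
# arithmetic would otherwise read as octal).
valid_octet() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        0) return 0 ;;
        0*) return 1 ;;
    esac
    [ "${#1}" -le 3 ] && [ "$1" -le 255 ]
}

# normalize_entry ENTRY: prints the entry as <ip>/<prefix> and returns 0,
# or prints nothing and returns 1 when the entry is not acceptable.
normalize_entry() {
    entry=$1
    case "$entry" in
        */*) ip=${entry%%/*}; prefix=${entry#*/} ;;
        *)   ip=$entry;       prefix=32 ;;
    esac
    # exactly four dot-separated octets (set -f keeps '*' from globbing)
    oldifs=$IFS; IFS=.; set -f
    set -- $ip
    IFS=$oldifs; set +f
    [ $# -eq 4 ] || return 1
    for o in "$@"; do valid_octet "$o" || return 1; done
    # prefix must be an integer from 1 to 32
    case "$prefix" in ''|*[!0-9]*|0*) return 1 ;; esac
    [ "${#prefix}" -le 2 ] && [ "$prefix" -le 32 ] || return 1
    # a network entry must not carry host bits
    addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    hostbits=$(( 32 - prefix ))
    if [ "$hostbits" -gt 0 ]; then
        mask=$(( (1 << hostbits) - 1 ))
        [ $(( addr & mask )) -eq 0 ] || return 1
    fi
    printf '%s/%s\n' "$ip" "$prefix"
}

# validate_allowlist FILE: prints every accepted entry in normalized form,
# reports each rejected entry on stderr with its line number, and returns 1 if
# any entry was rejected.
validate_allowlist() {
    file=$1; rc=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;   # SecureXL ignores these lines, and so do we
        esac
        if ! normalize_entry "$line"; then
            printf '%s: line %d: rejected entry "%s"\n' "$file" "$n" "$line" >&2
            rc=1
        fi
    done < "$file"
    return "$rc"
}

# load_allowlist FILE: replace the running allow-list with FILE only when every
# entry passed validation, then show the result. Meant to run on the gateway.
load_allowlist() {
    validate_allowlist "$1" > /dev/null || return 1
    fwaccel dos allow -F -l "$1" && fwaccel dos allow -s
}

# Usage on a gateway:  sh pbox-allow-check.sh --load /path/to/allow-list.txt
if [ "${1-}" = "--load" ] && [ -n "${2-}" ]; then
    load_allowlist "$2"
fi
```

Running the script with --load against the file you intend to use with "-l" (or against $FWDIR/conf/pbox-allow-list-v4.conf before the next boot picks it up with "-L") reports every rejected line with its line number and leaves the running allow-list untouched until the file is clean.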

-s

Shows the current Penalty Box allow-list entries.

Example 1 - Adding a host IP address without optional subnet prefix

[Expert@MyGW:0]# fwaccel dos allow -a 192.168.20.40
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos allow -s
192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos allow -F
[Expert@MyGW:0]# fwaccel dos allow -s
[Expert@MyGW:0]#

Example 2 - Adding a host IP address with optional subnet prefix

[Expert@MyGW:0]# fwaccel dos allow -a 192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos allow -s
192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos allow -F
[Expert@MyGW:0]# fwaccel dos allow -s
[Expert@MyGW:0]#

Example 3 - Adding a network IP address with mandatory subnet prefix

[Expert@MyGW:0]# fwaccel dos allow -a 192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos allow -s
192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos allow -F
[Expert@MyGW:0]# fwaccel dos allow -s
[Expert@MyGW:0]#

Example 4 - Deleting an entry

[Expert@MyGW:0]# fwaccel dos allow -a 192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos allow -a 192.168.20.70/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos allow -s
192.168.20.40/32
192.168.20.70/32
[Expert@MyGW:0]# fwaccel dos allow -d 192.168.20.70/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos allow -s
192.168.20.40/32
[Expert@MyGW:0]#