fwaccel dos deny

Description

The fwaccel dos deny command (IPv4 addresses) and the fwaccel6 dos deny command (IPv6 addresses) control the IP deny-list in SecureXL.

The deny-list blocks all traffic to and from the specified IP addresses.

The deny-list drops occur in SecureXL, which drops the packets more efficiently than a drop rule in the Access Control Policy.

Important:

  • In VSX mode, you must go to the context of an applicable Virtual System.
    In Gaia Clish, run: set virtual-system <VSID>
    In the Expert mode, run: vsenv <VSID>

  • In a Cluster, you must configure all the Cluster Members in the same way.

  • To enforce the IP deny-list in SecureXL, you must first enable the IP deny-lists.

    See these commands:

Syntax for IPv4

fwaccel dos deny

      -a <IPv4 Address>

      -d <IPv4 Address>

      -F

      -M {on | off}

      -m

      -N "<Name of IP Deny-list>"

      -n

      -s

Syntax for IPv6

fwaccel6 dos deny

      -a <IPv6 Address>

      -d <IPv6 Address>

      -F

      -M {on | off}

      -m

      -N "<Name of IP Deny-list>"

      -n

      -s

Parameters

Parameter

Description

No Parameters

Shows the applicable built-in usage.

-a <IP Address>

Adds the specified IP address to the deny-list.

To add more than one IP address, run this command for each applicable IP address.

-d <IP Address>

Removes the specified IP address from the deny-list.

To remove more than one IP address, run this command once for each applicable IP address.

-F

Removes (flushes) all IP addresses from the IP deny-list.

-M {on | off}

Enables (on) or disables (off) the monitor-only mode for the IP deny-list.

By default, the monitor-only mode is disabled.

In monitor-only mode, traffic that matches the IP deny-list is not dropped, so you can test the list before you enforce it.

This setting affects only the IP deny-list (it does not affect the fw samp rules, and so on).

-m

Shows the current status of the monitor-only mode for the IP deny-list (enabled or disabled).

-N "<Name of IP Deny-list>"

Configures the name for the IP deny-list.

This name appears in the Security Gateway logs.

Notes:

  • Maximum length is 79 characters.

  • Use only ASCII characters.

-n

Shows the configured name for the IP deny-list.

-s

Shows the configured deny-list.

Example from a non-VSX Gateway

[Expert@MyGW:0]# fwaccel dos deny -s
The deny list is empty
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -a 1.1.1.1
Adding 1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
1.1.1.1
[Expert@MyGW:0]# fwaccel dos deny -a 2.2.2.2
Adding 2.2.2.2
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
2.2.2.2
1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -d 2.2.2.2
Deleting 2.2.2.2
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -F
All deny list entries deleted
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
The deny list is empty
[Expert@MyGW:0]#
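Because each -a call adds exactly one address, and IPv4 and IPv6 addresses go through different commands (fwaccel versus fwaccel6), loading a longer list by hand is error-prone. The script below is an added example, not part of the Check Point documentation and not a Check Point tool: it reads addresses from a file, validates each one, picks fwaccel or fwaccel6, names the list, switches monitor-only mode on before adding anything, and refuses list names that break the 79-character ASCII limit. The FWACCEL_RUN variable is an assumption introduced here for a dry run: it defaults to "echo" so the script only prints the commands on any machine; set it to an empty string in the Expert mode of a Security Gateway to execute them. The address file is constructed sample data. In a cluster, run it identically on every Cluster Member; in VSX mode, run it inside the context of the Virtual System.

```shell
#!/bin/sh
# Added example (not from the Check Point CLI reference): bulk-load the
# SecureXL IP deny-list. FWACCEL_RUN is an assumed hook for dry runs:
# "echo" (default) prints the commands, "" executes them on a gateway.
FWACCEL_RUN="${FWACCEL_RUN-echo}"

# Count ':' characters in a string (POSIX sh, no external tools).
count_colons() {
    s=$1; n=0
    while [ "${s#*:}" != "$s" ]; do s=${s#*:}; n=$((n + 1)); done
    echo "$n"
}

# Exactly four dotted decimal octets, each in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|"") return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Basic syntactic IPv6 check: hex groups of at most four digits, at most
# one "::", eight groups unless compressed. Zone IDs are rejected.
is_ipv6() {
    case "$1" in
        *[!0-9A-Fa-f:]*|"") return 1 ;;
        *:::*|*::*::*) return 1 ;;
        :[!:]*|*[!:]:) return 1 ;;
        *[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]*) return 1 ;;
    esac
    n=$(count_colons "$1")
    [ "$n" -ge 2 ] && [ "$n" -le 7 ] || return 1
    case "$1" in *::*) return 0 ;; esac
    [ "$n" -eq 7 ]
}

# Name constraints from the -N parameter: at most 79 printable ASCII chars.
valid_list_name() {
    [ -n "$1" ] && [ ${#1} -le 79 ] || return 1
    # grep succeeds if any byte falls outside 0x20-0x7E (non-ASCII or control)
    if printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]'; then return 1; fi
    return 0
}

# Print the exact command for one address; fail on anything that is not
# a valid IPv4 or IPv6 address so it never reaches the gateway.
deny_cmd() {
    if is_ipv4 "$1"; then printf 'fwaccel dos deny -a %s\n' "$1"
    elif is_ipv6 "$1"; then printf 'fwaccel6 dos deny -a %s\n' "$1"
    else return 1
    fi
}

# Load one address per line ('#' comments allowed). Sets the list name and
# turns monitor-only mode on first so the list can be verified before it
# drops traffic. Returns non-zero if any line was rejected.
load_deny_list() {
    file=$1; name=$2; rc=0
    valid_list_name "$name" || { echo "invalid deny-list name: $name" >&2; return 2; }
    $FWACCEL_RUN fwaccel dos deny -N "$name"
    $FWACCEL_RUN fwaccel6 dos deny -N "$name"
    $FWACCEL_RUN fwaccel dos deny -M on
    $FWACCEL_RUN fwaccel6 dos deny -M on
    while IFS= read -r line || [ -n "$line" ]; do
        addr=${line%%#*}            # strip trailing comment
        set -- $addr; addr=${1-}    # trim surrounding whitespace
        [ -n "$addr" ] || continue
        cmd=$(deny_cmd "$addr") || { echo "skipping invalid address: $addr" >&2; rc=1; continue; }
        $FWACCEL_RUN $cmd
    done < "$file"
    return $rc
}

# Demo on a constructed address file (not real attacker data). With the
# default dry run this only prints the commands it would execute.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# constructed sample: one entry per line
203.0.113.7
198.51.100.42
2001:db8::7
999.1.1.1          # rejected: not a valid IPv4 address
EOF
load_deny_list "$demo_file" "blocked-scanners" || echo "some entries were rejected" >&2
rm -f "$demo_file"
```

After loading, check the result with fwaccel dos deny -s and fwaccel6 dos deny -s, watch the logs for the list name, and only then run fwaccel dos deny -M off (and the fwaccel6 equivalent) to start dropping.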