fwaccel dos pbox

Description

The fwaccel dos pbox command controls the Penalty Box allow-list in SecureXL.

The SecureXL Penalty Box is a mechanism that performs an early drop of packets that arrive from suspected sources. The purpose of this feature is to allow the Security Gateway to cope better under high traffic load, possibly caused by a DoS/DDoS attack.

The SecureXL Penalty Box detects clients that send packets, which the Access Control Policy drops, and clients that violate the IPS protections. If the SecureXL Penalty Box detects a specific client frequently, it puts that client in a penalty box. From that point, SecureXL drops all packets that arrive from the blocked source IP address.

The Penalty Box allow-list in SecureXL configures the source IP addresses, which the SecureXL Penalty Box never blocks.

Important:

  • This command supports only IPv4.

  • In VSX mode, you must go to the context of an applicable Virtual System.In Gaia Clish, run: set virtual-system <VSID>In the Expert mode, run: vsenv <VSID>

  • In a Cluster, you must configure all the Cluster Members in the same way.

  • To enforce the Penalty Box in SecureXL, you must first enable the Penalty Box.

    See these commands:

Syntax for IPv4

fwaccel dos pbox

      allow

            -a <IPv4 Address>[/<Subnet Prefix>]

            -d <IPv4 Address>[/<Subnet Prefix>]

            -F

            -l /<Path>/<Name of File>

            -L

            -s

      flush

Parameters

Parameter

Description

No Parameters

Shows the applicable built-in usage.

allow <options>

Configures the allow-list for source IP addresses in the SecureXL Penalty Box.

Important - This allow-list overrides which packet the SecureXL Penalty Box drops. Before you use a 3rd-party or automatic blacklists, add trusted networks and hosts to the allow-list to avoid outages.

Note - This command is similar to the fwaccel dos allow command.

allow -a <IPv4 Address>[/<Subnet Prefix>]

Adds the specified IP address to the Penalty Box allow-list.

  • <IPv4 Address>

    Can be an IP address of a network or a host.

  • <Subnet Prefix>

    Must specify the length of the subnet mask in the format /<bits>.

    Optional for a host IP address.

    Mandatory for a network IP address.

    Range - from /1 to /32.

    Important - If you do not specify the subnet prefix explicitly, this command uses the subnet prefix /32.

Examples:

  • For a host:

    192.168.20.30

    192.168.20.30/32

  • For a network:

    192.168.20.0/24

allow -d <IPv4 Address>[/<Subnet Prefix>]

Removes the specified IP address from the Penalty Box allow-list.

  • <IPv4 Address>

    Can be an IP address of a network or a host.

  • <Subnet Prefix>

    Optional. Must specify the length of the subnet mask in the format /<bits>.

    Optional for a host IP address.

    Mandatory for a network IP address.

    Range - from /1 to /32.

    Important - If you do not specify the subnet prefix explicitly, this command uses the subnet prefix /32.

allow -F

Removes (flushes) all entries from the Penalty Box allow-list.

allow -l /<Path>/<Name of File>

Loads the Penalty Box allow-list entries from the specified plain-text file.

Important:

  • You must manually create and configure this file with the touch or vi command.

  • You must assign at least the read permission to this file with the chmod +x command.

  • Each entry in this file must be on a separate line.

  • Each entry in this file must be in this format:

    <IPv4 Address>[/<Subnet Prefix>]

  • SecureXL ignores empty lines and lines that start with the # character in this file.

allow -L

Loads the Penalty Box allow-list entries from the plain-text file with a predefined name:

$FWDIR/conf/pbox-allow-list-v4.conf

Security Gateway automatically runs this command "fwaccel dos pbox allow -L" during each boot.

Important:

  • This file does not exist by default.

  • You must manually create and configure this file with the touch or vi command.

  • You must assign at least the read permission to this file with the chmod +x command.

  • Each entry in this file must be on a separate line.

  • Each entry in this file must be in this format:

    <IPv4 Address>[/<Subnet Prefix>]

  • SecureXL ignores empty lines and lines that start with the # character in this file.

allow -s

Shows the current Penalty Box allow-list entries.

flush

Removes (flushes) all source IP addresses from the Penalty Box.

Example 1 - Adding a host IP address without optional subnet prefix

[Expert@MyGW:0]# fwaccel dos pbox allow -a 192.168.20.40
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -s
192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -F
[Expert@MyGW:0]# fwaccel dos pbox allow -s
[Expert@MyGW:0]#

Example 2 - Adding a host IP address with optional subnet prefix

[Expert@MyGW:0]# fwaccel dos pbox allow -a 192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -s
192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -F
[Expert@MyGW:0]# fwaccel dos pbox allow -s
[Expert@MyGW:0]#

Example 3 - Adding a network IP address with mandatory subnet prefix

[Expert@MyGW:0]# fwaccel dos pbox allow -a 192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -s
192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -F
[Expert@MyGW:0]# fwaccel dos pbox allow -s
[Expert@MyGW:0]#

Example 4 - Deleting an entry

[Expert@MyGW:0]# fwaccel dos pbox allow -a 192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -a 192.168.20.70/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -s
192.168.20.40/32
192.168.20.70/32
[Expert@MyGW:0]# fwaccel dos pbox allow -d 192.168.20.70/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -s
192.168.20.40/32
[Expert@MyGW:0]#