fw sam_policy batch

Description

The "fw sam_policy batch" and "fw6 sam_policy batch" commands:

  • Add and delete many Suspicious Activity Monitoring (SAM) rules at a time.

  • Add and delete many Rate Limiting rules at a time.

Notes:

  • These commands are interchangeable:

    • For IPv4: "fw sam_policy" and "fw samp".

    • For IPv6: "fw6 sam_policy" and "fw6 samp".

  • You can run these commands in Gaia Clish, or Expert mode.

  • Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.

  • Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:

  • Configuration you make with these commands, survives reboot.

  • VSX mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.

  • In VSX mode, you must go to the context of an applicable Virtual System.

    • In Gaia Clish, run: set virtual-system <VSID>

    • In the Expert mode, run: vsenv <VSID>

  • In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Procedure

    • For IPv4, run:

      fw sam_policy batch << EOF

    • For IPv6, run:

      fw6 sam_policy batch << EOF

    • Enter one "add" or "del" command on each line, on as many lines as necessary.

      Start each line with only "add" or "del" parameter (not with "fw samp").

    • Use the same set of parameters and values as described in these commands:

      • fw sam_policy add

      • fw sam_policy del

    • Terminate each line with a Return (ASCII 10 - Line Feed) character (press Enter).

  3. Type EOF and press Enter.

Example of a Rate Limiting rule for IPv4

[Expert@HostName]# fw samp batch <<EOF
 
add -a d -l r -t 3600 -c "Limit\ conn\ rate\ to\ 5\ conn/sec from\ these\ sources" quota service any source range:172.16.7.13-172.16.7.13 new-conn-rate 5
 
del <501f6ef0,00000000,cb38a8c0,0a0afffe>
 
add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80
 
EOF
[Expert@HostName]#