fw sam_policy get

Description

The "fw sam_policy get" and "fw6 sam_policy get" commands:

  • Show all the configured Suspicious Activity Monitoring (SAM) rules.

  • Show all the configured Rate Limiting rules.

Notes:

  • These commands are interchangeable:

    • For IPv4: "fw sam_policy" and "fw samp".

    • For IPv6: "fw6 sam_policy" and "fw6 samp".

  • You can run these commands in Gaia Clish, or Expert mode.

  • Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.

  • Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:

  • Configuration you make with these commands, survives reboot.

  • VSX mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.

  • In VSX mode, you must go to the context of an applicable Virtual System.

    • In Gaia Clish, run: set virtual-system <VSID>

    • In the Expert mode, run: vsenv <VSID>

  • In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}] [-n]]

Syntax for IPv6

fw6 [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}] [-n]]

Parameters

Note - All these parameters are optional.

Parameter

Description

-d

Runs the command in debug mode.

Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-l

Controls how to print the rules:

  • In the default format (without "-l"), the output shows each rule on a separate line.

  • In the list format (with "-l"), the output shows each parameter of a rule on a separate line.

  • See the "fw sam_policy add" command.

-u '<Rule UID>'

Prints the rule specified by its Rule UID or its zero-based rule index.

The quote marks and angle brackets ('<...>') are mandatory.

-k '<Key>'

Prints the rules with the specified predicate key.

The quote marks are mandatory.

-t <Type>

Prints the rules with the specified predicate type.

For Rate Limiting rules, you must always use "-t in".

+{-v '<Value>'}

Prints the rules with the specified predicate values.

The quote marks are mandatory.

-n

Negates the condition specified by these predicate parameters:

  • -k

  • -t

  • +-v

Examples

[Expert@HostName:0]# fw samp get
 
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip
 
[Expert@HostName:0]# fw samp get -l
 
uid
<5ac3965f,00000000,3403a8c0,0000264a>
target
all
timeout
2147483647
action
notify
log
log
name
Test\ Rule
comment
Notify\ about\ traffic\ from\ 1.1.1.1
originator
John\ Doe
src_ip_addr
1.1.1.1
req_type
ip
 
[Expert@HostName:0]# fw samp get -u '<5ac3965f,00000000,3403a8c0,0000264a>'
0
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip
 
[Expert@HostName:0]# fw samp get
no corresponding SAM policy requests
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source cc:QQ byte-rate 0
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a d quota service any source-negated true source cc:QQ concurrent-conns-ratio 655 track source
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3586 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'service' -t in -v '6/80'
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'service-negated' -t in -v 'true'
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'source' -t in -v 'cc:QQ'
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k source -t in -v 'cc:QQ' -n
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3291 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'source-negated' -t in -v 'true'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'byte-rate' -t in -v '0'
operation=add uid=<5baa9431,00000000,860318ac,00002efd> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'flush' -t in -v 'true'
operation=add uid=<5baa9422,00000000,860318ac,00002eea> target=all timeout=2841 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'concurrent-conns-ratio' -t in -v '655'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
[Expert@HostName:0]#