sam_alert

Description

For SAM v1, this utility executes Suspicious Activity Monitoring (SAM) actions according to the information received from the standard input.

For SAM v2, this utility executes Suspicious Activity Monitoring (SAM) actions with User Defined Alerts mechanism.

Important:

  • You must run this command on the Management Server.

  • You can run this command only in the Expert mode.

  • On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

    mdsenv <IP Address or Name of Domain Management Server>

Notes:

  • VSX Gateways and VSX Cluster Members do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.

  • See the fw sam and fw sam_policy commands.

Syntax for SAM v1

sam_alert [-v] [-o] [-s <SAM Server>] [-t <Time>] [-f <Security Gateway>] [-C] {-n|-i|-I} {-src|-dst|-any|-srv}

Parameters for SAM v1

Parameter

Description

-v

Enables the verbose mode for the "fw sam" command.

-o

Specifies to print the input of this tool to the standard output (to use with pipes in a CLI syntax).

-s <SAM Server>

Specifies the SAM Server to be contacted. Default is "localhost".

-t <Time>

Specifies the time (in seconds), during which to enforce the action. The default is forever.

-f <Security Gateway>

Specifies the Security Gateway / Cluster object, on which to run the operation.

Important - If you do not specify the target Security Gateway / Cluster object explicitly, this command applies to all managed Security Gateways and Clusters.

-C

Cancels the specified operation.

-n

Specifies to notify every time a connection, which matches the specified criteria, passes through the Security Gateway.

-i

Inhibits (drops or rejects) connections that match the specified criteria.

-I

Inhibits (drops or rejects) connections that match the specified criteria and closes all existing connections that match the specified criteria.

-src

Matches the source address of connections.

-dst

Matches the destination address of connections.

-any

Matches either the source or destination address of connections.

-srv

Matches specific source, destination, protocol and port.

Syntax for SAM v2

sam_alert -v2 [-v] [-O] [-S <SAM Server>] [-t <Time>] [-f <Security Gateway>] [-n <Name>] [-c "<Comment">] [-o <Originator>] [-l {r | a}] -a {d | r| n | b | q | i} [-C] {-ip |-eth} {-src|-dst|-any|-srv}

Parameters for SAM v2

Parameter

Description

-v2

Specifies to use SAM v2.

-v

Enables the verbose mode for the fw sam command.

-O

Specifies to print the input of this tool to the standard output (to use with pipes in a CLI syntax).

-S <SAM Server>

the SAM server to be contacted. Default is localhost

-t <Time>

Specifies the time (in seconds), during which to enforce the action. The default is forever.

-f <Security Gateway>

Specifies the Security Gateway / Cluster object, on which to run the operation.

Important - If you do not specify the target Security Gateway / Cluster object explicitly, this command applies to all managed Security Gateways and Clusters.

-n <Name>

Specifies the name for the SAM rule.

Default is empty.

-c "<Comment>"

Specifies the comment for the SAM rule.

Default is empty.

You must enclose the text in the double quotes or single quotes.

-o <Originator>

Specifies the originator for the SAM rule.

Default is "sam_alert".

-l {r | a}

Specifies the log type for connections that match the specified criteria:

  • r - Regular

  • a - Alert

Default is None.

-a {d | r| n | b | q | i}

Specifies the action to apply on connections that match the specified criteria:

  • d - Drop

  • r - Reject

  • n - Notify

  • b - Bypass

  • q - Quarantine

  • i - Inspect

-C

Specifies to close all existing connections that match the criteria.

-ip

Specifies to use IP addresses as criteria parameters.

-eth

Specifies to use MAC addresses as criteria parameters.

-src

Matches the source address of connections.

-dst

Matches the destination address of connections.

-any

Matches either the source or destination address of connections.

-srv

Matches specific source, destination, protocol and port.

Example

See sk110873: How to configure Security Gateway to detect and prevent port scan.