fwaccel dos pbox
Description
The fwaccel dos pbox command controls the Penalty Box allow-list in SecureXL (the Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through the Security Gateway).
The SecureXL Penalty Box is a mechanism that performs an early drop of packets that arrive from suspected sources. The purpose of this feature is to allow the Security Gateway (a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources) to cope better under high traffic load, possibly caused by a DoS/DDoS attack.
The SecureXL Penalty Box detects clients that send packets which the Access Control Policy drops, and clients that violate the IPS protections (IPS, the Intrusion Prevention System, is the Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks). If the SecureXL Penalty Box detects a specific client frequently, it puts that client in a penalty box. From that point, SecureXL drops all packets that arrive from the blocked source IP address.
The Penalty Box allow-list in SecureXL specifies the source IP addresses that the SecureXL Penalty Box never blocks.
Important:

Syntax for IPv4

Parameters
| Parameter | Description |
|---|---|
| No Parameters | Shows the applicable built-in usage. |
| allow | Configures the allow-list for source IP addresses in the SecureXL Penalty Box. |
| -a | Adds the specified IP address to the Penalty Box allow-list. Examples: |
| -d | Removes the specified IP address from the Penalty Box allow-list. |
| -F | Removes (flushes) all entries from the Penalty Box allow-list. |
|  | Loads the Penalty Box allow-list entries from the specified plain-text file. |
|  | Loads the Penalty Box allow-list entries from the plain-text file with a predefined name: Security Gateway automatically runs this command " |
| -s | Shows the current Penalty Box allow-list entries. |
|  | Removes (flushes) all source IP addresses from the Penalty Box. |

Example 1 - Adding a host IP address without optional subnet prefix
```
[Expert@MyGW:0]# fwaccel dos pbox allow -a 192.168.20.40
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -s
192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -F
[Expert@MyGW:0]# fwaccel dos pbox allow -s
[Expert@MyGW:0]#
```
Example 2 - Adding a host IP address with optional subnet prefix
```
[Expert@MyGW:0]# fwaccel dos pbox allow -a 192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -s
192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -F
[Expert@MyGW:0]# fwaccel dos pbox allow -s
[Expert@MyGW:0]#
```
Example 3 - Adding a network IP address with mandatory subnet prefix
```
[Expert@MyGW:0]# fwaccel dos pbox allow -a 192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -s
192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -F
[Expert@MyGW:0]# fwaccel dos pbox allow -s
[Expert@MyGW:0]#
```
Example 4 - Deleting an entry
```
[Expert@MyGW:0]# fwaccel dos pbox allow -a 192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -a 192.168.20.70/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -s
192.168.20.40/32
192.168.20.70/32
[Expert@MyGW:0]# fwaccel dos pbox allow -d 192.168.20.70/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -s
192.168.20.40/32
[Expert@MyGW:0]#
```
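
Because the Penalty Box never blocks an allow-listed source, each entry is worth vetting before it is added. The following is an added example, not part of the original page or of Check Point's tooling: a dry-run shell helper that normalizes bare host addresses to /32 (as the output in Examples 1 and 2 shows), rejects prefixes broader than an assumed local limit or with host bits set, and prints the `fwaccel dos pbox allow -a` commands without running them. The names `pbox_normalize`, `pbox_plan` and `MIN_PREFIX` are hypothetical.

```bash
#!/bin/bash
# Added example, not Check Point code: vet candidate Penalty Box allow-list
# entries and print "fwaccel dos pbox allow -a" commands for operator review.
# MIN_PREFIX is an assumed local policy (nothing broader than /24).
MIN_PREFIX=${MIN_PREFIX:-24}

# Print the entry as address/prefix, or return 1 if it is not acceptable.
pbox_normalize() {
    local entry="$1" addr prefix=32 o1 o2 o3 o4 extra octet ip mask
    addr=${entry%%/*}
    case $entry in */*) prefix=${entry#*/} ;; esac   # bare host means /32
    case $prefix in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$prefix" -ge "$MIN_PREFIX" ] && [ "$prefix" -le 32 ] || return 1
    IFS=. read -r o1 o2 o3 o4 extra <<EOF
$addr
EOF
    [ -z "$extra" ] || return 1
    for octet in "$o1" "$o2" "$o3" "$o4"; do
        case $octet in ''|*[!0-9]*|0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    # Reject host bits below the prefix (e.g. 192.168.20.40/24): the intended
    # scope is ambiguous, so the operator must state the network explicitly.
    ip=$(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq "$ip" ] || return 1
    printf '%s.%s.%s.%s/%s\n' "$o1" "$o2" "$o3" "$o4" "$prefix"
}

# Read candidates from stdin, one per line; text after the entry is ignored.
# Accepted entries become commands on stdout, rejected ones go to stderr.
pbox_plan() {
    local entry rest cidr
    while read -r entry rest; do
        case $entry in ''|'#'*) continue ;; esac
        if cidr=$(pbox_normalize "$entry"); then
            echo "fwaccel dos pbox allow -a $cidr"
        else
            echo "REJECTED: $entry" >&2
        fi
    done
}

# Constructed sample input.
pbox_plan <<'EOF'
192.168.20.40
192.168.20.0/24
10.0.0.0/8        # too broad for the assumed policy
192.168.20.40/24  # host bits set
EOF
```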