fwaccel dos config

Description

The "fwaccel dos config" (for IPv4) and "fwaccel6 dos config" (for IPv6) commands show the global configuration parameters of the Rate Limiting for DoS mitigation in SecureXL.

These global parameters apply to all configured Rate Limiting rules.

Important:

  • In a Cluster, you must configure all the Cluster Members in the same way.

  • On Scalable Platforms (ElasticXL, Maestro, and Scalable Chassis), you must connect to the Gaia Portal of the applicable Security Group.

    On these platforms, you must run the required commands only in this way:

    • On the Security Group command line, only on the SMO Security Group Member.

    • In the Global Gaia Clish (gclish), you must run these commands:

      • fwaccel dos <Options>

      • fwaccel6 dos <Options>

    • In the Expert mode, you must run these commands (they start with the "g_" prefix):

      • g_fwaccel dos <Options>

      • g_fwaccel6 dos <Options>

  • In the VSNext mode / Traditional VSX mode, you must go to the context of an applicable Virtual Gateway / Virtual System.

    • In Gaia Clish, run: set virtual-system <VSID>

    • In the Expert mode, run: vsenv <VSID>

Syntax

{fwaccel | fwaccel6} dos config

      get

      set <options>

      reset-to-default

Parameters and Options

Parameter or Option

Description

No Parameters

Shows the applicable built-in usage.

get

Shows the configuration parameters.

set <options>

This parameter is deprecated starting in R82.

Use these commands:

reset-to-default

Resets the configuration parameters to their default values.

Note - This command does not affect the Rate Limiting rules, or the IP addresses in deny-lists or allow-lists.

Example

[Expert@MyGW>:0]# fwaccel dos config get
Rate Limit Rules:
    Status                            on (without policy)
    Internal Interfaces               off
    Monitor-Only                      off
    Log Drops                         on
    Max Notifications Per-Second      100 logs/second
    Rule Cache                        on

Penalty Box:
    Status                            off
    Internal Interfaces               off
    Monitor-Only                      off
    Log Drops                         on
    Max Notifications Per-Second      100 logs/second
    Send TCP Reset                    off
    Timeout for Blocked IPs           180 seconds
    Has Blocked IPs                   no
    Log when a new IP is blocked      on
    Drop rate to trigger on           500 packets/second

Deny List:
    Status                            on (without policy)
    Internal Interfaces               off
    Monitor-Only                      off
    Log Drops                         on
    Max Notifications Per-Second      100 logs/second
    Send TCP Reset                    off
    Name                              Deny List

Disallow IPv4 Fragments:
    Status                            off
    Internal Interfaces               off
    Monitor-Only                      off
    Log Drops                         on
    Max Notifications Per-Second      100 logs/second

Disallow IP Options:
    Status                            off
    Internal Interfaces               off
    Monitor-Only                      off
    Log Drops                         on
    Max Notifications Per-Second      100 logs/second

IOC deny list (from files):
    Status                            on (without policy)
    Internal Interfaces               on
    Monitor-Only                      off
    Log Drops                         on
    Send TCP Reset                    off

IOC monitor-only list (from files):
    Status                            on (without policy)
    Internal Interfaces               on
    Monitor-Only                      on
    Log Drops                         on
    Send TCP Reset                    off

IOC deny list (from external feeds):
    Status                            on (without policy)
    Internal Interfaces               on
    Monitor-Only                      off
    Log Drops                         on
    Send TCP Reset                    off

IOC monitor-only list (from external feeds):
    Status                            on (without policy)
    Internal Interfaces               on
    Monitor-Only                      on
    Log Drops                         on
    Send TCP Reset                    off

[Expert@MyGW>:0]#
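The "get" output above is the only place the effective global parameters are visible, and the cluster requirement (all Cluster Members configured the same way) is easiest to verify by comparing that output across members. The script below is an added example and is not Check Point code: it normalizes a "fwaccel dos config get" dump into "Section/Key=Value" lines, extracts single values, diffs two members, and flags enabled sections that are Monitor-Only or do not log drops. The two member dumps are constructed from the page's example output (member B has Monitor-Only left on in Rate Limit Rules), and the function names and the /tmp capture path are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Check Point code: parse "fwaccel dos config get" output
# and check that Cluster Members match. On a real gateway, capture each member
# with:  fwaccel dos config get > /tmp/dos-config-$(hostname).txt  (assumed path)
# and pass the file contents to the functions below.

# Constructed dump from member A (values taken from the page's example output).
MEMBER_A='Rate Limit Rules:
    Status                            on (without policy)
    Internal Interfaces               off
    Monitor-Only                      off
    Log Drops                         on
    Max Notifications Per-Second      100 logs/second

Penalty Box:
    Status                            off
    Timeout for Blocked IPs           180 seconds
    Drop rate to trigger on           500 packets/second

IOC monitor-only list (from files):
    Status                            on (without policy)
    Monitor-Only                      on
    Log Drops                         on'

# Constructed dump from member B: identical except that Monitor-Only was left
# on in Rate Limit Rules, so that member logs but never drops.
MEMBER_B=$(printf '%s\n' "$MEMBER_A" | sed 's/^\(    Monitor-Only  *\)off$/\1on/')

# Turn a dump (stdin) into sorted "Section/Key=Value" lines (stdout).
normalize_dos_config() {
    awk '
        /^[^ \t].*:$/ { section = substr($0, 1, length($0) - 1); next }
        /^[ \t]+[^ \t]/ {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            # key and value are separated by a run of two or more spaces
            if (match(line, /  +/))
                print section "/" substr(line, 1, RSTART - 1) "=" substr(line, RSTART + RLENGTH)
        }' | sort
}

# Print one value: dos_config_value "$dump" "Section" "Key"
dos_config_value() {
    printf '%s\n' "$1" | normalize_dos_config |
        awk -v k="$2/$3=" 'index($0, k) == 1 { print substr($0, length(k) + 1); exit }'
}

# Return 0 if two dumps are identical after normalization; otherwise print the
# differing lines and return 1.
compare_dos_config() {
    ta=$(mktemp) && tb=$(mktemp) || return 2
    printf '%s\n' "$1" | normalize_dos_config > "$ta"
    printf '%s\n' "$2" | normalize_dos_config > "$tb"
    if cmp -s "$ta" "$tb"; then rc=0; else diff "$ta" "$tb" || true; rc=1; fi
    rm -f "$ta" "$tb"
    return $rc
}

# Flag enabled sections that cannot enforce (Monitor-Only on) or drop silently
# (Log Drops off). Sections that are monitor-only by design are skipped.
# Returns 1 if anything was flagged.
dos_config_audit() {
    printf '%s\n' "$1" | normalize_dos_config | awk '
        {
            i = index($0, "/"); sec = substr($0, 1, i - 1)
            rest = substr($0, i + 1); j = index(rest, "=")
            v[sec "/" substr(rest, 1, j - 1)] = substr(rest, j + 1)
            seen[sec] = 1
        }
        END {
            n = 0
            for (s in seen) {
                if (v[s "/Status"] !~ /^on/ || s ~ /monitor-only/) continue
                if (v[s "/Monitor-Only"] == "on") { print s ": enabled but Monitor-Only, nothing is dropped"; n++ }
                if (v[s "/Log Drops"] == "off") { print s ": drops are not logged"; n++ }
            }
            exit (n > 0)
        }'
}

# Usage on the constructed dumps:
dos_config_value "$MEMBER_B" "Rate Limit Rules" "Monitor-Only"
compare_dos_config "$MEMBER_A" "$MEMBER_B" || echo "members differ, fix before failover"
dos_config_audit "$MEMBER_B" || echo "review the findings above"
```

Run it once per IP family ("fwaccel dos config get" and "fwaccel6 dos config get"), and on Scalable Platforms capture the dump from the SMO Security Group Member only, since that is where the commands are expected to run.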