fwaccel dos deny

Description

The "fwaccel dos deny" (for IPv4) and "fwaccel6 dos deny" (for IPv6) commands control the IP deny-list in SecureXL.

The deny-list blocks all traffic to and from the specified IP addresses.

The deny-list drops occur in SecureXL, which is more efficient than dropping the packets with an Access Control Policy rule.

Important:

  • By default, the IP deny-list feature is enabled, without a Rate Limiting policy.

  • By design, changes to the IP addresses in the Deny List that you make with command line options (add, delete, flush, load) do not survive a reboot. Only the files in the $FWDIR/conf/deny_lists/ directory are loaded again at boot (see the parameter "{-L | --load-default}" below).

  • The Deny List scales up to millions of IP addresses.

  • To enforce the IP deny-list in SecureXL, the IP deny-list feature must be enabled (see the parameter "{-E | --set-enabled}" below). Check the current state with "fwaccel dos deny -c".

  • In a Cluster, you must configure all the Cluster Members in the same way.

  • On Scalable Platforms (ElasticXL, Maestro, and Scalable Chassis), you must connect to the applicable Security Group and run the required commands only in this way:

    • On the Security Group command line, only on the SMO Security Group Member.

    • In the Global Gaia Clish (gclish), run these commands:

      • fwaccel dos <Options>

      • fwaccel6 dos <Options>

    • In the Expert mode, run these commands (they start with the "g_" prefix):

      • g_fwaccel dos <Options>

      • g_fwaccel6 dos <Options>

  • In the VSNext mode / Traditional VSX mode, you must go to the context of an applicable Virtual Gateway / Virtual System.

    • In Gaia Clish, run: set virtual-system <VSID>

    • In the Expert mode, run: vsenv <VSID>

Syntax

{fwaccel | fwaccel6} dos deny

      {-h | --help}

      allow

            {-h | --help}

            {-a | --add} <IP Address>[/<Subnet Mask Length>]

            {-d | --delete} <IP Address>[/<Subnet Mask Length>]

            {-F | --flush}

            {-l | --load} /<Path>/<Name of File>

            {-s | --show}

      {-a | --add} <IP Address>

      {-c | --show-config}

      {-d | --delete} <IP Address>

      {-E | --set-enabled} {on | off}

      {-F | --flush}

      {-G | --set-log-drops} {on | off}

      {-I | --set-enforce-internal} {on | off}

      {-l | --load} /<Path>/<Name of File>

      {-L | --load-default}

      {-M | --set-monitor-only} {on | off}

      {-N | --set-name} "<Name of IP Deny-list>"

      {-O | --set-notif-rate} <Number>

      {-R | --set-tcp-rst} {on | off}

      {-s | --show}

Parameters

Parameter

Description

No Parameters

Shows the applicable built-in usage.

-h

--help

Shows the applicable built-in usage.

allow <options>

Adds an IP address of a host or a network to a persistent "Allow List", so this IP address is not affected by the DoS / Rate Limiting protection:

  • -h

    --help

    Shows the applicable built-in usage.

  • -a <IP Address>[/<Subnet Mask Length>]

    --add <IP Address>[/<Subnet Mask Length>]

    Add an IP address in the CIDR notation to the override allow-list.

    • <IP Address>

      The IP address of a network or a host.

    • /<Subnet Mask Length>

      Must specify the length of the subnet mask from /1 to /32.

      Optional for a host IP address.

      Mandatory for a network IP address.

      Important - If you do not specify the subnet mask length explicitly, this command uses the subnet mask length /32.

  • -d <IP Address>[/<Subnet Mask Length>]

    --delete <IP Address>[/<Subnet Mask Length>]

    Deletes an IP address in the CIDR notation from the override allow-list.

  • -F

    --flush

    Removes (flushes) all IP addresses from the override allow-list.

  • -l /<Path>/<Name of File>

    --load /<Path>/<Name of File>

    Loads the IP addresses into the override allow-list from the specified file.

    This file must contain IP addresses of hosts or networks in the CIDR notation, each IP address on a new line.

  • -s

    --show

    Shows the configured allow-list.

-a <IP Address>

--add <IP Address>

Adds the specified IP address to the deny-list.

Note - To add more than one IP address, run this command for each applicable IP address.

-c

--show-config

Shows the current configuration.

-d <IP Address>

--delete <IP Address>

Removes the specified IP address from the deny-list.

Note - To remove more than one IP address, run this command for each applicable IP address.

-E {on | off}

--set-enabled {on | off}

Enables (on) or disables (off) the feature.

Notes:

  • By default, the IP deny-list feature is enabled without a Rate Limiting policy.

  • This change survives a reboot.

-F

--flush

Removes (flushes) all IP addresses from the IP deny-list.

Note - You can combine this parameter "{-F | --flush}" with "{-a | --add}", "{-d | --delete}", or "{-l | --load}" in the same command, for example, to flush the current list and load a new one from a file in a single operation.

-G {on | off}

--set-log-drops {on | off}

Enables (on) or disables (off) the logging of packet drops.

Notes:

  • By default, logging of packet drops is enabled: the Security Gateway generates "Drop" logs for traffic that the DoS / Rate Limiting feature blocked.

  • Use the parameter "{-O | --set-notif-rate}" to limit the number of these logs per second.

-I {on | off}

--set-enforce-internal {on | off}

Enables (on) or disables (off) the enforcement on interfaces, whose topology is configured as "Internal" in the Security Gateway object.

Notes:

  • By default, DoS / Rate Limiting enforcement is disabled on interfaces, for which you configured the "Internal" topology in the Security Gateway / Cluster object.

    This is because the internal interfaces are assumed to be connected to trusted networks.

  • This change survives a reboot.

-l /<Path>/<Name of File>

--load /<Path>/<Name of File>

Loads the IP addresses from the specified file.

When dealing with large deny lists, the "add" command is cumbersome: running a large number of "add" commands in quick succession (for example, from a shell script loop) puts additional load on the Security Gateway's CPU.

To configure a large deny list, put the IP addresses in a file and load the file in a single operation.

Notes:

  • This file must contain IP addresses of hosts or networks in the CIDR notation, each IP address on a new line.

  • To add a comment line, it must start with the pound character "#".

  • The "fwaccel" command silently ignores all IPv6 addresses in the file.

  • The "fwaccel6" command silently ignores all IPv4 addresses in the file.

  • You may load multiple files at the same time.

-L

--load-default

Load all files from the $FWDIR/conf/deny_lists/ directory into the IP deny-list.

Note - The Security Gateway runs this command automatically during each boot.

-M {on | off}

--set-monitor-only {on | off}

Enables (on) or disables (off) the monitor-only mode for the IP deny-list.

In the monitor-only mode you can test the IP deny-list without blocking the traffic.

The Security Gateway does not block traffic, but still generates a log.

Notes:

  • By default, the monitor-only mode is disabled.

  • This change survives a reboot.

  • This command affects only the IP deny-list (does not affect the fw samp rules, etc.).

  • In addition to the Monitor-only mode, DoS / Rate Limiting has a more granular option to monitor packets on a rule-by-rule basis by specifying the action to be "notify" instead of the default action "drop".

    See fwaccel dos rate.

-N "<Name of IP Deny-list>"

--set-name "<Name of IP Deny-list>"

Configures the name for the IP deny-list.

This name appears in the Security Gateway logs.

Notes:

  • The default name is "Deny List".

  • This change survives a reboot.

  • Maximum name length is 79 characters.

  • You must use only ASCII characters.

-O <Number>

--set-notif-rate <Number>

Configures the maximum number of logs per second for packet drops.

When DoS / Rate Limiting blocks many packets, it can be important to limit the maximum number of the drop logs that the Security Gateway generates per second.

Notes:

  • The default logging rate is 100 logs/second.

  • This change survives a reboot.

-R {on | off}

--set-tcp-rst {on | off}

Enables (on) or disables (off) the response with the TCP [RST] packet for TCP connections that the IP deny-list blocked.

Notes:

  • By default, SecureXL does not send the TCP [RST] packet for blocked TCP connections.

  • This change survives a reboot.

-s

--show

Shows the IP addresses in the IP deny-list.
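Putting the file-based workflow above into practice: the script below is an added example (not part of the Check Point documentation or product) that builds deny-list files from a raw address feed, splits them by address family because "fwaccel" silently ignores IPv6 entries and "fwaccel6" silently ignores IPv4 entries, validates every entry before it reaches the gateway, and then replaces the live lists with "-F -l" while storing the files under $FWDIR/conf/deny_lists/ so that "-L" restores them at boot. The feed content, the file names "feed-ipv4.txt" / "feed-ipv6.txt" and the function names are assumptions for illustration; the part that calls "fwaccel" only runs where the command exists.

```shell
#!/bin/sh
# Added example: build IPv4/IPv6 deny-list files from a raw feed and load them
# with fwaccel / fwaccel6. Not part of the Check Point documentation; the feed,
# the file names and the function names are assumptions for illustration.

# Constructed sample feed: a comment, a blank line, both address families and
# two entries that must be rejected.
sample_feed() {
    cat <<'EOF'
# constructed block feed, one host or network per line
198.51.100.7
203.0.113.0/24
2001:db8::bad:1
2001:db8:1::/48

not-an-address
10.0.0.1/33
EOF
}

# IPv4 host or network in CIDR notation: four octets 0-255, optional /1 to /32
# (a bare host address is treated as /32, as the documentation states).
is_ipv4_cidr() {
    case "$1" in
        */*) ip=${1%/*}; len=${1#*/} ;;
        *)   ip=$1; len=32 ;;
    esac
    printf '%s\n' "$ip"  | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s\n' "$len" | grep -Eq '^[0-9]{1,2}$' || return 1
    [ "$len" -ge 1 ] && [ "$len" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# IPv6 host or network: hexadecimal groups, at most one "::", optional /1 to /128.
# This is a syntax check only; it does not canonicalise the address.
is_ipv6_cidr() {
    case "$1" in
        */*) ip=${1%/*}; len=${1#*/} ;;
        *)   ip=$1; len=128 ;;
    esac
    case "$ip" in
        *:::*|*::*::*) return 1 ;;   # more than one "::" is invalid
        *:*) ;;                      # must contain at least one colon
        *) return 1 ;;
    esac
    printf '%s\n' "$ip"  | grep -Eq '^[0-9A-Fa-f:]+$' || return 1
    printf '%s\n' "$len" | grep -Eq '^[0-9]{1,3}$' || return 1
    [ "$len" -ge 1 ] && [ "$len" -le 128 ]
}

# split_deny_feed <feed> <ipv4 out> <ipv6 out>
# Comment lines ("#") are copied to both files, blank lines are dropped, every
# other line must validate as IPv4 or IPv6. Invalid lines are reported on
# stderr and counted; the count is printed on stdout.
split_deny_feed() {
    feed=$1; out4=$2; out6=$3; rejected=0
    : > "$out4"; : > "$out6"
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$line" in
            '')   continue ;;
            '#'*) printf '%s\n' "$line" >> "$out4"; printf '%s\n' "$line" >> "$out6"; continue ;;
        esac
        if is_ipv4_cidr "$line"; then
            printf '%s\n' "$line" >> "$out4"
        elif is_ipv6_cidr "$line"; then
            printf '%s\n' "$line" >> "$out6"
        else
            printf 'rejected: %s\n' "$line" >&2
            rejected=$((rejected + 1))
        fi
    done < "$feed"
    printf '%s\n' "$rejected"
}

# load_deny_lists <ipv4 file> <ipv6 file>
# Copies the files into $FWDIR/conf/deny_lists/ so that "fwaccel dos deny -L"
# (run automatically at boot) restores them, then replaces the live lists in
# one operation each by combining -F (flush) with -l (load). Run in Expert mode
# on the gateway; on a cluster run it on every member, and on Scalable
# Platforms use g_fwaccel / g_fwaccel6 on the SMO instead.
load_deny_lists() {
    dir="${FWDIR:?FWDIR is not set, run this in Expert mode on the gateway}/conf/deny_lists"
    mkdir -p "$dir"
    cp "$1" "$dir/feed-ipv4.txt"
    cp "$2" "$dir/feed-ipv6.txt"
    fwaccel  dos deny -F -l "$dir/feed-ipv4.txt"
    fwaccel6 dos deny -F -l "$dir/feed-ipv6.txt"
    fwaccel  dos deny -s
    fwaccel6 dos deny -s
}

# Demonstration on the constructed feed; the load step runs only where fwaccel exists.
work=$(mktemp -d)
sample_feed > "$work/feed.txt"
rejected=$(split_deny_feed "$work/feed.txt" "$work/deny-ipv4.txt" "$work/deny-ipv6.txt")
echo "IPv4 deny-list file:"; cat "$work/deny-ipv4.txt"
echo "IPv6 deny-list file:"; cat "$work/deny-ipv6.txt"
echo "rejected entries: $rejected"
if command -v fwaccel >/dev/null 2>&1; then
    load_deny_lists "$work/deny-ipv4.txt" "$work/deny-ipv6.txt"
else
    echo "fwaccel not found here; files left in $work, nothing loaded"
fi
```

Two points to keep in mind when using this pattern: "-F -l" replaces the running list with the contents of one file, whereas "-L" at boot loads every file in $FWDIR/conf/deny_lists/, so remove stale files from that directory or the list after the next reboot will differ from the one you loaded; and because invalid lines are rejected before the load, a feed that is silently truncated or garbled shows up as a non-zero rejected count instead of as a deny list that is shorter than expected.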

Example from a non-VSX Gateway

[Expert@MyGW:0]# fwaccel dos deny -c
Deny List:
    Status                            on (without policy)
    Internal Interfaces               off
    Monitor-Only                      off
    Log Drops                         on
    Max Notifications Per-Second      100 logs/second
    Send TCP Reset                    off
    Name                              Deny List
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
The deny list is empty
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -a 1.1.1.1
Adding 1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
1.1.1.1
[Expert@MyGW:0]# fwaccel dos deny -a 2.2.2.2
Adding 2.2.2.2
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
2.2.2.2
1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -d 2.2.2.2
Deleting 2.2.2.2
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -F
All deny list entries deleted
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
The deny list is empty
[Expert@MyGW:0]#
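As an added example (not from the documentation), the following shell functions parse the output of "fwaccel dos deny -c" in the format shown above and flag states in which the deny list is not actually enforcing or not visible in the logs, for instance when "-M on" was left on after a test or "-G off" was set to quiet a noisy gateway. The sample output is constructed from the example above with the Monitor-Only value made selectable; the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit "fwaccel dos deny -c" output. Not part of the Check Point
# documentation; function names are assumptions, the row format is the one
# shown in the example output above.

# Constructed sample: the example output above, with the Monitor-Only value
# taken from $1 (default "off") so both states can be exercised.
sample_config() {
    cat <<EOF
Deny List:
    Status                            on (without policy)
    Internal Interfaces               off
    Monitor-Only                      ${1:-off}
    Log Drops                         on
    Max Notifications Per-Second      100 logs/second
    Send TCP Reset                    off
    Name                              Deny List
EOF
}

# config_value <row name>: reads -c output on stdin and prints that row's value.
config_value() {
    sed -n "s/^ *$1  *//p" | sed 's/[[:space:]]*$//'
}

# audit_deny_config: reads -c output on stdin, prints one line per finding and
# returns the number of findings (0 means the list is enforcing and logging).
audit_deny_config() {
    cfg=$(cat)
    findings=0
    status=$(printf '%s\n' "$cfg" | config_value Status)
    monitor=$(printf '%s\n' "$cfg" | config_value Monitor-Only)
    logdrops=$(printf '%s\n' "$cfg" | config_value 'Log Drops')
    case "$status" in
        on*) ;;
        *) echo "FINDING: deny-list is disabled (Status: $status)"; findings=$((findings + 1)) ;;
    esac
    if [ "$monitor" != off ]; then
        echo "FINDING: Monitor-Only is '$monitor'; blocked traffic is logged but not dropped"
        findings=$((findings + 1))
    fi
    if [ "$logdrops" != on ]; then
        echo "FINDING: Log Drops is '$logdrops'; drops will not appear in the logs"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# On a gateway:   fwaccel dos deny -c | audit_deny_config
# Here, against the constructed samples:
sample_config off | audit_deny_config && echo "enforcing: OK"
sample_config on  | audit_deny_config || echo "not enforcing: $? finding(s)"
```

On a cluster, where all members must be configured the same way, run "fwaccel dos deny -c" on each member and diff the outputs before trusting a clean audit on one of them; "-s" output can be compared the same way to confirm the members hold the same addresses.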