fwaccel dos deny

Description

The "fwaccel dos deny" (for IPv4) and "fwaccel6 dos deny" (for IPv6) commands control the IP deny-list in SecureXL.

The deny-list blocks all traffic to and from the specified IP addresses.

The deny-list drops occur in SecureXL, which is more efficient than an Access Control Policy to drop the packets.

Important:

  • By default, the IP deny-list feature is enabled, without a Rate Limiting policy.

  • By design, if you change the IP addresses in the Deny List with command line options and not through the corresponding files in the $FWDIR/conf/deny_lists/ directory, then these changes do not survive a reboot.

  • The Deny List scales up to millions of IP addresses.

  • To enforce the IP deny-list in SecureXL, you must first enable the IP deny-lists.

    See these commands:

  • In a Cluster, you must configure all the Cluster Members in the same way.


    On Scalable Platforms (ElasticXL, Maestro, Scalable Chassis), you must run the required commands only in this way:

    • On the Security Group command line, only on the SMO Security Group Member.

    • In the Global Gaia Clish (gclish), you must run these commands:

      • fwaccel dos <Options>

      • fwaccel6 dos <Options>

    • In the Expert mode, you must run these commands (they start with the "g_" prefix):

      • g_fwaccel dos <Options>

      • g_fwaccel6 dos <Options>

  • In the VSNext mode / Traditional VSX mode, you must go to the context of an applicable Virtual Gateway / Virtual System.

    • In Gaia Clish, run: set virtual-system <VSID>

    • In the Expert mode, run: vsenv <VSID>

Syntax

{fwaccel | fwaccel6} dos deny

      {-h | --help}

      allow

            {-h | --help}

            {-a | --add} <IP Address>[/<Subnet Mask Length>]

            {-d | --delete} <IP Address>[/<Subnet Mask Length>]

            {-F | --flush}

            {-l | --load} /<Path>/<Name of File>

            {-s | --show}

      {-a | --add} <IP Address>

      {-c | --show-config}

      {-d | --delete} <IP Address>

      {-E | --set-enabled} {on | off}

      {-F | --flush}

      {-G | --set-log-drops} {on | off}

      {-I | --set-enforce-internal} {on | off}

      {-l | --load} /<Path>/<Name of File>

      {-L | --load-default}

      {-M | --set-monitor-only} {on | off}

      {-N | --set-name} "<Name of IP Deny-list>"

      {-O | --set-notif-rate} <Number>

      {-R | --set-tcp-rst} {on | off}

      {-s | --show}

Parameters

Parameter

Description

No Parameters

Shows the applicable built-in usage.

-h

--help

Shows the applicable built-in usage.

allow <options>

Adds an IP address of a host or a network to a persistent "Allow List", so this IP address is not affected by the DoS / Rate Limiting protection:

  • -h

    --help

    Shows the applicable built-in usage.

  • -a <IP Address>[/<Subnet Mask Length>]

    --add <IP Address>[/<Subnet Mask Length>]

    Adds an IP address in the CIDR notation to the override allow-list.

    • <IP Address>

      The IP address of a network or a host.

    • /<Subnet Mask Length>

      Specifies the length of the subnet mask, from /1 to /32.

      Optional for a host IP address.

      Mandatory for a network IP address.

      Important - If you do not specify the subnet mask length explicitly, this command uses the subnet mask length /32.

  • -d <IP Address>[/<Subnet Mask Length>]

    --delete <IP Address>[/<Subnet Mask Length>]

    Deletes an IP address in the CIDR notation from the override allow-list.

  • -F

    --flush

    Removes (flushes) all IP addresses from the override allow-list.

  • -l /<Path>/<Name of File>

    --load /<Path>/<Name of File>

    Loads the IP addresses into the override allow-list from the specified file.

    This file must contain IP addresses of hosts or networks in the CIDR notation, each IP address on a new line.

  • -s

    --show

    Shows the configured allow-list.

-a <IP Address>

--add <IP Address>

Adds the specified IP address to the deny-list.

Note - To add more than one IP address, run this command for each applicable IP address.

-c

--show-config

Shows the current configuration.

-d <IP Address>

--delete <IP Address>

Removes the specified IP address from the deny-list.

Note - To remove more than one IP address, run this command for each applicable IP address.

-E {on | off}

--set-enabled {on | off}

Enables (on) or disables (off) the feature.

Notes:

  • By default, the IP deny-list feature is enabled without a Rate Limiting policy.

  • This change survives a reboot.

-F

--flush

Removes (flushes) all IP addresses from the IP deny-list.

Notes:

  • You can use this parameter "{-F | --flush}" with the parameter "{-a | --add}".

  • You can use this parameter "{-F | --flush}" with the parameter "{-d | --delete}".

  • You can use this parameter "{-F | --flush}" with the parameter "{-l | --load}".

-G {on | off}

--set-log-drops {on | off}

Enables (on) or disables (off) the logging of packet drops.

Notes:

  • By default, the Security Gateway generates the "Drop" logs for traffic that the DoS / Rate Limiting feature blocked.

  • By default, logging of packet drops is enabled.

-I {on | off}

--set-enforce-internal {on | off}

Enables (on) or disables (off) the enforcement on interfaces whose topology is configured as "Internal" in the Security Gateway object.

Notes:

  • By default, DoS / Rate Limiting enforcement is disabled on interfaces for which you configured the "Internal" topology in the Security Gateway / Cluster object.

    This is because the internal interfaces are assumed to be connected to trusted networks.

  • This change survives a reboot.

-l /<Path>/<Name of File>

--load /<Path>/<Name of File>

Loads the IP addresses from the specified file.

When dealing with large deny lists, the "add" command is cumbersome.

Running a large number of "add" commands simultaneously (for example, with a shell script) can cause additional load on the Security Gateway's CPU.

To configure large deny lists, it is better to add the list of IP addresses in a file, and then load the file in a single operation.

Notes:

  • This file must contain IP addresses of hosts or networks in the CIDR notation, each IP address on a new line.

  • To add a comment line, it must start with the pound character "#".

  • The "fwaccel" command silently ignores all IPv6 addresses in the file.

  • The "fwaccel6" command silently ignores all IPv4 addresses in the file.

  • You may load multiple files at the same time.
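The following is an added example, not Check Point's code: a pre-load check, run on an administrator workstation with Python 3, for a file in the format described above (one host or network in CIDR notation per line, comment lines starting with "#"). The sample list and the function names are constructed for this example; it reports entries that are not valid CIDR and splits the list by address family, because fwaccel silently ignores IPv6 entries and fwaccel6 ignores IPv4 entries.

```python
import ipaddress

# Constructed sample in the documented file format: one host or network in
# CIDR notation per line, comment lines start with "#". Not real threat data.
SAMPLE_DENY_LIST = """\
# constructed example deny list
192.0.2.10
192.0.2.0/24
203.0.113.0/25
2001:db8::/32
2001:db8:1::5
198.51.100.300
10.0.0.1/33
10.0.0.5/24
"""


def parse_deny_list(text):
    """Return (ipv4, ipv6, invalid): canonical CIDR strings per family, and
    (line_no, line, reason) for entries that are not valid CIDR or that look
    like mistakes."""
    ipv4, ipv6, invalid = [], [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        try:
            # strict=True rejects a network with host bits set (10.0.0.5/24):
            # usually the author meant a single host or mistyped the prefix.
            net = ipaddress.ip_network(line, strict=True)
        except ValueError as exc:
            invalid.append((line_no, line, str(exc)))
            continue
        (ipv4 if net.version == 4 else ipv6).append(str(net))
    return ipv4, ipv6, invalid


def render_split_lists(text):
    """Return {"ipv4": ..., "ipv6": ...} file bodies. fwaccel silently ignores
    IPv6 entries and fwaccel6 ignores IPv4 ones, so one file per family lets
    you compare each file's entry count with what "-s" shows after loading."""
    ipv4, ipv6, _ = parse_deny_list(text)
    header = "# generated for: {} dos deny -l\n"
    return {"ipv4": header.format("fwaccel") + "".join(f"{n}\n" for n in ipv4),
            "ipv6": header.format("fwaccel6") + "".join(f"{n}\n" for n in ipv6)}
```

Run parse_deny_list on the file contents before loading it with "-l" and fix every entry it reports as invalid; place the rendered per-family files under $FWDIR/conf/deny_lists/ if the entries must survive a reboot.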

-L

--load-default

Loads all files from the $FWDIR/conf/deny_lists/ directory into the IP deny-list.

Note - The Security Gateway runs this command automatically during each boot.

-M {on | off}

--set-monitor-only {on | off}

Enables (on) or disables (off) the monitor-only mode for the IP deny-list.

In the monitor-only mode you can test the IP deny-list without blocking the traffic.

The Security Gateway does not block traffic, but still generates a log.

Notes:

  • By default, the monitor-only mode is disabled.

  • This change survives a reboot.

  • This command affects only the IP deny-list (does not affect the fw samp rules, etc.).

  • In addition to the Monitor-only mode, DoS / Rate Limiting has a more granular option to monitor packets on a rule-by-rule basis by specifying the action to be "notify" instead of the default action "drop".

    See fwaccel dos rate.

-N "<Name of IP Deny-list>"

--set-name "<Name of IP Deny-list>"

Configures the name for the IP deny-list.

This name appears in the Security Gateway logs.

Notes:

  • The default name is "Deny List".

  • This change survives a reboot.

  • Maximum name length is 79 characters.

  • You must use only ASCII characters.

-O <Number>

--set-notif-rate <Number>

Configures the maximum number of logs per second for packet drops.

When DoS / Rate Limiting blocks many packets, it can be important to limit the maximum number of the drop logs that the Security Gateway generates per second.

Notes:

  • The default logging rate is 100 logs/second.

  • This change survives a reboot.

-R {on | off}

--set-tcp-rst {on | off}

Enables (on) or disables (off) the response with the TCP [RST] packet for TCP connections that the IP deny-list blocked.

Notes:

  • By default, SecureXL does not send the TCP [RST] packet for blocked TCP connections.

  • This change survives a reboot.

-s

--show

Shows the IP addresses in the IP deny-list.

Example from a non-VSX Gateway

[Expert@MyGW:0]# fwaccel dos deny -c
Deny List:
    Status                            on (without policy)
    Internal Interfaces               off
    Monitor-Only                      off
    Log Drops                         on
    Max Notifications Per-Second      100 logs/second
    Send TCP Reset                    off
    Name                              Deny List
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
The deny list is empty
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -a 1.1.1.1
Adding 1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
1.1.1.1
[Expert@MyGW:0]# fwaccel dos deny -a 2.2.2.2
Adding 2.2.2.2
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
2.2.2.2
1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -d 2.2.2.2
Deleting 2.2.2.2
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -F
All deny list entries deleted
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
The deny list is empty
[Expert@MyGW:0]#