fwaccel dos drop_frags

Description

The "fwaccel dos drop_frags" (for IPv4) and "fwaccel6 dos drop_frags" (for IPv6) commands control the drop of IP Fragments in SecureXL.

Important:

  • By default, drops of IP Fragments are disabled.

  • In a Cluster, you must configure all the Cluster Members in the same way.

  • On Scalable Platforms (ElasticXL, Maestro, Scalable Chassis), you must run the required commands only in this way:

    • On the Security Group command line, only on the SMO Security Group Member.

    • In the Global Gaia Clish (gclish), you must run these commands:

      • fwaccel dos <Options>

      • fwaccel6 dos <Options>

    • In the Expert mode, you must run these commands (they start with the "g_" prefix):

      • g_fwaccel dos <Options>

      • g_fwaccel6 dos <Options>

  • In the VSNext mode / Traditional VSX mode, you must go to the context of an applicable Virtual Gateway / Virtual System.

    • In Gaia Clish, run: set virtual-system <VSID>

    • In the Expert mode, run: vsenv <VSID>

  • These commands survive a reboot.

Syntax

{fwaccel | fwaccel6} dos drop_frags

      {-h | --help}

      allow

            {-h | --help}

            {-a | --add} <IP Address>[/<Subnet Mask Length>]

            {-d | --delete} <IP Address>[/<Subnet Mask Length>]

            {-F | --flush}

            {-l | --load} /<Path>/<Name of File>

            {-s | --show}

      {-c | --show-config}

      {-E | --set-enabled} {on | off}

      {-G | --set-log-drops} {on | off}

      {-I | --set-enforce-internal} {on | off}

      {-M | --set-monitor-only} {on | off}

      {-O | --set-notif-rate} <Number>

Parameters

Parameter

Description

No Parameters

Shows the applicable built-in usage.

-h

--help

Shows the applicable built-in usage.

allow <options>

Adds an IP address of a host or a network to a persistent "Allow List", so this IP address is not affected by the DoS / Rate Limiting protection:

  • -h

    --help

    Shows the applicable built-in usage.

  • -a <IP Address>[/<Subnet Mask Length>]

    --add <IP Address>[/<Subnet Mask Length>]

    Adds an IP address in the CIDR notation to the override allow-list.

    • <IP Address>

      The IP address of a network or a host.

    • /<Subnet Mask Length>

      Specifies the length of the subnet mask, from /1 to /32.

      Optional for a host IP address.

      Mandatory for a network IP address.

      Important - If you do not specify the subnet mask length explicitly, this command uses the subnet mask length /32.

  • -d <IP Address>[/<Subnet Mask Length>]

    --delete <IP Address>[/<Subnet Mask Length>]

    Deletes an IP address in the CIDR notation from the override allow-list.

  • -F

    --flush

    Removes (flushes) all IP addresses from the override allow-list.

  • -l /<Path>/<Name of File>

    --load /<Path>/<Name of File>

    Loads the IP addresses into the override allow-list from the specified file.

    This file must contain IP addresses of hosts or networks in the CIDR notation, each IP address on a new line.
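Before running "fwaccel dos drop_frags allow --load", it is worth checking that the file really contains one IPv4 host or network in CIDR notation per line. The following shell functions are an added example (not part of the Check Point CLI) that validate such a file against the format described above, accepting a bare host address (which the command treats as /32) or an address with a prefix length from /1 to /32, and reporting every line that would not load.

```shell
#!/bin/sh
# Validate an allow-list file before passing it to
# "fwaccel dos drop_frags allow --load <file>": one IPv4 host or network
# per line, optional CIDR prefix /1..32. Added example, not Check Point code.

# Returns 0 if "$1" is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Returns 0 if "$1" is "<ip>" or "<ip>/<len>" with <len> in 1..32.
valid_allow_entry() {
    case "$1" in
        */*)
            ip=${1%%/*}; len=${1#*/}
            echo "$len" | grep -Eq '^[0-9]{1,2}$' || return 1
            [ "$len" -ge 1 ] && [ "$len" -le 32 ] || return 1
            valid_ipv4 "$ip"
            ;;
        *)  valid_ipv4 "$1" ;;
    esac
}

# Checks every non-empty line of file "$1"; prints each bad line with its
# line number and returns the number of bad lines (0 = file is loadable).
check_allow_list_file() {
    bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -z "$line" ] && continue
        valid_allow_entry "$line" || { echo "line $n: invalid entry '$line'"; bad=$((bad + 1)); }
    done < "$1"
    return "$bad"
}
```

Run it as `check_allow_list_file /path/to/allow_list.txt && fwaccel dos drop_frags allow --load /path/to/allow_list.txt` so the load happens only when every line is valid.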

  • -s

    --show

    Shows the configured allow-list.

-c

--show-config

Shows the current configuration.

-E {on | off}

--set-enabled {on | off}

Enables (on) or disables (off) the feature.

Notes:

  • By default, drops of IP Fragments are disabled.

  • This change survives a reboot.

-G {on | off}

--set-log-drops {on | off}

Enables (on) or disables (off) the logging of packet drops.

Notes:

  • By default, the Security Gateway generates the "Drop" logs for traffic that the DoS / Rate Limiting feature blocked.

  • By default, logging of packet drops is enabled.

-I {on | off}

--set-enforce-internal {on | off}

Enables (on) or disables (off) the enforcement on interfaces whose topology is configured as "Internal" in the Security Gateway object.

Notes:

  • By default, DoS / Rate Limiting enforcement is disabled on interfaces for which you configured the "Internal" topology in the Security Gateway / Cluster object.

    This is because the internal interfaces are assumed to be connected to trusted networks.

  • This change survives a reboot.

-M {on | off}

--set-monitor-only {on | off}

Enables (on) or disables (off) the monitor-only mode for the IP deny-list.

In the monitor-only mode you can test the drops of IP Fragments without blocking the traffic.

The Security Gateway does not block traffic, but still generates a log.

Notes:

  • By default, the monitor-only mode is disabled.

  • This change survives a reboot.

  • This command affects only the IP deny-list (does not affect the fw samp rules, etc.).

  • In addition to the Monitor-only mode, DoS / Rate Limiting has a more granular option to monitor packets on a rule-by-rule basis by specifying the action to be "notify" instead of the default action "drop".

    See fwaccel dos rate.

-O <Number>

--set-notif-rate <Number>

Configures the maximum number of logs per second for packet drops.

When DoS / Rate Limiting blocks many packets, it can be important to limit the maximum number of the drop logs that the Security Gateway generates per second.

Notes:

  • The default logging rate is 100 logs/second.

  • This change survives a reboot.

Example from a non-VSX Gateway

[Expert@MyGW:0]# fwaccel dos drop_frags -c
Disallow IPv4 Fragments:
    Status                            off
    Internal Interfaces               off
    Monitor-Only                      off
    Log Drops                         on
    Max Notifications Per-Second      100 logs/second
[Expert@MyGW:0]#
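Because all Cluster Members must be configured in the same way, a practical check is to collect the "-c" output from each member and compare the fields. The shell functions below are an added example (not Check Point code) that normalise that output into "name=value" lines and report every field that differs; the two outputs are constructed samples in the format shown above, standing in for the output collected from two members.

```shell
#!/bin/sh
# Cluster consistency check for "fwaccel dos drop_frags -c": normalise each
# member's "-c" output into name=value lines and report differing fields.
# Added example, not Check Point code. MEMBER_A and MEMBER_B are constructed
# samples of the "-c" output as it would be collected from two members.

MEMBER_A='Disallow IPv4 Fragments:
    Status                            on
    Internal Interfaces               off
    Monitor-Only                      off
    Log Drops                         on
    Max Notifications Per-Second      100 logs/second'

MEMBER_B='Disallow IPv4 Fragments:
    Status                            on
    Internal Interfaces               off
    Monitor-Only                      on
    Log Drops                         on
    Max Notifications Per-Second      50 logs/second'

# Turn the indented "<name>   <value>" rows on stdin into sorted
# "<name>=<value>" lines; the unindented header line is dropped.
normalise_config() {
    sed -n 's/^ \{1,\}\(.*[^ ]\) \{2,\}\([^ ].*\)$/\1=\2/p' | sort
}

# Prints the value of one setting, e.g. setting "$MEMBER_A" Monitor-Only
setting() {
    printf '%s\n' "$1" | normalise_config | sed -n "s/^$2=//p"
}

# Compares two "-c" outputs; prints each differing field and returns
# the number of differences (0 means the members match).
config_diff() {
    diffs=0
    while IFS= read -r row; do
        name=${row%%=*}
        va=${row#*=}
        vb=$(setting "$2" "$name")
        [ "$va" = "$vb" ] || { echo "$name: '$va' != '$vb'"; diffs=$((diffs + 1)); }
    done <<EOF
$(printf '%s\n' "$1" | normalise_config)
EOF
    return "$diffs"
}

config_diff "$MEMBER_A" "$MEMBER_B" || echo "members differ in $? field(s)"
```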