fwaccel dos drop_frags

Description

The "fwaccel dos drop_frags" (for IPv4) and "fwaccel6 dos drop_frags" (for IPv6) commands control the drop of IP Fragments in SecureXL.

Important:

  • By default, drops of IP Fragments are disabled.

  • In a Cluster, you must configure all the Cluster Members in the same way.

  • On Scalable Platforms (ElasticXL, Maestro, and Chassis), you must connect to the Gaia Portal of the applicable Security Group.

    On Scalable Platforms (ElasticXL, Maestro, Scalable Chassis), you must run the required commands only in this way:

    • On the Security Group command line, only on the SMO Security Group Member.

    • In the Global Gaia Clish (gclish), must run these commands:

      • fwaccel dos <Options>

      • fwaccel6 dos <Options>

    • In the Expert mode, must run these commands (start with the "g_" prefix):

      • g_fwaccel dos <Options>

      • g_fwaccel6 dos <Options>

  • In the VSNext mode / Traditional VSX mode, you must go to the context of an applicable Virtual Gateway / Virtual System.

    • In Gaia Clish, run: set virtual-system <VSID>

    • In the Expert mode, run: vsenv <VSID>

  • These commands survive a reboot.

Syntax

{fwaccel | fwaccel6} dos drop_frags

      {-h | --help}

      allow

            {-h | --help}

            {-a | --add} <IP Address>[/<Subnet Mask Length>]

            {-d | --delete} <IP Address>[/<Subnet Mask Length>]

            {-F | --flush}

            {-l | --load} /<Path>/<Name of File>

            {-s | --show}

      {-c | --show-config}

      {-E | --set-enabled} {on | off}

      {-G | --set-log-drops} {on | off}

      {-I | --set-enforce-internal} {on | off}

      {-M | --set-monitor-only} {on | off}

      {-O | --set-notif-rate} <Number>}

Parameters

Parameter

Description

No Parameters

Shows the applicable built-in usage.

-h

--help}

Shows the applicable built-in usage.

allow <options>

Adds an IP address of a host or a network to a persistent "Allow List", so this IP address is not affected by the DoS / Rate Limiting protection:

  • -h

    --help

    Shows the applicable built-in usage.

  • -a <IP Address>[/<Subnet Mask Length>]

    --add <IP Address>[/<Subnet Mask Length>]

    Add an IP address in the CIDR notation to the override allow-list.

    • <IP Address>

      The IP address of a network or a host.

    • /<Subnet Mask Length>

      Must specify the length of the subnet mask from /1 to /32.

      Optional for a host IP address.

      Mandatory for a network IP address.

      Important - If you do not specify the subnet mask length explicitly, this command uses the subnet mask length /32.

  • -d <IP Address>[/<Subnet Mask Length>]

    --delete <IP Address>[/<Subnet Mask Length>]

    Deletes an IP address in the CIDR notation from the override allow-list.

  • -F

    --flush

    Removes (flushes) all IP addresses from the override allow-list.

  • -l /<Path>/<Name of File>

    --load /<Path>/<Name of File>

    Loads the IP addresses into the override allow-list from the specified file.

    This file must contain IP addresses of hosts or networks in the CIDR notation, each IP address on a new line.

  • -s

    --show

    Shows the configured allow-list.

-c

--show-config

Shows the current configuration.

-E {on | off}

--set-enabled {on | off}

Enables (on) or disables (off) the feature.

Notes:

  • By default, drops of IP Fragments are disabled.

  • This change survives a reboot.

-G {on | off}

--set-log-drops {on | off}

Enables (on) or disables (off) the logging of packet drops.

Notes:

  • By default, the Security Gateway generates the "Drop" logs for traffic that the DoS / Rate Limiting feature blocked.

  • By default, logging of packet drops is enabled.

-I {on | off}

--set-enforce-internal {on | off}

Enables (on) or disables (off) the enforcement on interfaces, whose topology is configured as "Internal" in the Security Gateway object.

Notes:

  • By default, DoS / Rate Limiting enforcement is disabled on interfaces, for which you configured the "Internal" topology in the Security Gateway / Cluster object.

    This is because the internal interfaces are assumed to be connected to trusted networks.

  • This change survives a reboot.

-M {on | off}

--set-monitor-only {on | off}

Enables (on) or disables (off) the monitor-only mode for the IP deny-list.

In the monitor-only mode you can test the drops of IP Fragments without blocking the traffic.

The Security Gateway does not block traffic, but still generates a log.

Notes:

  • By default, the monitor-only mode is disabled.

  • This change survives a reboot.

  • This command affects only the IP deny-list (does not affect the fw samp rules, etc.).

  • In addition to the Monitor-only mode, DoS / Rate Limiting has a more granular option to monitor packets on a rule-by-rule basis by specifying the action to be "notify" instead of the default action "drop".

    See fwaccel dos rate.

-O <Number>

--set-notif-rate <Number>

Configures the maximum number of logs per second for packet drops.

When DoS / Rate Limiting blocks many packets, it can be important to limit the maximum number of the drop logs that the Security Gateway generates per second.

Notes:

  • The default logging rate is 100 logs/second.

  • This change survives a reboot.

Example from a non-VSX Gateway

[Expert@MyGW:0]# fwaccel dos drop_frags -c
Disallow IPv4 Fragments:
    Status                            off
    Internal Interfaces               off
    Monitor-Only                      off
    Log Drops                         on
    Max Notifications Per-Second      100 logs/second
[Expert@MyGW:0]#