fwaccel dos pbox

Description

The "fwaccel dos pbox" (for IPv4) and "fwaccel6 dos pbox" (for IPv6) commands control the Penalty Box deny-list in SecureXL.

The SecureXL Penalty Box is a mechanism that performs an early drop of packets that arrive from suspected sources. The purpose of this feature is to allow the Security Gateway to cope better under high traffic load, possibly caused by a DoS/DDoS attack.

The SecureXL Penalty Box watches for clients whose packets the Access Control Policy drops, and for clients that violate IPS protections. When the rate of dropped packets from one source exceeds the configured threshold, SecureXL puts that source in the Penalty Box. From that point, SecureXL drops all packets that arrive from the blocked source IP address until the configured timeout expires.

The Penalty Box allow-list in SecureXL holds the source IP addresses that the SecureXL Penalty Box never blocks.

Important:

  • By default, the Penalty Box is disabled.

  • To enforce the Penalty Box in SecureXL, you must first enable it with the "-E on" ("--set-enabled on") parameter described below.

  • In a Cluster, you must configure all the Cluster Members in the same way.

  • On Scalable Platforms (ElasticXL, Maestro, and Scalable Chassis), you must run the required commands in the context of the applicable Security Group, and only in this way:

    • On the Security Group command line, only on the SMO Security Group Member.

    • In the Global Gaia Clish (gclish), run these commands:

      • fwaccel dos <Options>

      • fwaccel6 dos <Options>

    • In the Expert mode, run these commands (they start with the "g_" prefix):

      • g_fwaccel dos <Options>

      • g_fwaccel6 dos <Options>

  • In the VSNext mode / Traditional VSX mode, you must go to the context of an applicable Virtual Gateway / Virtual System.

    • In Gaia Clish, run: set virtual-system <VSID>

    • In the Expert mode, run: vsenv <VSID>

  • In a Scalable Platform, when you add a new Security Group Member to a Security Group, the new Security Group Member pulls these configuration files:

    • $FWDIR/conf/pbox-whitelist-v4.conf

    • $FWDIR/conf/pbox-whitelist-v6.conf

Syntax

{fwaccel | fwaccel6} dos pbox

      {-h | --help}

      allow

            {-h | --help}

            {-a | --add} <IP Address>[/<Subnet Mask Length>]

            {-d | --delete} <IP Address>[/<Subnet Mask Length>]

            {-F | --flush}

            {-l | --load} /<Path>/<Name of File>

            {-s | --show}

      {-c | --show-config}

      {-E | --set-enabled} {on | off}

      {-F | --flush}

      {-G | --set-log-drops} {on | off}

      {-I | --set-enforce-internal} {on | off}

      {-L | --set-log-reported} {on | off}

      {-M | --set-monitor-only} {on | off}

      {-O | --set-notif-rate} <Number>

      {-P | --set-drops-threshold} <Number>

      {-R | --set-tcp-rst} {on | off}

      {-s | --show}

      {-T | --set-timeout} <Number>

Parameters

Parameter

Description

No Parameters

Shows the applicable built-in usage.

-h

--help

Shows the applicable built-in usage.

allow <options>

Important - Before you use 3rd-party or automatic deny-lists, add your trusted networks and hosts to this allow-list to avoid outages.

Adds an IP address of a host or a network to a persistent "Allow List", so this IP address is not affected by the DoS / Rate Limiting protection:

  • -h

    --help

    Shows the applicable built-in usage.

  • -a <IP Address>[/<Subnet Mask Length>]

    --add <IP Address>[/<Subnet Mask Length>]

    Add an IP address in the CIDR notation to the override allow-list.

    • <IP Address>

      The IP address of a network or a host.

    • /<Subnet Mask Length>

      The length of the subnet mask, from /1 to /32.

      Optional for a host IP address.

      Mandatory for a network IP address.

      Important - If you do not specify the subnet mask length explicitly, this command uses the subnet mask length /32.

  • -d <IP Address>[/<Subnet Mask Length>]

    --delete <IP Address>[/<Subnet Mask Length>]

    Deletes an IP address in the CIDR notation from the override allow-list.

  • -F

    --flush

    Removes (flushes) all IP addresses from the override allow-list.

  • -l /<Path>/<Name of File>

    --load /<Path>/<Name of File>

    Loads the IP addresses into the override allow-list from the specified file.

    This file must contain IP addresses of hosts or networks in the CIDR notation, each IP address on a new line.

  • -s

    --show

    Shows the configured allow-list.

-a <IP Address>

--add <IP Address>

Adds the specified IP address to the deny-list.

Note - To add more than one IP address, run this command for each applicable IP address.

-c

--show-config

Shows the current configuration.

-d <IP Address>

--delete <IP Address>

Removes the specified IP address from the deny-list.

Note - To remove more than one IP address, run this command for each applicable IP address.

-E {on | off}

--set-enabled {on | off}

Enables (on) or disables (off) the feature.

Notes:

  • By default, the Penalty Box is disabled.

  • This change survives a reboot.

-F

--flush

Removes (flushes) all IP addresses from the Penalty Box.

Notes:

  • You can combine the parameter "{-F | --flush}" with the parameter "{-a | --add}", "{-d | --delete}", or "{-l | --load}".

-G {on | off}

--set-log-drops {on | off}

Enables (on) or disables (off) the logging of packet drops.

Notes:

  • By default, the Security Gateway generates the "Drop" logs for traffic that the DoS / Rate Limiting feature blocked.

  • By default, logging of packet drops is enabled.

-I {on | off}

--set-enforce-internal {on | off}

Enables (on) or disables (off) the enforcement on interfaces whose topology is configured as "Internal" in the Security Gateway / Cluster object.

Notes:

  • By default, DoS / Rate Limiting enforcement is disabled on interfaces for which you configured the "Internal" topology in the Security Gateway / Cluster object, because internal interfaces are assumed to be connected to trusted networks.

  • This change survives a reboot.

-L {on | off}

--set-log-reported {on | off}

Enables (on) or disables (off) the logging of IP addresses that were added to the Penalty Box.

Notes:

  • By default, logging of IP addresses that were added to the Penalty Box is enabled.

  • This change survives a reboot.

-M {on | off}

--set-monitor-only {on | off}

Enables (on) or disables (off) the monitor-only mode for the IP deny-list.

In the monitor-only mode you can test the IP deny-list without blocking the traffic.

The Security Gateway does not block traffic, but still generates a log.

Notes:

  • By default, the monitor-only mode is disabled.

  • This change survives a reboot.

  • This command affects only the IP deny-list (does not affect the fw samp rules, etc.).

  • In addition to the Monitor-only mode, DoS / Rate Limiting has a more granular option to monitor packets on a rule-by-rule basis by specifying the action to be "notify" instead of the default action "drop".

    See fwaccel dos rate.

-O <Number>

--set-notif-rate <Number>

Configures the maximum number of logs per second for packet drops.

When DoS / Rate Limiting blocks many packets, it can be important to limit the maximum number of the drop logs that the Security Gateway generates per second.

Notes:

  • The default logging rate is 100 logs/second.

  • This change survives a reboot.

-P <Number>

--set-drops-threshold <Number>

Configures the minimum number of dropped packets per second from a source to trigger the Penalty Box for that source.

Notes:

  • The default drop rate is 500 packets/second.

  • This change survives a reboot.

-R {on | off}

--set-tcp-rst {on | off}

Enables (on) or disables (off) sending a TCP [RST] packet in response to TCP connections that the IP deny-list blocked.

Notes:

  • By default, SecureXL does not send the TCP [RST] packet for blocked TCP connections.

  • This change survives a reboot.

-s

--show

Shows the IP addresses in the IP deny-list.

-T <Number>

--set-timeout <Number>

Configures the timeout (in seconds) for blocked IP addresses in the Penalty Box.

When this timeout expires, SecureXL removes the blocked IP address from the Penalty Box.

Notes:

  • The default timeout is 180 seconds.

  • This change survives a reboot.
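The "allow -l" parameter and the Important note above say to put trusted networks and hosts in the allow-list before relying on any automatic blocking, using one CIDR entry per line. The script below is an added example for this page, not Check Point's own code: it validates such a file offline (rejecting malformed entries and normalising bare host IPs to /32, the default that "-a" applies) and loads it only when the gateway tool is present and nothing was rejected. The file names and the sample entries are constructed for the example; IPv6 lists for fwaccel6 are not handled.

```sh
#!/bin/sh
# Added example for this page; it is not Check Point tooling. It prepares a
# file for "fwaccel dos pbox allow -l <file>", which expects one host or
# network in CIDR notation per line. Bare host IPs are normalised to /32
# (the same default that "-a" applies), and entries that are not valid IPv4
# CIDR with a prefix length from /1 to /32 are rejected before anything is
# loaded on the gateway. File names and sample entries are constructed for
# this example; IPv6 lists for fwaccel6 are not handled.

# Validate one entry. Prints "a.b.c.d/len" on success, returns 1 on failure.
normalize_cidr() {
    entry=$1
    case $entry in
        */*) ip=${entry%%/*}; len=${entry#*/} ;;
        *)   ip=$entry;        len=32 ;;
    esac
    # prefix length: decimal digits, no leading zero, 1..32
    case $len in ''|*[!0-9]*|0*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    # exactly four decimal octets, no leading zeros, each 0..255
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    printf '%s/%s\n' "$ip" "$len"
}

# Rewrite an input file as a clean list for "allow -l". Comments after "#"
# and blank lines are skipped; bad lines go to stderr. Returns the number of
# rejected lines, so 0 means the output file is safe to load.
build_allowlist() {
    in_file=$1; out_file=$2; bad=0
    : > "$out_file"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -n "$line" ] || continue
        if norm=$(normalize_cidr "$line"); then
            printf '%s\n' "$norm" >> "$out_file"
        else
            printf 'rejected: %s\n' "$line" >&2
            bad=$((bad + 1))
        fi
    done < "$in_file"
    return "$bad"
}

work=$(mktemp -d)
raw=$work/trusted.txt            # hand-maintained list (constructed sample)
clean=$work/pbox-allow-v4.txt    # the file that gets loaded

cat > "$raw" <<'EOF'
# Management and monitoring hosts: never penalty-box these (constructed sample).
192.168.20.40          # bare host, stored as /32
192.168.20.0/24
10.0.0.0/8
192.168.20.0/0         # rejected: prefix length must be /1 to /32
10.0.0.256/32          # rejected: octet out of range
EOF

rejected=0
build_allowlist "$raw" "$clean" || rejected=$?
echo "usable entries: $(grep -c . "$clean"), rejected: $rejected"

# Touch the gateway only when the tool is present and nothing was rejected.
if [ "$rejected" -eq 0 ] && command -v fwaccel >/dev/null 2>&1; then
    fwaccel dos pbox allow -l "$clean"
    fwaccel dos pbox allow -s
fi
```

Fix or remove every rejected line before loading: a silently skipped entry would leave a trusted host exposed to the Penalty Box. On Scalable Platforms run the load with g_fwaccel from the Expert mode of the SMO Security Group Member, as noted above.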

Example 1 - Default Configuration

[Expert@MyGW:0]# fwaccel dos pbox -c
Penalty Box:
    Status                            off
    Internal Interfaces               off
    Monitor-Only                      off
    Log Drops                         on
    Max Notifications Per-Second      100 logs/second
    Send TCP Reset                    off
    Timeout for Blocked IPs           180 seconds
    Has Blocked IPs                   no
    Log when a new IP is blocked      on
    Drop rate to trigger on           500 packets/second
[Expert@MyGW:0]#

Example 2 - Adding a host IP address without the optional subnet mask length

[Expert@MyGW:0]# fwaccel dos pbox allow -a 192.168.20.40
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -s
192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -F
[Expert@MyGW:0]# fwaccel dos pbox allow -s
[Expert@MyGW:0]#

Example 3 - Adding a host IP address with the optional subnet mask length

[Expert@MyGW:0]# fwaccel dos pbox allow -a 192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -s
192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -F
[Expert@MyGW:0]# fwaccel dos pbox allow -s
[Expert@MyGW:0]#

Example 4 - Adding a network IP address with the mandatory subnet mask length

[Expert@MyGW:0]# fwaccel dos pbox allow -a 192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -s
192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -F
[Expert@MyGW:0]# fwaccel dos pbox allow -s
[Expert@MyGW:0]#

Example 5 - Deleting a host entry

[Expert@MyGW:0]# fwaccel dos pbox allow -a 192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -a 192.168.20.70/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -s
192.168.20.40/32
192.168.20.70/32
[Expert@MyGW:0]# fwaccel dos pbox allow -d 192.168.20.70/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -s
192.168.20.40/32
[Expert@MyGW:0]#
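The -M, -G, -L and -E parameters, together with the rule that all Cluster Members must be configured the same way, suggest a staged roll-out: enable the Penalty Box in monitor-only mode with both kinds of logging on, review what it would have blocked, and only then turn monitor-only off. The script below is an added example for this page, not Check Point's own code: it runs that command sequence (or prints it where fwaccel is not installed) and checks the result by parsing "fwaccel dos pbox -c" output. The first sample is Example 1's output with Status and Monitor-Only set to on; the two variants derived from it are constructed, and ignoring the "Has Blocked IPs" line when comparing members is an assumption made for this example.

```sh
#!/bin/sh
# Added example for this page; it is not Check Point tooling. It rolls the
# Penalty Box out in stages (monitor-only first, enforcement later) and
# verifies the result by parsing "fwaccel dos pbox -c" output, including a
# comparison across Cluster Members, which must be configured identically.
# Commands are executed only where fwaccel exists; elsewhere they are printed.

# Print the value of one setting from "-c" output read on stdin.
pbox_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*//p"
}

# Succeed only in the safe "observe" stage: enabled, monitor-only, and both
# kinds of logging on, so nothing is dropped yet but every would-be drop and
# every newly penalised IP is logged.
pbox_monitor_stage_ok() {
    cfg=$(cat)
    for want in 'Status on' 'Monitor-Only on' 'Log Drops on' \
                'Log when a new IP is blocked on'; do
        key=${want% *}; val=${want##* }
        [ "$(printf '%s\n' "$cfg" | pbox_get "$key")" = "$val" ] || return 1
    done
}

# Compare two members' -c outputs. "Has Blocked IPs" is treated as runtime
# state rather than configuration and ignored (assumption of this example).
pbox_config_matches() {
    a=$(grep -v 'Has Blocked IPs' "$1")
    b=$(grep -v 'Has Blocked IPs' "$2")
    [ "$a" = "$b" ]
}

# Stage 1: monitor-only and logging are set before "-E on", so the gateway
# never enforces before the allow-list and the logs have been reviewed.
# Stage 2, after reviewing the logs for false positives: "-M off".
pbox_stage_monitor() {
    for args in '-M on' '-G on' '-L on' '-E on'; do
        if command -v fwaccel >/dev/null 2>&1; then
            fwaccel dos pbox $args
        else
            echo "would run: fwaccel dos pbox $args"
        fi
    done
}

# Sample -c output: Example 1 from this page with Status and Monitor-Only on.
member_a=$(mktemp); member_b=$(mktemp); member_c=$(mktemp)
cat > "$member_a" <<'EOF'
Penalty Box:
    Status                            on
    Internal Interfaces               off
    Monitor-Only                      on
    Log Drops                         on
    Max Notifications Per-Second      100 logs/second
    Send TCP Reset                    off
    Timeout for Blocked IPs           180 seconds
    Has Blocked IPs                   no
    Log when a new IP is blocked      on
    Drop rate to trigger on           500 packets/second
EOF
# Constructed variants: B has the same settings but already holds blocked IPs;
# C has drifted to enforcing mode.
sed 's/\(Has Blocked IPs *\)no$/\1yes/' "$member_a" > "$member_b"
sed 's/\(Monitor-Only *\)on$/\1off/' "$member_a" > "$member_c"

pbox_stage_monitor
pbox_monitor_stage_ok < "$member_a" && echo "member A: monitor stage OK"
pbox_config_matches "$member_a" "$member_b" && echo "A vs B: settings match"
pbox_config_matches "$member_a" "$member_c" || echo "A vs C: settings differ, align them before -M off"
```

Run the stage on every Cluster Member, save each member's "fwaccel dos pbox -c" output to a file, and compare the files with pbox_config_matches before switching monitor-only off anywhere. On Scalable Platforms use g_fwaccel from the Expert mode of the SMO Security Group Member, as noted above.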