fwaccel dos rate

Description

The "fwaccel dos rate" (for IPv4) and "fwaccel6 dos rate" (for IPv6) commands show and install the Rate Limiting policy in SecureXL.

Important:

  • By default, the Rate Limiting policy feature is enabled without any rules.

  • In a Cluster, you must configure all the Cluster Members in the same way.

  • (missing or bad snippet)

    On Scalable Platforms (ElasticXL, Maestro, Scalable Chassis), you must run the required commands only in this way:

    • On the Security Group command line, only on the SMO Security Group Member.

    • In the Global Gaia Clish (gclish), must run these commands:

      • fwaccel dos <Options>

      • fwaccel6 dos <Options>

    • In the Expert mode, must run these commands (start with the "g_" prefix):

      • g_fwaccel dos <Options>

      • g_fwaccel6 dos <Options>

  • In the VSNext mode / Traditional VSX mode, you must go to the context of an applicable Virtual Gateway / Virtual System.

    • In Gaia Clish, run: set virtual-system <VSID>

    • In the Expert mode, run: vsenv <VSID>

Notes

  • If you install a new rate limiting policy with more than one rule, it automatically enables the rate limiting feature.

    To disable the rate limiting feature manually, run this command (see fwaccel dos config):

    {fwaccel | fwaccel6} dos config set --disable-rate-limit

  • To delete the current rate limiting policy, install a new policy with zero rules.

Syntax

{fwaccel | fwaccel6} dos rate {-h | --help}

{fwaccel | fwaccel6} dos rate

      add --help

      add [<SIC Connection>] <Options> <Match Conditions> <Limit> <Tracking>

      add batch /<Path>/<Name of File>

{fwaccel | fwaccel6} dos rate

      counters --help

      counters

      counters '<Rule Index>'

      counters '<Rule UID>'

{fwaccel | fwaccel6} dos rate

      del --help

      del all

      del '<Rule UID>'

      del batch /<Path>/<Name of File>

{fwaccel | fwaccel6} dos rate

      get --help

      get {-r | -l | -o /<Path>/<Name of File>}

      get [-n] -u '<Rule UID>'

      get [-n] -k <Search Key>

      get [-n] -v <Search Value>

      get --show-tab

      get --show-counters

{fwaccel | fwaccel6} dos rate

      {-c | --show-config}

      {-E | --set-enabled} {on | off}

      {-G | --set-log-drops} {on | off}

      {-I | --set-enforce-internal} {on | off}

      {-M | --set-monitor-only} {on | off}

      {-O | --set-notif-rate} <Number>}

      {-R | --set-rule-cache} {on | off}

Parameters

Parameter

Description

No Parameters

Shows the applicable built-in usage.

-h

--help}

Shows the applicable built-in usage.

add [<SIC Connection>] <Options> <Match Conditions> <Limit> <Tracking>

Adds one IPv4 rule to the Rate Limiting policy.

See Adding an IPv4 rule to the Rate Limiting policy.

add batch /<Path>/<Name of File>

Adds IPv4 rules in a batch mode to the Rate Limiting policy.

See Adding IPv4 rules in a batch mode to the Rate Limiting policy.

counters <options>

Shows the counters for all rules in the Rate Limiting policy.

See Viewing DoS / Rate Limiting Counters.

To reset counters, see fwaccel dos stats.

del all

Deletes all rules from the Rate Limiting policy.

del '<Rule UID>'

Deletes the specified rule from the Rate Limiting policy.

Important - The quote marks (single or double) and angle brackets ('<...>') are mandatory.

The '<Rule UID>' value is generated automatically when you add a rule.

To see the UID for each rule, run:

{fwaccel | fwaccel6} dos rate get

Example:

fwaccel dos rate del '<5779378c,00000000,64291eac,00005584>'

del batch /<Path>/<Name of File>

Deletes the specified rules in a batch mode from the Rate Limiting policy.

  1. Get the UID for each rule:

    {fwaccel | fwaccel6} dos rate get

  2. Save the required UID value in a plain-text file, one UID on each line.

  3. Delete the specified rules:

    {fwaccel | fwaccel6} del batch /<Path>/<Name of File>

get <options>

Shows information about the rules the Rate Limiting policy.

See Viewing information about the rules the Rate Limiting policy.

-c

--show-config

Shows the current configuration.

Example:

[Expert@MyGW:0]# fwaccel dos rate -c
Rate Limit Rules:
    Status                            on (without policy)
    Internal Interfaces               off
    Monitor-Only                      off
    Log Drops                         on
    Max Notifications Per-Second      100 logs/second
    Rule Cache                        on
[Expert@MyGW:0]#

-E {on | off}

--set-enabled {on | off}

Enables (on) or disables (off) the feature.

Notes:

  • By default, the Rate Limiting policy feature is enabled without any rules.

  • This change survives a reboot.

-G {on | off}

--set-log-drops {on | off}

Enables (on) or disables (off) the logging of packet drops.

Notes:

  • By default, the Security Gateway generates the "Drop" logs for traffic that the DoS / Rate Limiting feature blocked.

  • By default, logging of packet drops is enabled.

-I {on | off}

--set-enforce-internal {on | off}

Enables (on) or disables (off) the enforcement on interfaces, whose topology is configured as "Internal" in the Security Gateway object.

Notes:

  • By default, DoS / Rate Limiting enforcement is disabled on interfaces, for which you configured the "Internal" topology in the Security Gateway / Cluster object.

    This is because the internal interfaces are assumed to be connected to trusted networks.

  • This change survives a reboot.

-M {on | off}

--set-monitor-only {on | off}

Enables (on) or disables (off) the monitor-only mode for the IP deny-list.

In the monitor-only mode you can test the drops of IP Fragments without blocking the traffic.

The Security Gateway does not block traffic, but still generates a log.

Notes:

  • By default, the monitor-only mode is disabled.

  • This change survives a reboot.

  • This command affects only the IP deny-list (does not affect the fw samp rules, etc.).

  • In addition to the Monitor-only mode, DoS / Rate Limiting has a more granular option to monitor packets on a rule-by-rule basis by specifying the action to be "notify" instead of the default action "drop".

-O <Number>

--set-notif-rate <Number>

Configures the maximum number of logs per second for packet drops.

When DoS / Rate Limiting blocks many packets, it can be important to limit the maximum number of the drop logs that the Security Gateway generates per second.

Notes:

  • The default logging rate is 100 logs/second.

  • This change survives a reboot.

-R {on | off}

--set-rule-cache {on | off}

Enables (on) or disables (off) the rule cache.

Notes:

  • By default, the rule cache is enabled for maximum performance.

  • This change survives a reboot.

Adding an IPv4 rule to the Rate Limiting policy

Syntax

{fwaccel | fwaccel6} dos rate add [<SIC Connection>] <Options> <Match Conditions> <Limit> <Tracking>

Parameters

You can use this optional parameter only when running the command from the Management Server's command-line to configure DoS / Rate Limiting policy rules on a Security Gateway / each Cluster Member.

Use on of these:

  • -S <IP Address of Management Interface>

    Specifies the IP address of the management interface (default=localhost) on a Security Gateway / Cluster Member.

    Example:

    fwaccel dos rate add -S 192.168.1.101 source any pkt-rate 100000

  • -s <SIC Name>

    Specifies the SIC Name of a VSNext Virtual Gateway / Traditional VSX Gateway / Traditional VSX Cluster Member.

    Example:

    fwaccel dos rate add -S 192.168.1.101 -s my_virtual_system_1 source any pkt-rate 100000

These parameters affect the general behavior of a given policy rule.

Important - If you would like to use these options, you must specify them in the CLI syntax in front of the "<Match Conditions>" or the "<Limit>".

Parameter

Description

-t <Timeout>

Automatically deletes the rule after the specified number of seconds.

Default value: None

Example:

fwaccel dos rate add -t 2 source any pkt-rate 100000

-a {d | n | b}

Specifies the action.

One of these:

  • -a d

    -action drop

    Drop all packets that violate this rule (this is the default).

  • -a n

    -action notify

    Notify, but do not drop packets that violate this rule (meaning, Monitor-only mode).

  • -a b

    -action bypass

    Bypass DoS / Rate Limiting policy for all packets that match this rule (meaning, Allow List).

    Limits and the "track" option are not relevant for bypass rules and should not be specified.

Example:

fwaccel dos rate add -a b source cidr:192.168.0.0/16

-l {r | a}

Specifies the Security Gateway log type:

  • -l r

    -log regular

    Regular log (this is the default).

  • -l a

    -log alert

    Alert.

Example:

fwaccel dos rate add -l a source any pkt-rate 100000

-n '<Rule Name>'

Specifies the rule name.

Important - The quote marks (single or double) are mandatory.

Example:

fwaccel dos rate add -n "This is a Rule Name" source any pkt-rate 100000

-c '<Comment>'

Specifies the tule comment.

Important - The quote marks (single or double) are mandatory.

Example:

fwaccel dos rate add -c "This is a Comment" source any pkt-rate 100000

-o '<Originator>'

Specifies the rule originator.

Important - The quote marks (single or double) are mandatory.

Example:

fwaccel dos rate add -o "John Doe" source any pkt-rate 100000

-f <Security Gateway>

Specifies the Security Gateway on which to enforce this rule.

Typically this option is only used when administrating rules remotely.

Valid values are:

  • "all"

    Enforce this rule on all Security Gateways (this is the default).

  • <Name of Security Gateway Object>

    Enforce this rule on the specified Security Gateway.

  • <Name of Network Group Object>

    Enforce this rule on all Security Gateways listed in the specified Network Group object.

Example:

fwaccel dos rate add -S 192.168.1.101 -f test_gateway_1 source any pkt-rate 100000

Rate limiting policy rules can specify 3 different types of match conditions:

  • Source IP address

  • Destination IP address

  • IP protocol, or IP Protocol + destination port

If a type of match condition is not specified, it defaults to "any", but at least one source or destination match condition must be included in the rule.

If a source match condition or a destination match condition does not have a format specified, it defaults to "cidr:" or "range:".

Multiple match conditions can be combined to match specific network traffic.

The 3 different types of match conditions are described below:

  • Source Match Condition

  • Destination Match Condition

  • Service Match Condition

The source match conditions are used to specify which source IP addresses match the rule.

The default value is "any".

Source Description

any

Any/all source IP addresses match this DoS / Rate Limiting rule.

This is the default if no source match condition is specified.

Example:

fwaccel dos rate add source any pkt-rate 100000

range:<MIN>[-<MAX>]

Specifies a range of IP addresses.

If <MAX> is not specified, then the range represents a single IP address.

Example:

fwaccel dos rate add source range:10.0.0.1-10.0.0.254 pkt-rate 100000

cidr:<ADDRESS>[/<MASK>]

Specifies a network using the CIDR notation.

If the mask parameter is not provided, then the expression represents a specific host address.

Example:

fwaccel dos rate add source cidr:10.0.0.0/24 service 6/22 pkt-rate 100000

cc:<COUNTRY_CODE>

Note - This parameter is not supported (Known Limitation PMTR-87460).

Two-letter code defined in ISO 3166-1 alpha-2.

The rule matches the country code to the IP addresses assigned to this country, based on the Geo IP database.

Example:

fwaccel dos rate add source cc:US pkt-rate 100000

asn:<AUTONOMOUS_SYSTEM_NUMBER>

Note - This parameter is not supported (Known Limitation PMTR-87460).

Valid value syntax is ASnnnn, where nnnn is a number unique to the specific organization.

The rule matches the AS number of the organization to the IP addresses that are assigned to this organization, based on the Geo IP database.

Example:

fwaccel dos rate add source asn:AS1234 pkt-rate 100000

source-negated {true | false}

If not specified, the default is "false".

When set to "true", it inverts the match condition such that the rule matches all source IP addresses except for the given value.

Example:

fwaccel dos rate add source-negated true source cidr:10.0.0.0/8 pkt-rate 100000

The destination match conditions are used to specify which destination IP addresses match the rule.

The default value is "any".

Destination Description

any

Any/all source IP addresses match this DoS / Rate Limiting rule.

This is the default if no source match condition is specified.

Example:

fwaccel dos rate add destination any pkt-rate 100000

range:<MIN>[-<MAX>]

Specifies a range of IP addresses.

If <MAX> is not specified, then the range represents a single IP address.

Example:

fwaccel dos rate add destination range:10.0.0.1-10.0.0.254 pkt-rate 100000

cidr:<ADDRESS>[/<MASK>]

Specifies a network using the CIDR notation.

If the mask parameter is not provided, then the expression represents a specific host address.

Example:

fwaccel dos rate add destination cidr:10.0.0.0/24 service 6/22 pkt-rate 100000

cc:<COUNTRY_CODE>

Note - This parameter is not supported (Known Limitation PMTR-87460).

Two-letter code defined in ISO 3166-1 alpha-2.

The rule matches the country code to the IP addresses assigned to this country, based on the Geo IP database.

Example:

fwaccel dos rate add destination cc:US pkt-rate 100000

asn:<AUTONOMOUS_SYSTEM_NUMBER>

Note - This parameter is not supported (Known Limitation PMTR-87460).

Valid value syntax is ASnnnn, where nnnn is a number unique to the specific organization.

The rule matches the AS number of the organization to the IP addresses that are assigned to this organization, based on the Geo IP database.

Example:

fwaccel dos rate add destination asn:AS1234 pkt-rate 100000

source-negated {true | false}

If not specified, the default is "false".

When set to "true", it inverts the match condition such that the rule matches all source IP addresses except for the given value.

Example:

fwaccel dos rate add destination-negated true destination cidr:10.0.0.0/8 pkt-rate 100000

The service match conditions are used to specify which network services (meaning, <ipproto>:<port>) match the rule.

The default value is any protocol, any port.

Service Description

any

All IP protocols and ports match this DoS / Rate Limiting rule.

This is the default if no service match condition is specified.

Example:

fwaccel dos rate add source cidr:10.0.0.0/8 service any pkt-rate 100000

<PROTO>

IANA IP Protocol number. See IANA Protocol Numbers.

For example, "6" for TCP.

Causes this rule to apply only to the given protocol .

Valid values are 1 through 255.

Example:

fwaccel dos rate add source cidr:10.0.0.0/8 service 1 pkt-rate 100000

<MIN_PROTO>-<MAX_PROTO>

For example, "1-6" would specify all IP protocols with numbers between 1 and 6.

Causes this rule to match all protocol numbers within the given range.

Example:

fwaccel dos rate add source cidr:10.0.0.0/8 service 1-6 pkt-rate 100000

<PROTO>/<PORT>

Only valid for the TCP and UDP protocols.

Causes the rule to match the specific IP protocol and destination port number.

Example:

fwaccel dos rate add source cidr:10.0.0.0/8 service 6/22 pkt-rate 100000

<PROTO>/<MIN_PORT>-<MAX_PORT>

Only valid for the TCP and UDP protocols.

Causes the rule to match the specific IP protocol, and range of destination port numbers.

Example:

fwaccel dos rate add source cidr:10.0.0.0/8 service 6/0-1024 pkt-rate 100000

service-negated {true | false}

If not specified, the default is "false".

When set to "true", it inverts the match condition such that the rule matches all services/ports except for the given value.

Example:

fwaccel dos rate add source cidr:10.0.0.0/8 service-negated true service 6/0-1024 pkt-rate 100000

The limit defines the trigger threshold for a policy rule (for example, maximum allowable packets-per-second).

Only a single limit is allowed for each rule.

Limit Description

concurrent-conns

Maximum number of simultaneously active connections allowed by this rule.

Example:

fwaccel dos rate add source cidr:10.0.0.0/8 service 6/22 concurrent-conns 5000

concurrent-conns-ratio

Limit the maximum number of connections to a percentage of the total number of active connections passing through the Security Gateway.

The value is expressed as a ratio in parts-per-65536.

For example, a value of 6553, would allow a ratio of about 10%.

Note - To prevent false positives, a global minimum of 1000 connections must be simultaneously active (within the specific Security Gateway) before this limit will activate.

Example:

fwaccel dos rate add source cidr:10.0.0.0/8 service 6/22 concurrent-conns-ratio 6553

new-conn-rate

Maximum number of connections-per-second allowed by this rule.

The minimum value is 1.

Example:

fwaccel dos rate add source cidr:10.0.0.0/8 service 6/22 new-conn-rate 100

new-conn-rate-ratio

Limit the maximum connections-per-second to a percentage of the total connections-per-second passing through the Security Gateway.

The value is expressed as a ratio in parts-per-65536.

For example, a value of 6553, would allow a ratio of about 10%.

Note - To prevent false positives, a global minimum of 100 new connections-per-second must flow through the Security Gateway before this limit will activate.

Example:

fwaccel dos rate add source cidr:10.0.0.0/8 service 6/22 new-conn-rate-ratio 6553

pkt-rate

Maximum number of packets-per-second allowed by this rule.

A value of zero will block all traffic that matches this rule.

Example:

fwaccel dos rate add source cidr:10.0.0.0/8 service 6/22 pkt-rate 5000

pkt-rate-ratio

Limit the maximum packets-per-second to a percentage of the total packets-per-second passing through the Security Gateway.

The value is expressed as a ratio in parts-per-65536.

For example, a value of 6553, would allow a ratio of about 10%.

Note - To prevent false positives, a global minimum of 1000 packets-per-second must flow through the Security Gateway before this limit will activate.

Example:

fwaccel dos rate add source cidr:10.0.0.0/8 service 6/22 pkt-rate-ratio 6553

byte-rate

Maximum number of bytes-per-second allowed by this rule.

A value of zero will block all traffic that matches this rule.

Example:

fwaccel dos rate add source cidr:10.0.0.0/8 service 6/22 byte-rate 500000

byte-rate-ratio

Limit the maximum bytes-per-second to a percentage of the total bytes-per-second passing through the Security Gateway.

The value is expressed as a ratio in parts-per-65536.

For example, a value of 6553, would allow a ratio of about 10%.

Note - To prevent false positives, a global minimum of 100000 bytes-per-second must flow through the Security Gateway before this limit will activate.

Example:

fwaccel dos rate add source cidr:10.0.0.0/8 service 6/22 byte-rate-ratio 6553

The tracking mode controls how the limits are applied to traffic that matches the rule.

Tracking Mode Description

Default (no tracking)

The all traffic matching the rule is blocked if the rule is violated

Example:

fwaccel dos rate add source cidr:10.0.0.0/8 service 6/22 new-conn-rate 100

source

Each source IP address is tracked separately.

If traffic from a given source IP address violates this rule, only that source IP address is blocked.

Also, one source IP will not affect the rate limit counters of another source IP.

Example:

fwaccel dos rate add source cidr:10.0.0.0/8 service 6/22 new-conn-rate 100 track source

source-service

Each source IP address plus service is tracked separately.

If traffic from a given source IP and service violates this rule, only that specific service and source IP are blocked.

Other services from the same source IP are unaffected by the rule (unless they violate the rule also).

Example:

fwaccel dos rate add source cidr:10.0.0.0/8 service 6/22 new-conn-rate 100 track source-service

destination

Each destination IP address is tracked separately.

If traffic to a given destination IP address violates this rule, only that destination IP address is blocked.

Also, one destination IP will not affect the rate limit counters of another destination IP.

Example:

fwaccel dos rate add source cidr:10.0.0.0/8 service 6/22 new-conn-rate 100 track destination

destination-service

Each destination IP address plus service is tracked separately.

If traffic to a given destination IP and service violates this rule, only that specific service and destination IP are blocked.

Other services for the same destination IP are unaffected by the rule (unless they violate the rule also).

Example:

fwaccel dos rate add source cidr:10.0.0.0/8 service 6/22 new-conn-rate 100 track destination-service

Adding IPv4 rules in a batch mode to the Rate Limiting policy

  1. Add the list of rules to a plain-text file (one rule on each line).

    Remove the "fwaccel dos rate add" command prefix from each rule.

    Example:

    service any source cidr:192.168.2.0/24 pkt-rate 1000

    service any source cidr:192.168.2.17 concurrent-conns 150

  2. Use the batch command to load the file:

    {fwaccel | fwaccel6} dos rate add batch /<Path>/<Name of File>

    Example:

    fwaccel dos rate add batch /var/log/rule_config.txt

Viewing information about the rules the Rate Limiting policy

Syntax:

{fwaccel | fwaccel6} dos rate

      get --help

      get {-r | -l | -o /<Path>/<Name of File>}

      get [-n] -u '<Rule UID>'

      get [-n] -k <Search Key>

      get [-n] -v <Search Value>

      get --show-tab

      get --show-counters

Parameters:

Parameter Description

--help}

Shows the applicable built-in usage.

-r

Shows parameters of each rule in the legacy form - each entire rule on a separate line.

This is the default output format.

Example:

operation=add uid=<66b101e7,00000000,cd18e2cd,000019bf> target=all timeout=none action=drop log=regular source=cidr:192.168.17.2 service=6/22 concurrent-conns=5

-l

Shows parameters of each rule on separate lines.

Example:

uid
<66b101e7,00000000,cd18e2cd,000019bf>
target
all
timeout
2147483647
action
drop
log
regular
source
cidr:192.168.17.2
service
6/22
concurrent-conns
5

-o /<Path>/<Name of File>

Saves the output in the specified file.

Format of the rules will be similar to what is expected to add rules in the Batch Mode.

-n

Negates the search expression.

-u '<Rule UID>'

Specifies the Rule UID to show only a specific rule.

Important - The quote marks (single or double) and angle brackets ('<...>') are mandatory.

To see the UID for each rule, run:

{fwaccel | fwaccel6} dos rate get

-k <Search Key>

The search key.

One of these:

  • source
  • destination
  • service
  • concurrent-conns
  • concurrent-conns-ratio
  • pkt-rate
  • pkt-rate-ratio
  • byte-rate
  • byte-rate-ratio
  • new-conn-rate
  • new-conn-rate-ratio

-v <Search Value>

Specifies the search value.

--show-tab

Also shows the output of the "fwaccel tab" command. See fwaccel tab.

--show-counters

Also shows the output of the "fwaccel dos rate counters" command.

Examples:

  • Show all DoS / Rate Limiting rules:

    [Expert@MyGW:0]# fwaccel dos rate get

    fwaccel dos rate add -i '<66b101e7,00000000,cd18e2cd,000019bf>' -action drop -log regular source cidr:192.168.17.2 service 6/22 concurrent-conns 5

    fwaccel dos rate add -i '<66ad0499,00000000,cd18e2cd,0000677f>' -action notify -log regular source cidr:10.10.10.10 pkt-rate 20 service any

    fwaccel dos rate add -i '<66ad0470,00000000,cd18e2cd,00006683>' -action notify -log regular source cidr:1.1.1.10 pkt-rate 20 service any

    (3 rules found)

    [Expert@MyGW:0]#

  • Show all DoS / Rate Limiting rules other than ("not") rules with the source value of "cidr:1.1.1.10":

    [Expert@MyGW:0]# fwaccel dos rate get -n -k source -v cidr:1.1.1.10

    fwaccel dos rate add -i '<66b101e7,00000000,cd18e2cd,000019bf>' -action drop -log regular source cidr:192.168.17.2 service 6/22 concurrent-conns 5

    fwaccel dos rate add -i '<66ad0499,00000000,cd18e2cd,0000677f>' -action notify -log regular source cidr:10.10.10.10 pkt-rate 20 service any

    (2 rules found)

    [Expert@MyGW:0]#

  • Show all DoS / Rate Limiting rules with the service value of "6/22":

    [Expert@MyGW:0]# fwaccel dos rate get -k service -v 6/22

    fwaccel dos rate add -i '<66b101e7,00000000,cd18e2cd,000019bf>' -action drop -log regular source cidr:192.168.17.2 service 6/22 concurrent-conns 5

    (1 rules found)

    [Expert@MyGW:0]#

Viewing DoS / Rate Limiting Counters

Syntax:

{fwaccel | fwaccel6} dos rate

      counters --help

      counters

      counters '<Rule Index>'

      counters '<Rule UID>'

Parameters:

Parameter Description

--help}

Shows the applicable built-in usage.

counters '<Rule Index>'

Shows counters for the specified rule.

The "<Rule Index>" value is assigned automatically when you add a rule - this is the rule's ordinal number.

To see the Index for each rule, run:

{fwaccel | fwaccel6} dos rate get

Notes:

  • The count starts from the top from the number one.

  • Use the special Rule Index value "0" to see the global counters.

    These counters are used for ratio calculations.

    For example, when a rule includes a "pkt-rate-ratio" limit.

counters '<Rule UID>'

Shows counters for the specified rule.

The "<Rule Index>" value is assigned automatically when you add a rule.

To see the UID for each rule, run:

{fwaccel | fwaccel6} dos rate get

Notes:

Examples:

  • Show the global counters (the Rule Index "0"):

    [Expert@MyGW:0]# fwaccel dos rate counters 0
(Global Counters)
Concurrent Connections             0
Connection Rate                    0
Packets                            0
Bytes                              0
[Expert@MyGW:0]#

  • Show counters for the rule with the Rule Index "1":

    [Expert@MyGW:0]# fwaccel dos rate counters 1

Rule UID                           <66b101e7,00000000,cd18e2cd,000019bf>
Policy                             1
FW Index                           1
SecureXL Index                     1
Timeout                            unlimited
Max Concurrent Connections         5
New Connection Rate                unlimited
Packet Rate                        unlimited
Byte Rate                          unlimited
Max Concurrent Connections Ratio   unlimited
New Connection Rate Ratio          unlimited
Packet Rate Ratio                  unlimited
Byte Rate Ratio                    unlimited
Action                             drop
Log Type                           regular
Concurrent Connections             0
Connection Rate                    0
Packets                            0
Bytes                              0
Packets Dropped                    0 (since ratelimiting policy installed)
Packets Matched                    0 (since ratelimiting policy installed)
Violated Limits                    (none)
[Expert@MyGW:0]#