fwaccel dos deny

Description

The "fwaccel dos deny" (for IPv4) and "fwaccel6 dos deny" (for IPv6) commands control the IP deny-list in SecureXL (the Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through the Security Gateway).

The deny-list blocks all traffic to and from the specified IP addresses.

The deny-list drops occur in SecureXL, which is more efficient than an Access Control Policy to drop the packets.


Syntax

{fwaccel | fwaccel6} dos deny

      {-h | --help}

      allow

            {-h | --help}

            {-a | --add} <IP Address>[/<Subnet Mask Length>]

            {-d | --delete} <IP Address>[/<Subnet Mask Length>]

            {-F | --flush}

            {-l | --load} /<Path>/<Name of File>

            {-s | --show}

      {-a | --add} <IP Address>

      {-c | --show-config}

      {-d | --delete} <IP Address>

      {-E | --set-enabled} {on | off}

      {-F | --flush}

      {-G | --set-log-drops} {on | off}

      {-I | --set-enforce-internal} {on | off}

      {-l | --load} /<Path>/<Name of File>

      {-L | --load-default}

      {-M | --set-monitor-only} {on | off}

      {-N | --set-name} "<Name of IP Deny-list>"

      {-O | --set-notif-rate} <Number>

      {-R | --set-tcp-rst} {on | off}

      {-s | --show}

Parameters

Parameter

Description

No Parameters

Shows the applicable built-in usage.

-h

--help

Shows the applicable built-in usage.

allow <options>

Adds an IP address of a host or a network to a persistent "Allow List", so this IP address is not affected by the DoS / Rate Limiting protection:

  • -h

    --help

    Shows the applicable built-in usage.

  • -a <IP Address>[/<Subnet Mask Length>]

    --add <IP Address>[/<Subnet Mask Length>]

    Adds an IP address in the CIDR notation to the override allow-list.

    • <IP Address>

      The IP address of a network or a host.

    • /<Subnet Mask Length>

      Specifies the length of the subnet mask, from /1 to /32.

      Optional for a host IP address.

      Mandatory for a network IP address.

      Important - If you do not specify the subnet mask length explicitly, this command uses the subnet mask length /32.

  • -d <IP Address>[/<Subnet Mask Length>]

    --delete <IP Address>[/<Subnet Mask Length>]

    Deletes an IP address in the CIDR notation from the override allow-list.

  • -F

    --flush

    Removes (flushes) all IP addresses from the override allow-list.

  • -l /<Path>/<Name of File>

    --load /<Path>/<Name of File>

    Loads the IP addresses into the override allow-list from the specified file.

    This file must contain IP addresses of hosts or networks in the CIDR notation, each IP address on a new line.

  • -s

    --show

    Shows the configured allow-list.

-a <IP Address>

--add <IP Address>

Adds the specified IP address to the deny-list.

Note - To add more than one IP address, run this command for each applicable IP address.

-c

--show-config

Shows the current configuration.

-d <IP Address>

--delete <IP Address>

Removes the specified IP address from the deny-list.

Note - To remove more than one IP address, run this command for each applicable IP address.

-E {on | off}

--set-enabled {on | off}

Enables (on) or disables (off) the feature.

Notes:

  • By default, the IP deny-list feature is enabled without a Rate Limiting policy.

  • This change survives a reboot.

-F

--flush

Removes (flushes) all IP addresses from the IP deny-list.

Notes:

  • You can use this parameter "{-F | --flush}" with the parameter "{-a | --add}".

  • You can use this parameter "{-F | --flush}" with the parameter "{-d | --delete}".

  • You can use this parameter "{-F | --flush}" with the parameter "{-l | --load}".

-G {on | off}

--set-log-drops {on | off}

Enables (on) or disables (off) the logging of packet drops.


-I {on | off}

--set-enforce-internal {on | off}

Enables (on) or disables (off) the enforcement on interfaces whose topology is configured as "Internal" in the Security Gateway object.

Notes:

  • By default, DoS / Rate Limiting enforcement is disabled on interfaces, for which you configured the "Internal" topology in the Security Gateway / Cluster object.

    This is because the internal interfaces are assumed to be connected to trusted networks.

  • This change survives a reboot.

-l /<Path>/<Name of File>

--load /<Path>/<Name of File>

Loads the IP addresses from the specified file.

When dealing with large deny lists, the "add" command is cumbersome.

Running a large number of "add" commands simultaneously (for example, with a shell script) can cause additional load on the Security Gateway's CPU.

To configure large deny lists, it is better to add the list of IP addresses in a file, and then load the file in a single operation.

Notes:

  • This file must contain IP addresses of hosts or networks in the CIDR notation, each IP address on a new line.

  • To add a comment line, it must start with the pound character "#".

  • The "fwaccel" command silently ignores all IPv6 addresses in the file.

  • The "fwaccel6" command silently ignores all IPv4 addresses in the file.

  • You may load multiple files at the same time.

-L

--load-default

Loads all files from the $FWDIR/conf/deny_lists/ directory into the IP deny-list.

Note - The Security Gateway runs this command automatically during each boot.
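Because "fwaccel" silently ignores IPv6 entries and "fwaccel6" silently ignores IPv4 entries, a mixed list loaded with "-l" loses entries without any error. The following added example (not Check Point's code) splits one mixed list into a per-family file for each command, keeps "#" comment lines, and counts lines that match neither family so that typos do not disappear silently. The sample input is constructed; the gateway commands and the $FWDIR/conf/deny_lists/ copy that would make the lists load at boot via "-L" are only printed, not executed, so the script runs anywhere. The regular expressions are a rough shape check, not a full address validator.

```shell
#!/bin/sh
# Added example, not part of the Check Point documentation.
# Splits a mixed IPv4/IPv6 deny list into the two files that
# "fwaccel dos deny -l" and "fwaccel6 dos deny -l" expect.

# write_sample_list <file>: constructed sample input, one entry per line.
write_sample_list() {
    cat > "$1" <<'EOF'
# Constructed sample deny list (documentation addresses only)
198.51.100.7
203.0.113.0/24
2001:db8::/32
2001:db8:1::5
not-an-address
10.0.0.0/8
EOF
}

# split_deny_list <input> <ipv4-out> <ipv6-out>
# Comment and blank lines are copied to both outputs. Prints the number
# of non-comment lines that matched neither family.
split_deny_list() {
    in=$1; v4=$2; v6=$3
    : > "$v4"; : > "$v6"
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*)
                printf '%s\n' "$line" >> "$v4"
                printf '%s\n' "$line" >> "$v6"
                continue ;;
        esac
        # Rough IPv4 check: four dotted numbers, optional /1 to /32.
        if printf '%s\n' "$line" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([1-9]|[12][0-9]|3[0-2]))?$'; then
            printf '%s\n' "$line" >> "$v4"
        # Rough IPv6 check: hex digits and colons, optional /1 to /128.
        elif printf '%s\n' "$line" | grep -Eq '^[0-9A-Fa-f:]+(/([1-9]|[1-9][0-9]|1[01][0-9]|12[0-8]))?$'; then
            printf '%s\n' "$line" >> "$v6"
        else
            bad=$((bad + 1))
        fi
    done < "$in"
    echo "$bad"
}

# count_entries <file>: number of lines that are neither comments nor blank.
count_entries() {
    grep -cEv '^(#|$)' "$1"
}

# Stand-alone demo: split the constructed list in a temporary directory
# and print the gateway commands an operator would run next.
work=$(mktemp -d)
write_sample_list "$work/mixed.txt"
skipped=$(split_deny_list "$work/mixed.txt" "$work/deny_v4.txt" "$work/deny_v6.txt")
echo "IPv4 entries: $(count_entries "$work/deny_v4.txt")"
echo "IPv6 entries: $(count_entries "$work/deny_v6.txt")"
echo "Unparseable lines skipped: $skipped"
# FWDIR is set on a Security Gateway; the placeholder keeps this runnable elsewhere.
deny_dir="${FWDIR:-/PLACEHOLDER_FWDIR}/conf/deny_lists"
echo "On the gateway, load once:  fwaccel dos deny -l $work/deny_v4.txt"
echo "                            fwaccel6 dos deny -l $work/deny_v6.txt"
echo "To persist across reboots:  cp $work/deny_v4.txt $work/deny_v6.txt $deny_dir/"
```

Check the skipped-line count before loading anything; a non-zero value means the list contains an entry that neither command would have accepted. Keeping the per-family files under $FWDIR/conf/deny_lists/ relies on the documented behaviour that "-L" reloads that directory at each boot.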

-M {on | off}

--set-monitor-only {on | off}

Enables (on) or disables (off) the monitor-only mode for the IP deny-list.

In the monitor-only mode you can test the IP deny-list without blocking the traffic.

The Security Gateway does not block traffic, but still generates a log.


-N "<Name of IP Deny-list>"

--set-name "<Name of IP Deny-list>"

Configures the name for the IP deny-list.

This name appears in the Security Gateway logs.

Notes:

  • The default name is "Deny List".

  • This change survives a reboot.

  • Maximum name length is 79 characters.

  • You must use only ASCII characters.

-O <Number>

--set-notif-rate <Number>

Configures the maximum number of logs per second for packet drops.

When DoS / Rate Limiting blocks many packets, it can be important to limit the maximum number of the drop logs that the Security Gateway generates per second.

Notes:

  • The default logging rate is 100 logs/second.

  • This change survives a reboot.

-R {on | off}

--set-tcp-rst {on | off}

Enables (on) or disables (off) the response with the TCP [RST] packet for TCP connections that the IP deny-list blocked.

Notes:

  • By default, SecureXL does not send the TCP [RST] packet for blocked TCP connections.

  • This change survives a reboot.

-s

--show

Shows the IP addresses in the IP deny-list.

Example from a non-VSX Gateway

[Expert@MyGW:0]# fwaccel dos deny -c
Deny List:
    Status                            on (without policy)
    Internal Interfaces               off
    Monitor-Only                      off
    Log Drops                         on
    Max Notifications Per-Second      100 logs/second
    Send TCP Reset                    off
    Name                              Deny List
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
The deny list is empty
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -a 1.1.1.1
Adding 1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
1.1.1.1
[Expert@MyGW:0]# fwaccel dos deny -a 2.2.2.2
Adding 2.2.2.2
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
2.2.2.2
1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -d 2.2.2.2
Deleting 2.2.2.2
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -F
All deny list entries deleted
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
The deny list is empty
[Expert@MyGW:0]#