fwaccel ranges

In the R81.10.X releases, this command is available starting from the R81.10.00 version.

Description

The "fwaccel ranges" and "fwaccel6 ranges" commands show the SecureXL loaded ranges:

  • Ranges of Rule Base source IP addresses

  • Ranges of Rule Base destination IP addresses

  • Ranges of Rule Base destination ports and protocols

The Security Gateway creates these ranges during the policy installation.

The Firewall creates and offloads ranges to SecureXL when any of these feature is enabled:

  • Rulebase ranges for Drop Templates

  • Anti-Spoofing enforcement ranges on per-interface basis

  • NAT64 ranges

  • NAT46 ranges

These ranges are related to matching of connections to SecureXL Drop Templates.

These ranges represent the Source, Destination and Service columns of the Rule Base.

These ranges are not exactly the same as the Rule Base, because as there are objects that cannot be represented as real (deterministic) IP addresses.

For example, Domain objects and Dynamic objects.

The Security Gateway converts such non-deterministic objects to "Any" IP address.

In addition, implied rules are represented in these ranges, except for some specific implied rules.

You can use these commands for troubleshooting.

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Syntax for IPv4

fwaccel ranges

      -h

      -a

      -l

      -p <Range ID>

      -s <Range ID>

Syntax for IPv6

fwaccel6 ranges

      -h

      -a

      -l

      -p <Range ID>

      -s <Range ID>

Parameters

Parameter

Description

-h

Shows the applicable built-in usage.

-a

or

No Parameters

Shows the full information for all loaded ranges.

Note - In the list of SecureXL Drop Templates (output of the fwaccel templates command), each Drop Template is assembled from ranges indexes. To see mapping between range index and the range itself, run this command "fwaccel ranges -a". This way you understand better the practical ranges for Drop Templates and when it is appropriate to use them.

-l

Shows the list of loaded ranges:

  • 0 - Ranges of Rule Base source IP addresses

  • 1 - Ranges of Rule Base destination IP addresses

  • 2 - Ranges of Rule Base destination ports and protocols

-p <Range ID>

Shows the full information for the specified range.

-s <Range ID>

Shows the summary information for the specified range.

Examples

[Expert@MyGW]# fwaccel ranges -l
SecureXL device 0:
        0 Rule base source ranges (ip):
        1 Rule base destination ranges (ip):
        2 Rule base dport ranges (port, proto):
[Expert@MyGW]#
 
[Expert@MyGW]# fwaccel ranges
SecureXL device 0:
    Rule base source ranges (ip):
        (0) 0.0.0.0 - 192.168.204.0
        (1) 192.168.204.1 - 192.168.204.1
        (2) 192.168.204.2 - 192.168.204.39
        (3) 192.168.204.40 - 192.168.204.40
        (4) 192.168.204.41 - 192.168.254.39
        (5) 192.168.254.40 - 192.168.254.40
        (6) 192.168.254.41 - 255.255.255.255
    Rule base destination ranges (ip):
        (0) 0.0.0.0 - 192.168.204.0
        (1) 192.168.204.1 - 192.168.204.1
        (2) 192.168.204.2 - 192.168.204.39
        (3) 192.168.204.40 - 192.168.204.40
        (4) 192.168.204.41 - 192.168.254.39
        (5) 192.168.254.40 - 192.168.254.40
        (6) 192.168.254.41 - 255.255.255.255
    Rule base dport ranges (port, proto):
        (0) 0, 0 - 138, 6
        (1) 139, 6 - 139, 6
        (2) 140, 6 - 18189, 6
        (3) 18190, 6 - 18190, 6
        (4) 18191, 6 - 18191, 6
        (5) 18192, 6 - 18192, 6
        (6) 18193, 6 - 19008, 6
        (7) 19009, 6 - 19009, 6
        (8) 19010, 6 - 136, 17
        (9) 137, 17 - 138, 17
        (10) 139, 17 - 65535, 65535
[Expert@MyGW]#
 
[Expert@MyGW]# fwaccel ranges -p 0
SecureXL device 0:
    Rule base source ranges (ip):
        (0) 0.0.0.0 - 192.168.204.0
        (1) 192.168.204.1 - 192.168.204.1
        (2) 192.168.204.2 - 192.168.204.39
        (3) 192.168.204.40 - 192.168.204.40
        (4) 192.168.204.41 - 192.168.254.39
        (5) 192.168.254.40 - 192.168.254.40
        (6) 192.168.254.41 - 255.255.255.255
[Expert@MyGW]#
[Expert@MyGW]# fwaccel ranges -p 1
SecureXL device 0:
    Rule base destination ranges (ip):
        (0) 0.0.0.0 - 192.168.204.0
        (1) 192.168.204.1 - 192.168.204.1
        (2) 192.168.204.2 - 192.168.204.39
        (3) 192.168.204.40 - 192.168.204.40
        (4) 192.168.204.41 - 192.168.254.39
        (5) 192.168.254.40 - 192.168.254.40
        (6) 192.168.254.41 - 255.255.255.255
[Expert@MyGW]#
[Expert@MyGW]# fwaccel ranges -p 2
SecureXL device 0:
    Rule base dport ranges (port, proto):
        (0) 0, 0 - 138, 6
        (1) 139, 6 - 139, 6
        (2) 140, 6 - 18189, 6
        (3) 18190, 6 - 18190, 6
        (4) 18191, 6 - 18191, 6
        (5) 18192, 6 - 18192, 6
        (6) 18193, 6 - 19008, 6
        (7) 19009, 6 - 19009, 6
        (8) 19010, 6 - 136, 17
        (9) 137, 17 - 138, 17
        (10) 139, 17 - 65535, 65535
[Expert@MyGW]#
 
[Expert@MyGW]# fwaccel ranges -s 0
SecureXL device 0:
    List name "Rule base source ranges (ip):", ID 0, Number of ranges 7
[Expert@MyGW]#
[Expert@MyGW]# fwaccel ranges -s 1
SecureXL device 0:
    List name "Rule base destination ranges (ip):", ID 1, Number of ranges 7
[Expert@MyGW]#
[Expert@MyGW]# fwaccel ranges -s 2
SecureXL device 0:
    List name "Rule base dport ranges (port, proto):", ID 2, Number of ranges 11
[Expert@MyGW]#