fwaccel synatk allow

In the R81.10.X releases, this command is available starting from the R81.10.00 version.

Description

The "fwaccel synatk allow" and "fwaccel6 synatk allow" commands control the Accelerated SYN Defender allow-list.

Important - In Cluster, you must configure the Rate Limiting in the same way on all the Cluster Members.

Notes:

  • This allow-list overrides which packets the Accelerated SYN Defender drops. Before you use 3rd-party or automatic block-lists, add trusted networks and hosts to the allow-list to avoid outages.

  • Also, see the fwaccel dos allow command.

Syntax for IPv4

fwaccel synatk allow

      -a <IPv4 Address>[/<Subnet Prefix>]

      -d <IPv4 Address>[/<Subnet Prefix>]

      -F

      -l /<Path>/<Name of File>

      -L

      -s

Syntax for IPv6

fwaccel6 synatk allow

      -a <IPv6 Address>[/<Subnet Prefix>]

      -d <IPv6 Address>[/<Subnet Prefix>]

      -F

      -l /<Path>/<Name of File>

      -L

      -s

Parameters

Parameter

Description

No Parameters

Shows the applicable built-in usage.

-a <IPv4 Address>[/<Subnet Prefix>]

Adds the specified IPv4 address to the Accelerated SYN Defender allow-list.

  • <IPv4 Address>

    Can be an IPv4 address of a network or a host.

  • <Subnet Prefix>

    Must specify the length of the subnet mask in the format /<bits>.

    Optional for a host IPv4 address.

    Mandatory for a network IPv4 address.

    Range - from /1 to /32.

    Important - If you do not specify the subnet prefix explicitly, this command uses the subnet prefix /32.

Examples:

  • For a host:

    192.168.20.30

    192.168.20.30/32

  • For a network:

    192.168.20.0/24

-a <IPv6 Address>[/<Subnet Prefix>]

Adds the specified IPv6 address to the Accelerated SYN Defender allow-list.

  • <IPv6 Address>

    Can be an IPv6 address of a network or a host.

  • <Subnet Prefix>

    Must specify the length of the subnet mask in the format /<bits>.

    Optional for a host IPv6 address.

    Mandatory for a network IPv6 address.

    Range - from /1 to /128.

    Important - If you do not specify the subnet prefix explicitly, this command uses the subnet prefix /128.

Examples:

  • For a host:

    2001:0db8:85a3:0000:0000:8a2e:0370:7334

    2001:0db8:85a3:0000:0000:8a2e:0370:7334/128

  • For a network:

    2001:cdba:9abc:5678::/64

-d <IPv4 Address>[/<Subnet Prefix>]

Removes the specified IPv4 address from the Accelerated SYN Defender allow-list.

  • <IPv4 Address>

    Can be an IPv4 address of a network or a host.

  • <Subnet Prefix>

    Must specify the length of the subnet mask in the format /<bits>.

    Optional for a host IPv4 address.

    Mandatory for a network IPv4 address.

    Range - from /1 to /32.

    Important - If you do not specify the subnet prefix explicitly, this command uses the subnet prefix /32.

-d <IPv6 Address>[/<Subnet Prefix>]

Removes the specified IPv6 address from the Accelerated SYN Defender allow-list.

  • <IPv6 Address>

    Can be an IPv6 address of a network or a host.

  • <Subnet Prefix>

    Must specify the length of the subnet mask in the format /<bits>.

    Optional for a host IPv6 address.

    Mandatory for a network IPv6 address.

    Range - from /1 to /128.

    Important - If you do not specify the subnet prefix explicitly, this command uses the subnet prefix /128.

-F

Removes (flushes) all entries from the Accelerated SYN Defender allow-list.

-l /<Path>/<Name of File>

Loads the Accelerated SYN Defender allow-list entries from the specified plain-text file.

Note - To replace the current allow-list with the contents of a new file, use both the -F and -l parameters on the same command line.

Important:

  • You must manually create and configure this file with the touch or vi command.

  • You must assign at least the read permission to this file with the chmod +x command.

  • Each entry in this file must be on a separate line.

  • Each entry in this file must be in this format:

    <IPv4 Address>[/<Subnet Prefix>]

  • SecureXL ignores empty lines and lines that start with the # character in this file.

-L

Loads the Accelerated SYN Defender allow-list entries from the plain-text file with a predefined name:

$FWDIR/conf/synatk-allow-list-v4.conf

During each boot, the Security Gateway automatically runs the "{fwaccel | fwaccel6} synatk allow -L" commands.

Note - To replace the current allow-list with the contents of a new file, use both the "-F" and "-L" parameters on the same command line.

Important:

  • This file does not exist by default.

  • You must manually create and configure this file with the touch or vi command.

  • You must assign at least the read permission to this file with the chmod +x command.

  • Each entry in this file must be on a separate line.

  • Each entry in this file must be in this format:

    <IPv4 Address>[/<Subnet Prefix>]

  • SecureXL ignores empty lines and lines that start with the # character in this file.
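The entry rules given for the -a/-d parameters and for the -l/-L files (one entry per line, empty lines and lines starting with # ignored, host entries defaulting to /32 or /128, network entries carrying a prefix in the range /1-/32 or /1-/128) can be checked before the file is loaded, so that a malformed allow-list does not leave a trusted network unprotected. The validator below is an added example written for this page, not Check Point's code; the sample file contents are constructed, the file path is a placeholder, and the decision to reject an entry whose address has host bits set under its prefix is this validator's own assumption rather than something the page states.

```python
"""Validate a SecureXL SYN Defender allow-list file before loading it with -F -l.

The rules mirrored here are the ones the fwaccel/fwaccel6 reference states:
one entry per line; '#' comment lines and empty lines are ignored; a host may
omit its prefix (default /32 for IPv4, /128 for IPv6); a prefix must be in
/1-/32 (IPv4) or /1-/128 (IPv6).
"""
import ipaddress
from typing import List, Tuple


def normalize_entry(entry: str, want_version: int) -> str:
    """Return the canonical '<address>/<prefix>' form of one allow-list entry.

    Raises ValueError for anything the gateway documentation would reject.
    want_version is 4 for the fwaccel (IPv4) list, 6 for the fwaccel6 (IPv6) list.
    """
    addr_text, sep, prefix_text = entry.partition("/")
    addr = ipaddress.ip_address(addr_text)            # ValueError on malformed text
    if addr.version != want_version:
        raise ValueError(f"{entry}: IPv{addr.version} entry in an IPv{want_version} list")
    max_len = addr.max_prefixlen                       # 32 or 128
    if sep:
        if not prefix_text.isdigit():
            raise ValueError(f"{entry}: prefix must be given as /<bits>")
        prefix = int(prefix_text)
        if not 1 <= prefix <= max_len:
            raise ValueError(f"{entry}: prefix must be in /1-/{max_len}")
    else:
        prefix = max_len                               # host default: /32 or /128
    # Assumption of this validator (not stated on the page): an address with host
    # bits set under its prefix is rejected, because a prefix-less entry is a single
    # host and a network entry should name the network address. strict=True makes
    # ip_network raise ValueError in that case.
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=True))


def parse_allow_list(text: str, want_version: int = 4) -> Tuple[List[str], List[str]]:
    """Parse file contents; return (normalized valid entries, error messages)."""
    valid, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):           # SecureXL ignores these lines
            continue
        try:
            valid.append(normalize_entry(line, want_version))
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return valid, errors


def load_command(path: str, want_version: int = 4) -> str:
    """Command line that replaces the current allow-list with the file (page's -F -l note)."""
    tool = "fwaccel" if want_version == 4 else "fwaccel6"
    return f"{tool} synatk allow -F -l {path}"


# Constructed sample file contents (not from the page): valid entries first,
# then one mistake of each kind the validator reports.
SAMPLE_V4 = """\
# trusted management networks
192.168.20.0/24
192.168.40.55
192.168.40.55/32

# mistakes the validator should catch
172.16.5.0/40
192.168.30.7/24
2001:db8::1
not-an-address
"""

if __name__ == "__main__":
    entries, problems = parse_allow_list(SAMPLE_V4, want_version=4)
    for problem in problems:
        print("REJECT", problem)
    for entry in entries:
        print("OK    ", entry)
    if not problems:
        # Placeholder path; only load the file once the validator reports no errors.
        print(load_command("/var/tmp/synatk-allow-v4.conf", 4))
```

The script refuses to print the load command while any line is rejected, so the -F flush never runs against a file that would silently drop a trusted network; the validator's own strict check on host bits is the one rule that goes beyond the page, and can be relaxed to strict=False if the gateway is confirmed to accept such entries.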

-s

Shows the current Accelerated SYN Defender allow-list entries.

Example

[Expert@MyGW]# fwaccel synatk allow -a 192.168.20.0/24
[Expert@MyGW]# fwaccel synatk allow -s
192.168.20.0/24
[Expert@MyGW]# fwaccel synatk allow -d 192.168.20.0/24
[Expert@MyGW]#
[Expert@MyGW]# fwaccel synatk allow -a 192.168.40.55
[Expert@MyGW]# fwaccel synatk allow -s
192.168.40.55/32
[Expert@MyGW]# fwaccel synatk allow -d 192.168.40.55