CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

  #1 (permalink)  
Old 2008-11-17
Member
 
Join Date: 2006-10-07
Posts: 33
Rep Power: 0
brierw has an average reputation (10+)
Default Command Line

Hello,

I am looking for the syntax at the command line to block an individual IP on an R60 Checkpoint Cluster. Can anyone help me out with this?

We have Nokias clustered, running Checkpoint R60.
  #2 (permalink)  
Old 2008-11-17
Member
 
Join Date: 2008-03-15
Location: Mumbai
Posts: 94
Rep Power: 1
amol0009in_7 has an average reputation (10+)
Default Re: Command Line

I think you can use SmartDefense if you are already using it.
Or, more simply,
create an access list and apply it.
  #3 (permalink)  
Old 2008-11-17
Member
 
Join Date: 2006-10-07
Posts: 33
Rep Power: 0
brierw has an average reputation (10+)
Default Re: Command Line

I was looking to see if there was a Checkpoint or IPSO way to block an individual IP at the command line. It would likely be easier to block at the command line in the event we were getting attacked and the resources were high on the firewalls. :)
  #4 (permalink)  
Old 2008-11-17
Senior Member
 
Join Date: 2006-01-25
Posts: 1,004
Rep Power: 4
melipla has an average reputation (10+)
Default Re: Command Line

This command line should be able to do it "fw sam":

Quote:
# fw sam
Usage:
sam [-v] [-s <sam server>] [-S <server sic name>] [-f <fw host>][-t <timeout>] [-l <log>] [-C] [-e <key=val>]+ -{n|i|I|j|J} <criteria>

sam [-v] [-s <sam server>] [-S <server sic name>] [-f <fw host>] -M -ijnbq {<criteria> | all}

sam [-v] [-s <sam server>] [-S <server sic name>] [-f <fw host>] -D

Options:
-C: Cancel
-M: Monitor
-D: Delete all
-v: Verbose
-s: Server for connection
-S: SIC name of server
-f: Name of target host/group
-t: Timeout in seconds
-l: Either nolog, long_noalert or long_alert
-e: Rule information. Keys are: name, comment and originator
-i: Reject
-I: Reject and close
-j: Drop
-J: Drop and close
-n: Notify

Criteria:
src <ip>
dst <ip>
any <ip>
subsrc <ip> <net mask>
subdst <ip> <net mask>
subany <ip> <net mask>
srcdst <src ip> <dst ip>
srv <src ip> <dst ip> <service> <protocol>
subsrv <src ip> <net mask> <dst ip> <net mask> <service> <protocol>
subsrvs <src ip> <net mask> <dst ip> <service> <protocol>
subsrvd <src ip> <dst ip> <net mask> <service> <protocol>
srvpr <service> <protocol>
srcsrv <src ip> <service> <protocol>
dstsrv <dst ip> <service> <protocol>
subdstsrv <dst ip> <net mask> <service> <protocol>
srcpr <ip> <protocol>
dstpr <ip> <protocol>
subsrcpr <ip> <net mask> <protocol>
subdstpr <ip> <net mask> <protocol>
generic <key=val>+
#
If I remember correctly, if you don't specify a firewall host, it will attempt to apply the SAM (suspicious activity monitoring) to every firewall.
__________________
It's all in the documentation.
  #5 (permalink)  
Old 2008-11-18
Senior Member
 
Join Date: 2006-05-24
Location: India
Posts: 158
Rep Power: 3
vijayant has an average reputation (10+)
Default Re: Command Line

This will be in addition to the existing rule base or will replace that?
  #6 (permalink)  
Old 2008-11-18
Senior Member
 
Join Date: 2007-07-16
Posts: 687
Rep Power: 2
Thorpuse has an average reputation (10+)
Default Re: Command Line

Quote:
Originally Posted by vijayant
This will be in addition to the existing rule base or will replace that?

In addition. IIRC, SAM rules are processed before the rulebase (rule 0, essentially).
  #7 (permalink)  
Old 2008-11-24
Junior Member
 
Join Date: 2006-10-25
Posts: 16
Rep Power: 0
MoreBeer has an average reputation (10+)
Default Re: Command Line

I always loved blackhole routing problem children in the past. fw sam seems to work a lot better than it did in 4.1/NG however.
  #8 (permalink)  
Old 2008-12-01
Senior Member
 
Join Date: 2006-03-08
Posts: 122
Rep Power: 3
varera has an average reputation (10+)
Default Re: Command Line

Just my $0.05.

Use "fw sam..." with caution. You don't see the rules it makes in the rulebase, and you have to know you need to go to SVM to see them.

Use the command with the logging option; it will help with further troubleshooting.
__________________
-------------
Sincerely,
Valeri Loukine
CCMA-0019
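
A dry-run wrapper for the block discussed in this thread, as an added example that is not from any poster: it builds the "fw sam" command using only flags from the usage text quoted in post #4, with the logging option recommended in post #8. The PROTECTED list, the SAM_RUN switch, the function names and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Flags (-v -f -t -l -J, "src") come from the usage text quoted
# in the thread; PROTECTED, SAM_RUN and the function names are made up here.

# Addresses that must never be blocked (constructed sample values).
PROTECTED="192.0.2.1 192.0.2.2 192.0.2.10"

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        if [ "${#octet}" -gt 3 ] || [ "$octet" -gt 255 ]; then return 1; fi
    done
    return 0
}

# sam_block_cmd IP TARGET TIMEOUT: print the fw sam command line, or fail.
sam_block_cmd() {
    ip=$1; target=$2; timeout=$3
    is_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 2; }
    for p in $PROTECTED; do
        if [ "$ip" = "$p" ]; then
            echo "refusing to block protected address $ip" >&2; return 3
        fi
    done
    case "$target" in
        ""|*[!A-Za-z0-9_.-]*) echo "bad target name (-f)" >&2; return 4 ;;
    esac
    case "$timeout" in
        ""|0*|*[!0-9]*) echo "timeout must be a positive integer" >&2; return 5 ;;
    esac
    # -f: name of target host/group; -t: timeout in seconds, so the block ends
    # by itself; -l long_alert: logging option; -J: drop and close.
    echo "fw sam -v -f $target -t $timeout -l long_alert -J src $ip"
}

# sam_block: dry run by default; runs fw sam only when SAM_RUN=1.
sam_block() {
    cmd=$(sam_block_cmd "$@") || return $?
    if [ "${SAM_RUN:-0}" = 1 ]; then $cmd; else echo "dry run: $cmd"; fi
}

sam_block 203.0.113.45 fw-cluster 3600   # constructed sample values
```

The usage text in post #4 also lists -C (cancel) and -D (delete all) for taking blocks back out.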