Hello,
From time to time some legitimate hosts/networks fall into SAM :-(. Is it possible to enter SAM rule exceptions (the same idea as in IPS network exceptions)?
Best regards
Mariusz
CPUG: The Check Point User Group
Resources for the Check Point Community, by the Check Point Community.
It is better to not use SAM at all. However, you can create an indefinite SAM rule allowing traffic for your legitimate hosts. The main issue here is that it sits before any other policy rule. I would avoid that by any means if I were you.
Suspicious Activity Rules were originally intended to be used temporarily in an IDS intruder shunning situation and to be fast-acting (i.e. a policy install is not required to enforce them). There is no way to define an exception to these that I can see.
If you ever want to play a joke on your arrogant colleague who claims to know everything about Check Point (and lets you know about it daily), add a SAM rule via SmartView Monitor for his workstation address source IP, set the Action to Drop, and Track to None. :-) Nothing short of a "fw ctl zdebug drop" can uncover why the heck he can't seem to pass any traffic through the firewall. And even the zdebug saying "SAM drop" or whatever may not mean anything to your colleague if he is not aware of the SAM mechanism...
Who needs to use SmartView Monitor for this when you can use "fw sam" to do this?
http://phoneboy.org
Unless otherwise noted, views expressed are my own