CPUG: The Check Point User Group


Thread: fw samp in Bridge mode not working

  1. #1
    Join Date
    2012-06-13
    Posts
    343
    Rep Power
    6

    Default fw samp in Bridge mode not working

    Hi Guys,

    Can someone please confirm that fw samp rules can be enforced in Bridge mode? I mean, for testing purposes I set up bridge mode and am blocking certain IPs.

  2. #2
    Join Date
    2014-09-07
    Posts
    14
    Rep Power
    0

    Default Re: fw samp in Bridge mode not working

    Quote Originally Posted by blason View Post
    Hi Guys,

    Can someone please confirm that fw samp rules can be enforced in Bridge mode? I mean, for testing purposes I set up bridge mode and am blocking certain IPs.
    Hi blason

    Logically this should work, as even though this is treated as Layer 2 the frames going through the bridge still contain the IP header and thus SAMP could be used to block specific sources.
    Having said that I will consult our SMEs about it and provide a formal answer and add the information to our documentation.

    HTH,
    Uri

  3. #3
    Join Date
    2012-06-13
    Posts
    343
    Rep Power
    6

    Default Re: fw samp in Bridge mode not working

    Quote Originally Posted by urilewi View Post
    Hi blason

    Logically this should work, as even though this is treated as Layer 2 the frames going through the bridge still contain the IP header and thus SAMP could be used to block specific sources.
    Having said that I will consult our SMEs about it and provide a formal answer and add the information to our documentation.

    HTH,
    Uri
    You seem to be CP staff, are you? Well, I tried that setup but dang, it's not blocking. And do we need to provide an IP address in Bridge mode? I mean, I'm wondering: if I pull interfaces in the CP dashboard, where will policies be enforced?

  4. #4
    Join Date
    2014-09-07
    Posts
    14
    Rep Power
    0

    Default Re: fw samp in Bridge mode not working

    Quote Originally Posted by blason View Post
    You seem to be CP staff, are you? Well, I tried that setup but dang, it's not blocking. And do we need to provide an IP address in Bridge mode? I mean, I'm wondering: if I pull interfaces in the CP dashboard, where will policies be enforced?
    Yes, I'm CP staff

    Can you please post the SAMP command you used.
    As I mentioned before it should work as I would expect it to be the same as rulebase enforcement on a GW configured in bridge mode.

    Still validating.

    -Uri

  5. #5
    Join Date
    2012-06-13
    Posts
    343
    Rep Power
    6

    Default Re: fw samp in Bridge mode not working

    Hi There,

    Here is the command I used to block hosts using fw samp. I am using a script to block those addresses.

    fw samp add -a d -l r -t $timeout -c $comment quota service any source range:$line pkt-rate 0

    here is the output

    operation=add uid=<5a69edb3,0000129c,040510ac,0000223f> target=all timeout=3443 action=drop log=log comment=CPDBL_isnbotbl_block service=any source=range:158.140.183.3 pkt-rate=0 req_type=quota

    operation=add uid=<5a69edb3,0000129d,040510ac,0000223f> target=all timeout=3443 action=drop log=log comment=CPDBL_isnbotbl_block service=any source=range:158.140.184.126 pkt-rate=0 req_type=quota

  6. #6
    Join Date
    2012-06-13
    Posts
    343
    Rep Power
    6

    Default Re: fw samp in Bridge mode not working

    Hi urilewi,

    Have you had any luck with my query?

  7. #7
    Join Date
    2014-09-07
    Posts
    14
    Rep Power
    0

    Default Re: fw samp in Bridge mode not working

    Quote Originally Posted by blason View Post
    Hi urilewi,

    Have you had any luck with my query?
    Should have an answer for you later today

  8. #8
    Join Date
    2014-09-07
    Posts
    14
    Rep Power
    0

    Default Re: fw samp in Bridge mode not working

    Hi blason

    Took a little longer than I expected.
    This definitely works.

    The quota rules are not immediately applied to the Security Gateway. They are only registered in the Suspicious Activity Monitoring (SAM) policy database.
    To apply all the rules from the policy database immediately, in the fw samp add command syntax, add flush true.

    HTH
    Uri
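    The script command from post #5 with the flush true option from post #8 appended, written up as an added example (it is neither the poster's script nor Check Point code). It assumes expert mode on the gateway with fw in PATH; with the default DRY_RUN=1 it only prints the commands it would run.

```sh
#!/bin/sh
# Added example, not code from the thread: the poster's fw samp command from
# post #5 with the "flush true" option from post #8 appended, so the quota
# rule is enforced immediately instead of only registered in the SAM policy
# database. Assumes expert mode on the gateway with fw in PATH; DRY_RUN=1
# (the default) prints the commands instead of executing them.

DRY_RUN="${DRY_RUN:-1}"

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Build one drop rule: $1 timeout in seconds, $2 comment (no whitespace), $3 IP.
samp_block_cmd() {
  printf 'fw samp add -a d -l r -t %s -c %s quota service any source range:%s pkt-rate 0 flush true\n' \
    "$1" "$2" "$3"
}

# Read one IP per line from file $3, skip blank and invalid lines, and print
# (or, with DRY_RUN=0, execute) one rule per valid address.
samp_block_file() {
  timeout=$1
  comment=$2
  while IFS= read -r line || [ -n "$line" ]; do
    [ -n "$line" ] || continue
    if ! valid_ipv4 "$line"; then
      echo "skipping invalid address: $line" >&2
      continue
    fi
    cmd=$(samp_block_cmd "$timeout" "$comment" "$line")
    if [ "$DRY_RUN" = 1 ]; then
      echo "$cmd"
    else
      eval "$cmd"
    fi
  done < "$3"
}
```

    Run it as `DRY_RUN=0 samp_block_file 3443 CPDBL_isnbotbl_block blocklist.txt` on the gateway; the timeout and comment values are the ones from post #5's output.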

  9. #9
    Join Date
    2012-06-13
    Posts
    343
    Rep Power
    6

    Default Re: fw samp in Bridge mode not working

    Ahh, that could be the thing, since I didn't add those.

    Thanks for the reply; let me definitely try that and come back to you if I get stuck again.

  10. #10
    Join Date
    2012-06-13
    Posts
    343
    Rep Power
    6

    Default Re: fw samp in Bridge mode not working

    Quote Originally Posted by urilewi View Post
    Hi blason

    Took a little longer than I expected.
    This definitely works.

    The quota rules are not immediately applied to the Security Gateway. They are only registered in the Suspicious Activity Monitoring (SAM) policy database.
    To apply all the rules from the policy database immediately, in the fw samp add command syntax, add flush true.

    HTH
    Uri
    BTW, is there any limit for fw samp entries/rules? Can it handle 60-70k entries at a time?

  11. #11
    Join Date
    2014-09-07
    Posts
    14
    Rep Power
    0

    Default Re: fw samp in Bridge mode not working

    I'm not sure what you mean by entries.
    For rules, I would think that since these rules are eventually rule-based, adding 60k/70k rules would be really ineffective. I don't know the number of rules this feature was tested for, and I can't imagine such a number ever came up.

    Can you share a scenario in which you would have to use fw samp like that (70K rules)?

    Thanks,
    Uri
    Last edited by urilewi; 2018-02-07 at 17:27.

  12. #12
    Join Date
    2012-06-13
    Posts
    343
    Rep Power
    6

    Default Re: fw samp in Bridge mode not working

    Well, you see, if we enable malicious entries in IPS protection, which has a performance impact, that feature can hardly be enabled. Instead I came up with an idea where we put a honeypot on the internet, and whoever touches that box automatically has that IP address added to an fw samp rule. Thus I am protecting against recon attacks; that way my fw samp rules can easily go as high as 40-50k at a time, hence I am wondering what toll it would take on the system?

  13. #13
    Join Date
    2014-09-07
    Posts
    14
    Rep Power
    0

    Default Re: fw samp in Bridge mode not working

    I see what you're saying; however, SAMP is not intended for this purpose. It is only for immediate response. It would be really ineffective to manage dozens of thousands of rules like this, and it will also be inefficient.
    Furthermore, if you are being attacked simultaneously by 70K different sources, the problem is a different one.

    Thanks,
    Uri

  14. #14
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,464
    Rep Power
    15

    Default Re: fw samp in Bridge mode not working

    I will agree with Uri here, fw samp is meant for "immediate" responses to issues without pushing policy.
    If you want to block IPs permanently, it's best to move them into the regular firewall policy at some point.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
