CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: SAM rule expiration sorting

  1. #1
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    265
    Rep Power
    12

    SAM rule expiration sorting

    In SmartView Monitor, SAM rules list their expiration dates as '%R %B %d, %Y'. This expands to "hour:minute monthName zeroPaddedDayOfMonth, yearWithCentury". Sorting on this column is done in strict alphabetical order, which results in strange orderings:

    09:47 April 03, 2018
    09:52 March 31, 2018
    10:04 April 04, 2018
    10:07 April 02, 2018

    I suspect nobody has ever wanted this ordering of expiration dates.

    Please change the display of the expiration date to ISO 8601 format: '%FT%R', which expands to 'yearWithCentury-month-dayOfMonth', a letter T, then 'hour:minute', all with zero-padding as needed. This should cause them to sort properly with no added sorting logic.
    Zimmie
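
Added example (not part of the original post): the four expiration strings quoted above, sorted as plain text, sorted chronologically, and re-rendered in the requested ISO 8601 form. The function names are illustrative, and the format strings spell out `%R` as `%H:%M` and `%F` as `%Y-%m-%d` because Python's `strptime` does not accept the shorthand forms on every version.

```python
from datetime import datetime

# Equivalent of the '%R %B %d, %Y' display format described in the post.
DISPLAY_FMT = "%H:%M %B %d, %Y"
# Equivalent of the requested '%FT%R' (ISO 8601, minute precision).
ISO_FMT = "%Y-%m-%dT%H:%M"

# The four expiration strings quoted in the post, in the order shown there.
SAMPLE = [
    "09:47 April 03, 2018",
    "09:52 March 31, 2018",
    "10:04 April 04, 2018",
    "10:07 April 02, 2018",
]


def parse_display(text):
    """Parse one expiration string in the display format into a datetime."""
    return datetime.strptime(text.strip(), DISPLAY_FMT)


def to_iso(text):
    """Re-render a display-format expiration as an ISO 8601 string."""
    return parse_display(text).strftime(ISO_FMT)


def sort_by_expiry(rows):
    """Sort display-format strings by the moment they denote, soonest first."""
    return sorted(rows, key=parse_display)


def iso_sorted(rows):
    """Convert to ISO 8601, then sort as plain strings (no date logic)."""
    return sorted(to_iso(r) for r in rows)


if __name__ == "__main__":
    print("alphabetical :", sorted(SAMPLE))
    print("chronological:", sort_by_expiry(SAMPLE))
    print("ISO, as text :", iso_sorted(SAMPLE))
```

A plain string sort of the ISO 8601 values gives the same order as the chronological sort, which is the property the post relies on.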

  2. #2
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,486
    Rep Power
    16

    Re: SAM rule expiration sorting

    I'm curious how many people actually use fw sam rules.
    It's an older feature for sure.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  3. #3
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    265
    Rep Power
    12

    Re: SAM rule expiration sorting

    I use them mostly as part of SmartEvent's automatic responses.

    I'm also working on giving my company's incident response team access to create SAM rules to lower the latency in urgent blacklist requests. The current process involves IR opening a ticket, then waiting on a whole different part of the company (IR is under CISO, people who push firewall rules are under CTO; wildly different top-level incentives) to process it. We're working on upgrading to R80-family to take advantage of the more granular permissions, but we still have some old firewalls R80 no longer supports.
    Zimmie

  4. #4
    Join Date
    2012-06-13
    Posts
    368
    Rep Power
    7

    Re: SAM rule expiration sorting

    Originally Posted by PhoneBoy:
    I'm curious how many people actually use fw sam rules.
    It's an older feature for sure.

    I am another who is using it most. In fact, all that noise over the internet is being dropped because of that.

  5. #5
    Join Date
    2007-10-31
    Location
    Great Plains - USA
    Posts
    158
    Rep Power
    12

    Re: SAM rule expiration sorting

    Originally Posted by PhoneBoy:
    I'm curious how many people actually use fw sam rules.
    It's an older feature for sure.

    Used with good results in our environment (R77.30). As with post by Zimmie, our heaviest usage is the integration with SmartEvent.

  6. #6
    Join Date
    2012-08-16
    Posts
    181
    Rep Power
    7

    Re: SAM rule expiration sorting

    I use SAM rules quite a bit - as others have said with SmartEvent reactions. Also using CPDBL for fw samp.

  7. #7
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,229
    Rep Power
    13

    Re: SAM rule expiration sorting

    Anyone still using block rules via fw sam and/or the SmartView Monitor should definitely check out the capabilities of fw samp if SecureXL is enabled. Drops are enforced very early in SecureXL thus avoiding the overhead going into the Firewall Path (F2F) where fw sam rules are enforced; great for killing massive flooding attacks with minimal impact on CPU utilization. There are a crapload of other features in fw samp as well including packet/bandwidth limits, total/new connections limits, blocking by geographic country, etc:

    [Attached image: samp.jpg]

    Right now fw samp can only be accessed from the CLI, but I seem to recall hearing there may be something on the roadmap to make this feature accessible through some kind of GUI.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com
