Support Center > Search Results > SecureKnowledge Details
SAM rules are occasionally not deleted in SmartView Monitor
Symptoms

  • SAM rules are occasionally not deleted in SmartView Monitor:

    1. In SmartView Monitor, go to Tools menu - click on Suspicious Activity Rules...
    2. Add the desired rules
    3. Select the SAM rule you wish to delete - click on Remove button
    4. This SAM rule still appears in this Enforced Suspicious Activity Rules window

  • SmartView Tracker log shows that the selected SAM rule was cancelled (i.e., deleted):
    sys_message: Cancelled the following dynamic (SAM) rule: ...

  • Output of the fw sam -v -M -j all command on the Security Gateway still shows the selected SAM rule.

  • Deleting all SAM rules at once works correctly:
    • In SmartView Monitor - Tools menu - click on Suspicious Activity Rules... - click on Remove All button
    • On Security Gateway, run the fw sam -v -D command
Cause

Duplicate SAM rules exist in the SAM database on the Security Gateway. Therefore, clicking on the "Remove" button removes only one rule instance.

Note: By the current design, since the Enforced Suspicious Activity Rules window provides a display of the currently enforced rules, if the system administrator adds a rule that is shadowed by another rule, the shadowed rule remains hidden. For example, if a rule was defined for dropping all HTTP traffic and an additional rule is defined for rejecting HTTP traffic, then only the drop rule, which is the dominant rule, will be displayed.


Solution
 Note: To view this solution you need to Sign In .