SAM rules are occasionally not deleted in SmartView Monitor

Support Center > Search Results > SecureKnowledge Details

Solution ID	sk110157
Product	Security Gateway, ClusterXL, Cluster - 3rd party
Version	R77, R77.10, R77.20, R77.30
Platform / Model	All
Date Created	25-Feb-2016
Last Modified	27-Nov-2018

Symptoms

SAM rules are occasionally not deleted in SmartView Monitor:
1. In SmartView Monitor, go to Tools menu - click on Suspicious Activity Rules...
2. Add the desired rules
3. Select the SAM rule you wish to delete - click on Remove button
4. This SAM rule still appears in this Enforced Suspicious Activity Rules window
SmartView Tracker log shows that the selected SAM rule was cancelled (i.e., deleted):
sys_message: Cancelled the following dynamic (SAM) rule: ...
Output of the fw sam -v -M -j all command on the Security Gateway still shows the selected SAM rule.
Deleting all SAM rules at once works correctly:
- In SmartView Monitor - Tools menu - click on Suspicious Activity Rules... - click on Remove All button
- On Security Gateway, run the fw sam -v -D command

Cause

Duplicate SAM rules exist in the SAM database on the Security Gateway. Therefore, clicking on the "Remove" button removes only one rule instance.

Note: By the current design, since the Enforced Suspicious Activity Rules window provides a display of the currently enforced rules, if the system administrator adds a rule that is shadowed by another rule, the shadowed rule remains hidden. For example, if a rule was defined for dropping all HTTP traffic and an additional rule is defined for rejecting HTTP traffic, then only the drop rule, which is the dominant rule, will be displayed.

Solution

Note: To view this solution you need to Sign In .