Introduction

Accelerated Drop Rules feature protects the Security Gateway and site from Denial of Service attacks by dropping packets at the acceleration layer (Performance Pack).

The drop rules are being configured in a file on the Security Gateway, which is then offloaded to the SecureXL device for enforcement. There is no relation between the rules being configured in the file and the rules configured in SmartDashboard.

The drop rules match is being done after connection and template lookup, so existing connections or new connections that match a template, will continue to pass through the Security Gateway regardless of the drop rules being configured.

To use the feature, run the following command (available only in Gaia / SecurePlatform / Crossbeam OS): [Expert@HostName]# sim dropcfg <options>

Important: this article does not apply to R80.20 and higher - sim dropcfg has been deprecated. Refer to sk112454 

CLI syntax

Command	Description
sim dropcfg	Configures drop parameters (run 'sim dropcfg')
sim dropcfg -h	Prints the help message with available options for 'dropcfg' parameter
sim dropcfg -l	Prints current drop configuration
sim dropcfg -f </path_to/file_name>	Sets drop configuration file
sim dropcfg -e	Enforces drop configuration on the external interface only
sim dropcfg -y	Avoids confirmation
sim dropcfg -r	Resets drop rules

 

(A) Notes about file syntax:

• The configuration file should contain one or more drop rules. One rule per line.
  
  

• Each rule line must contain one or more of the following parameters:

  • src <source_ip_address>/<subnet_mask> - Source IP address/Subnet Mask (Subnet Mask is optional - if not specified, then a single IP address is assumed).
    
    
  • dst <destination_ip_address>/<subnet_mask> - Destination IP address/Subnet Mask (Subnet Mask is optional - if not specified, then a single IP address is assumed).
    
    
  • dport <destination_port> - Destination port.
    
    
  • proto <ip_protocol_number> - IP Protocol (refer to /etc/protocols file or IANA Protocol Numbers ; e.g., TCP=6, UDP=17, ICMP=1).
  
  
  
• Use '*' to specify 'any'. It is the same as not specifying the parameter.
  
  
• You can add comment lines by using '#' at the beginning of the line.
  
  
• Empty lines are ignored

 

(B) Examples:

src 1.1.1.1

src * dport 80 proto 6

src 1.1.1.0/24 dst 2.2.0.0/16 dport 53 proto 17

 

Logging

To generate logs for dropped packets, add the following line to file $PPKDIR/boot/modules/simkern.conf:

sim_track_dropdb=1

Note: the extensive logging could result in higher CPU utilization on the Security Gateway.

 

Limitations

• The drop rules configuration does not survive the reboot. In order to apply the configured drop rules after the reboot, use a startup script (e.g., /etc/rc.d/rc.local) to run "sim dropcfg -f </path_to/file_name>" command automatically during each boot.
  
  
• When using this feature, you cannot define exception list for the Template Quota feature. If exception list would be configured, it will disable the drop rules enforcement. See sk33239 for more details on the Template Quota feature.

 

(5) Related solutions

• sk109960 - "sim dropcfg -l" command incorrectly shows "Enforced on external interfaces only"
• sk32578 - SecureXL Mechanism
• sk71200 - SecureXL NAT Templates
• sk90861 - Optimized Drops feature in R76
• sk98722 - ATRG: SecureXL
• sk98348 - Best Practices - Security Gateway Performance