Accelerated Drop Rules Feature

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk67861
Technical Level
Product	SecureXL
Version	R76 (EOL), R77 (EOL), R77.10 (EOL), R77.20, R77.30 (EOL), R80.10 (EOL)
OS	SecurePlatform 2.6, Gaia
Platform / Model	All
Date Created	23-Feb-2012
Last Modified	06-Jul-2020

Solution

Introduction

Accelerated Drop Rules feature protects the Security Gateway and site from Denial of Service attacks by dropping packets at the acceleration layer (Performance Pack).

The drop rules are being configured in a file on the Security Gateway, which is then offloaded to the SecureXL device for enforcement. There is no relation between the rules being configured in the file and the rules configured in SmartDashboard.

The drop rules match is being done after connection and template lookup, so existing connections or new connections that match a template, will continue to pass through the Security Gateway regardless of the drop rules being configured.

To use the feature, run the following command (available only in Gaia / SecurePlatform / Crossbeam OS): [Expert@HostName]# sim dropcfg <options>

Important: this article does not apply to R80.20 and higher - sim dropcfg has been deprecated. Refer to sk112454

CLI syntax

Command	Description
`sim dropcfg`	Configures drop parameters (run '`sim dropcfg`')
`sim dropcfg -h`	Prints the help message with available options for '`dropcfg`' parameter
`sim dropcfg -l`	Prints current drop configuration
`sim dropcfg -f </path_to/file_name>`	Sets drop configuration file
`sim dropcfg -e`	Enforces drop configuration on the external interface only
`sim dropcfg -y`	Avoids confirmation
`sim dropcfg -r`	Resets drop rules

(A) Notes about file syntax:

The configuration file should contain one or more drop rules. One rule per line.
Each rule line must contain one or more of the following parameters:
- src <source_ip_address>/<subnet_mask> - Source IP address/Subnet Mask (Subnet Mask is optional - if not specified, then a single IP address is assumed).
- dst <destination_ip_address>/<subnet_mask> - Destination IP address/Subnet Mask (Subnet Mask is optional - if not specified, then a single IP address is assumed).
- dport <destination_port> - Destination port.
- proto <ip_protocol_number> - IP Protocol (refer to /etc/protocols file or IANA Protocol Numbers ; e.g., TCP=6, UDP=17, ICMP=1).
Use '*' to specify 'any'. It is the same as not specifying the parameter.
You can add comment lines by using '#' at the beginning of the line.
Empty lines are ignored

(B) Examples:

src 1.1.1.1

src * dport 80 proto 6

src 1.1.1.0/24 dst 2.2.0.0/16 dport 53 proto 17

Logging

To generate logs for dropped packets, add the following line to file $PPKDIR/boot/modules/simkern.conf:

sim_track_dropdb=1

Note: the extensive logging could result in higher CPU utilization on the Security Gateway.

Limitations

The drop rules configuration does not survive the reboot. In order to apply the configured drop rules after the reboot, use a startup script (e.g., /etc/rc.d/rc.local) to run "sim dropcfg -f </path_to/file_name>" command automatically during each boot.
When using this feature, you cannot define exception list for the Template Quota feature. If exception list would be configured, it will disable the drop rules enforcement. See sk33239 for more details on the Template Quota feature.

(5) Related solutions

Applies To:

00840605 , 00851730

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating