Accelerated Drop Rules Feature in R75.40 and above
(1) Introduction
The Accelerated Drop Rules feature protects the Security Gateway and the site behind it from Denial of Service attacks by dropping packets at the acceleration layer (Performance Pack).
The drop rules are configured in a file on the Security Gateway, which is then offloaded to the SecureXL device for enforcement. There is no relation between the rules configured in this file and the rules configured in SmartDashboard.
The drop rules match is performed after the connection and template lookup, so existing connections, and new connections that match a template, continue to pass through the Security Gateway regardless of the drop rules configured in the file.
In order to use the feature, run the following command (available only in Gaia / SecurePlatform / Crossbeam OS):
[Expert@HostName]# sim dropcfg <options>
(2) CLI syntax
Command                              | Description
-------------------------------------|------------------------------------------------------------------
sim dropcfg                          | Configures drop parameters (run 'sim dropcfg')
sim dropcfg -h                       | Prints the help message with available options for the 'dropcfg' parameter
sim dropcfg -l                       | Prints the current drop configuration
sim dropcfg -f </path_to/file_name>  | Sets the drop configuration file
sim dropcfg -e                       | Enforces the drop configuration on the external interface only
sim dropcfg -y                       | Avoids the confirmation prompt
sim dropcfg -r                       | Resets the drop rules
(A) Notes about file syntax:
(B) Examples:
src 1.1.1.1
src * dport 80 proto 6
src 1.1.1.0/24 dst 2.2.0.0/16 dport 53 proto 17
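To check a drop configuration file before loading it with 'sim dropcfg -f', the following added example (not Check Point code) parses lines in the format shown above and reports which rule, if any, a given packet would hit. Because this page does not reproduce the file syntax notes, the matching semantics are assumptions inferred from the three examples: the keywords are src, dst, dport and proto in any order, '*' means any address, a bare host address means a /32 network, a field absent from a rule matches anything, and the first matching rule wins; the script models only the rule-match step, not the connection and template lookup that precedes it on the gateway.

```python
import ipaddress

# Constructed sample input: the three example rules from this article, one per line.
SAMPLE_RULES = """\
src 1.1.1.1
src * dport 80 proto 6
src 1.1.1.0/24 dst 2.2.0.0/16 dport 53 proto 17
"""

# Assumption: only the keywords seen in the examples are accepted; anything
# else is rejected loudly rather than silently ignored at load time.
KEYWORDS = {"src", "dst", "dport", "proto"}


def parse_rule(line):
    """Turn 'src 1.1.1.0/24 dport 53 proto 17' into a dict of matchers."""
    tokens = line.split()
    if len(tokens) % 2:
        raise ValueError(f"odd number of tokens in rule: {line!r}")
    rule = {}
    for key, value in zip(tokens[::2], tokens[1::2]):
        if key not in KEYWORDS:
            raise ValueError(f"unknown keyword {key!r} in rule: {line!r}")
        if key in ("src", "dst"):
            # '*' means any address; a bare host becomes a /32 (assumption).
            rule[key] = None if value == "*" else ipaddress.ip_network(value, strict=False)
        else:
            rule[key] = int(value)  # dport and proto are plain integers
    return rule


def parse_rules(text):
    """Parse a whole drop configuration file, skipping blank lines."""
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def rule_matches(rule, src, dst, dport, proto):
    """True when every field present in the rule matches the packet."""
    packet = {"src": src, "dst": dst, "dport": dport, "proto": proto}
    for key, want in rule.items():
        if key in ("src", "dst"):
            if want is not None and ipaddress.ip_address(packet[key]) not in want:
                return False
        elif want != packet[key]:
            return False
    return True


def would_drop(rules, src, dst, dport, proto):
    """Return the first rule the packet hits (it would be dropped), else None."""
    return next((r for r in rules if rule_matches(r, src, dst, dport, proto)), None)
```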
(3) Logging
To generate logs for dropped packets, add the following line to the file $PPKDIR/boot/modules/simkern.conf:
sim_track_dropdb=1
Note: extensive logging can result in higher CPU utilization on the Security Gateway.
(4) Limitations
- The drop rules configuration does not survive a reboot. To apply the configured drop rules after a reboot, use a startup script (e.g., /etc/rc.d/rc.local) to run the "sim dropcfg -f </path_to/file_name>" command automatically during each boot.
- When using this feature, you cannot define an exception list for the Template Quota feature. If an exception list is configured, it disables the drop rules enforcement. See sk33239 for more details on the Template Quota feature.