(1) Introduction

Accelerated Drop Rules feature protects the Security Gateway and site from Denial of Service attacks by dropping packets at the acceleration layer (Performance Pack).

The drop rules are being configured in a file on the Security Gateway, which is then offloaded to the SecureXL device for enforcement. There is no relation between the rules being configured in the file and the rules configured in SmartDashboard.

The drop rules match is being done after connection and template lookup, so existing connections or new connections that match a template, will continue to pass through the Security Gateway regardless of the drop rules being configured.

In order to use the feature, run the following command (available only in Gaia / SecurePlatform / Crossbeam OS):

[Expert@HostName]# sim dropcfg <options>

(2) CLI syntax

(A) Notes about file syntax:

• The configuration file should contain one or more drop rules. One rule per line.
  
  

• Each rule line must contain one or more of the following parameters:

  • src <source_ip_address>/<subnet_mask> - Source IP address/Subnet Mask (Subnet Mask is optional - if not specified, then a single IP address is assumed).
    
    
  • dst <destination_ip_address>/<subnet_mask> - Destination IP address/Subnet Mask (Subnet Mask is optional - if not specified, then a single IP address is assumed).
    
    
  • dport <destination_port> - Destination port.
    
    
  • proto <ip_protocol_number> - IP Protocol (refer to /etc/protocols file or IANA Protocol Numbers ; e.g., TCP=6, UDP=17, ICMP=1).
  
  
  
• Use '*' to specify 'any'. It is the same as not specifying the parameter.
  
  
• You can add comment lines by using '#' at the beginning of the line.
  
  
• Empty lines are ignored

(B) Examples:

src 1.1.1.1

src * dport 80 proto 6

src 1.1.1.0/24 dst 2.2.0.0/16 dport 53 proto 17

(3) Logging

To generate logs for dropped packets, add the following line to file $PPKDIR/boot/modules/simkern.conf:

sim_track_dropdb=1

Note: the extensive logging could result in higher CPU utilization on the Security Gateway.

(4) Limitations

• The drop rules configuration does not survive the reboot. In order to apply the configured drop rules after the reboot, use a startup script (e.g., /etc/rc.d/rc.local) to run "sim dropcfg -f </path_to/file_name>" command automatically during each boot.
  
  
• When using this feature, you cannot define exception list for the Template Quota feature. If exception list would be configured, it will disable the drop rules enforcement. See sk33239 for more details on the Template Quota feature.

(5) Related solutions

• sk109960 - "sim dropcfg -l" command incorrectly shows "Enforced on external interfaces only"
• sk32578 - SecureXL Mechanism
• sk66402 - SecureXL Drop Templates are not supported in versions lower than R76
• sk71200 - SecureXL NAT Templates
• sk90861 - Optimized Drops feature in R76
• sk98722 - ATRG: SecureXL
• sk98348 - Best Practices - Security Gateway Performance
• sk33781 - Performance analysis for Security Gateway NGX R65 / R7x