'fw sam' command fails to process the SAM rule with "sam: Name_of_GW_Object ... failed 'Syntax of SAM rule' processing" error
Symptoms
  • 'fw sam' command fails to process the SAM rule with "sam: Name_of_GW_Object (FW_Index/FW_Total) ... failed 'Syntax of SAM rule' processing" error.

    Example:
    [Expert@MGMT]# fw sam -v -s 192.168.10.20 -f Main_Cluster -t 7200 -J src 1.1.1.1
    sam: request for 'Inhibit Drop Close src ip 1.1.1.1 on Main_Cluster' acknowledged
    sam: Member_A (0/2) failed 'Inhibit Drop Close src ip 1.1.1.1 on Main_Cluster' processing
    sam: Member_B (1/2) failed 'Inhibit Drop Close src ip 1.1.1.1 on Main_Cluster' processing
    sam: request for 'Inhibit Drop Close src ip 1.1.1.1 on Main_Cluster' done
    
  • Neither policy installation nor restarting the Check Point services (cpstop;cpstart) helps.

  • Debug of FWD daemon on Security Gateway per sk86321 shows:
    [FWD PID TID]@HostName[Date Time] get_sam_file_size: getting file size 
    [FWD PID TID]@HostName[Date Time] get_sam_file_size: file size is 5000016 bytes 
    [FWD PID TID]@HostName[Date Time] fw_sam_inhibit_conns: session=0x... file size exceeded. Will not add the request 
    [FWD PID TID]@HostName[Date Time] fw_sam_generate_log: session 0x...: Sending log Failed to add the following dynamic (SAM) rule: ...
    
Cause

The size of the SAM records file on the Security Gateway / Cluster member(s) - $FWDIR/log/sam.dat - has exceeded a hard-coded limit of 5 MB.

The SAM records file contains all requests sent to the Security Gateway including obsolete requests. Purging these obsolete requests from the file decreases its size.

Background:

  • The FWD module stores the Suspicious Activity Monitoring (SAM) rules received from the FWM module in the $FWDIR/log/sam.dat file in a binary format.
  • SAM rules are pushed to the Check Point kernel when they are received, as well as after policy installation and as part of FWD module initialization (to ensure that they remain active after system restarts).
  • Security Gateway acts as a SAM Server.
  • Management Server acts as a SAM Client.
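
A monitoring check for the condition described above, added here as an example and not Check Point code: it compares the size of sam.dat with the limit and counts the rejection signature from the FWD debug output. The byte value of the limit (5 MB read as 5,000,000 bytes), the 80% warning threshold, the function names and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Run in Expert mode on the Security Gateway.
SAM_LIMIT_BYTES=5000000   # assumption: the page's "5 MB" read as 5,000,000 bytes
SAM_WARN_PCT=80           # hypothetical early-warning threshold

# sam_file_status FILE -> "ok|warn|full <bytes>", or "missing"
sam_file_status() {
    [ -f "$1" ] || { echo "missing"; return 0; }
    sam_size=$(wc -c < "$1" | tr -d ' ')
    if [ "$sam_size" -ge "$SAM_LIMIT_BYTES" ]; then
        echo "full $sam_size"     # FWD will refuse new SAM requests
    elif [ $((sam_size * 100)) -ge $((SAM_LIMIT_BYTES * SAM_WARN_PCT)) ]; then
        echo "warn $sam_size"     # approaching the limit
    else
        echo "ok $sam_size"
    fi
}

# sam_debug_findings [FILE] -> "size=<last reported size> rejected=<count>"
# Reads FWD debug output (file argument or stdin) and looks for the two
# messages shown in the Symptoms section.
sam_debug_findings() {
    awk '
        /get_sam_file_size: file size is/ {
            for (i = 1; i < NF; i++) if ($i == "is") size = $(i + 1)
        }
        /fw_sam_inhibit_conns:.*file size exceeded/ { rejected++ }
        END { printf "size=%s rejected=%d\n", (size == "" ? "unknown" : size), rejected }
    ' "$@"
}

# Constructed sample input modelled on the page's debug excerpt
# (PID, host name and timestamps are made up).
sample_fwd_debug() {
    cat <<'EOF'
[FWD 1234 1]@gw1[1 Jan 10:00:00] get_sam_file_size: getting file size
[FWD 1234 1]@gw1[1 Jan 10:00:00] get_sam_file_size: file size is 5000016 bytes
[FWD 1234 1]@gw1[1 Jan 10:00:00] fw_sam_inhibit_conns: session=0x1 file size exceeded. Will not add the request
EOF
}

# On a gateway, FWDIR is set by the Check Point environment.
if [ -n "${FWDIR:-}" ]; then
    sam_file_status "$FWDIR/log/sam.dat"
fi
sample_fwd_debug | sam_debug_findings
```

On a cluster, run the check on every member, since each member keeps its own sam.dat.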
