Troubleshooting guide
Appendix A: State Tables for VPN-1/FireWall-1 4.0 SAMP tables
Advanced Technical Reference Guide 4.1 • June 2000 147
<source IP address, magic number, destination IP address, destination port, IP protocol; encryption key, r_ctype
and r_cflags (see r_ctype connection table); time left/total time>
The magic number is an arbitrary number that identifies the VPN-1/FireWall-1 “entity” that recorded this entry
and will need to use it later on. The magic number is usually meaningful when read as 4 ASCII
characters.
SAMP tables
sam_blocked_ips table
SAM is an acronym for “suspicious activity monitor” and is a FireWall-1 tool for dynamically blocking IP
addresses that are allowed by the Rule Base but which act suspiciously. All newly blocked IP addresses are
stored in the sam_blocked_ips table.
Example
attributes: expires 2147483647
<c7cb47bb; 00000002, 00000002, 00000001; 2147483386/2147483647>
The sam_blocked_ips table uses the following format:
<blocked IP address; IP flags, logging option, action option; time left/total time>
IP flags may have the following values:
IP flag value   Description
0x0001          Block either source or destination
0x0002          Block source
0x0004          Block destination
0x0008          Block source, depending on service
0x0010          Block destination, depending on service
0x0020          Block either source or destination, depending on service
0x0040          Block connection
The logging option may have the following values:
Logging option  Description
0               nolog
1               short log, no alert
2               long log, no alert
3               short log, alert
4               long log, alert
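
The following Python function is an added example, not part of the original guide. It decodes one sam_blocked_ips entry using the format and the two tables above. It assumes the address and option fields are hexadecimal (address most significant byte first), that IP flag values combine as a bitmask, and that the times are decimal; the action option is returned undecoded because its values are not listed here.

```python
import ipaddress
import re

# Values from the tables above. Assumption: IP flag values combine as a bitmask.
IP_FLAGS = {
    0x0001: "Block either source or destination",
    0x0002: "Block source",
    0x0004: "Block destination",
    0x0008: "Block source, depending on service",
    0x0010: "Block destination, depending on service",
    0x0020: "Block either source or destination, depending on service",
    0x0040: "Block connection",
}
LOGGING = {0: "nolog", 1: "short log, no alert", 2: "long log, no alert",
           3: "short log, alert", 4: "long log, alert"}

# Assumption: address and option fields are 8 hex digits, times are decimal.
ENTRY_RE = re.compile(
    r"<\s*([0-9a-f]{8})\s*;\s*([0-9a-f]{8})\s*,\s*([0-9a-f]{8})\s*,"
    r"\s*([0-9a-f]{8})\s*;\s*(\d+)\s*/\s*(\d+)\s*>", re.I)


def parse_sam_entry(line):
    """Decode one sam_blocked_ips entry; raise ValueError if malformed."""
    m = ENTRY_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"not a sam_blocked_ips entry: {line!r}")
    ip, flags, log_opt, action = (int(x, 16) for x in m.groups()[:4])
    left, total = int(m.group(5)), int(m.group(6))
    if left > total:
        raise ValueError("time left exceeds total time")
    known = [name for bit, name in IP_FLAGS.items() if flags & bit]
    unknown = flags & ~sum(IP_FLAGS)  # bits not in the table above
    return {
        "blocked_ip": str(ipaddress.IPv4Address(ip)),
        "ip_flags": known,
        "unknown_flag_bits": unknown,
        "logging": LOGGING.get(log_opt, f"unknown ({log_opt})"),
        "action_option": action,  # raw value: not documented on this page
        "time_left": left,
        "total_time": total,
    }


if __name__ == "__main__":
    # The example entry shown earlier in this section.
    sample = "<c7cb47bb; 00000002, 00000002, 00000001; 2147483386/2147483647>"
    for key, value in parse_sam_entry(sample).items():
        print(f"{key}: {value}")
```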