Troubleshooting guide

Appendix A: State Tables for VPN-1/FireWall-1 4.0 License enforcement tables
Advanced Technical Reference Guide 4.1 June 2000 148
The action option may have any combination of the following values:
Action option   Description
0x01            Inhibit (do not let additional packets get through)
0x02            Close (terminate existing connections)
0x04            Notify (send a message)
0x08            Cancel (cancel a previous restriction)
0x10            Uninhibit (uninhibit a previously blocked IP address)
0x20            Uninhibit all (uninhibit all previously blocked IP addresses)
0x40            Delete all (delete all previous restrictions)
0x80            Retrieve info (not used)
sam_blocked_servs table
The sam_blocked_servs table holds connections that are blocked by SAM.
Example
attributes: sync keep
<c0a80c01, c073cd0c, 00000015, 00000006; 00000002, 00000004>
The sam_blocked_servs table uses the following format:
<source IP address, destination IP address, destination port, IP protocol; logging option, action option>
Refer to the tables for the sam_blocked_ips table above to interpret the logging and action options.
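The following Python example is added here and is not part of the original guide. It decodes a sam_blocked_servs entry in the format shown above, expanding the action option bitmask into the flag names from the action option table. The function names are hypothetical, and the logging option is left as a raw number because its table is not on this page.

```python
import ipaddress
import re

# Action option bit flags, copied from the action option table on this page.
ACTION_FLAGS = {
    0x01: "Inhibit", 0x02: "Close", 0x04: "Notify", 0x08: "Cancel",
    0x10: "Uninhibit", 0x20: "Uninhibit all", 0x40: "Delete all",
    0x80: "Retrieve info",
}
ENTRY_RE = re.compile(r"^\s*<([^;>]*);([^>]*)>\s*$")  # <key fields; value fields>


def hex_to_ip(word):
    """Convert a 32-bit hex word such as 'c0a80c01' to dotted-quad notation."""
    return str(ipaddress.IPv4Address(int(word, 16)))


def decode_action(value):
    """Return the names of every action flag set in the bitmask, low bit first."""
    if value & ~0xFF:
        raise ValueError(f"action option has bits outside 0x01-0x80: {value:#x}")
    return [name for bit, name in ACTION_FLAGS.items() if value & bit]


def parse_sam_blocked_serv(line):
    """Decode one sam_blocked_servs entry into a dict of readable fields."""
    m = ENTRY_RE.match(line)
    if not m:
        raise ValueError(f"not a table entry: {line!r}")
    key = [f.strip() for f in m.group(1).split(",")]
    val = [f.strip() for f in m.group(2).split(",")]
    if len(key) != 4 or len(val) != 2:
        raise ValueError(f"expected 4 key fields and 2 value fields: {line!r}")
    src, dst, port, proto = key
    return {
        "src": hex_to_ip(src),
        "dst": hex_to_ip(dst),
        "dport": int(port, 16),
        "ip_proto": int(proto, 16),
        "logging": int(val[0], 16),  # raw value; not interpreted here
        "actions": decode_action(int(val[1], 16)),
    }


if __name__ == "__main__":
    # The example entry printed on this page.
    print(parse_sam_blocked_serv(
        "<c0a80c01, c073cd0c, 00000015, 00000006; 00000002, 00000004>"))
```

The same hex_to_ip helper applies to the hex addresses listed in the host_ip_addrs table.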
License enforcement tables
host_ip_addrs table
The host_ip_addrs table contains the list of IP addresses on the FireWall-1 machine (including loopback). The
addresses are in hexadecimal format.
Example
c7cb4704
7f000001
c7cb4981
c7cb49c7
c7cb49e1
forbidden_tab table
Each embedded FireWall-1 has a feature that indicates how many hosts can be located "behind" it (the number
of hosts can be unlimited). This limitation is enforced in the Inspect code using the macro COUNT_HOST.
COUNT_HOST records each packet that comes from the internal interface in a table until the limit is exceeded.
When that happens an alert is generated. However, rather than issuing an alert on each packet that comes from
the same source, the "forbidden" sources are recorded. (Forbidden in the sense that there are X other sources
from the internal network that have already been recognized.) Each time an alert is to be generated, the