
LTE

In This Section:

Configuring Fragmentation for IPSec Traffic

Configuring Subnet Range Selection for Quick Mode IDs

Configuring Alternate CRL Distribution Points

Configuring Fail Open When CRL is Unavailable

Configuring Persistent VPN Kernel Parameters

Disabling IKEv2 Traffic Selector Narrowing

Configuring the GTP Signaling Rate Limit

Configuring GTPv2 Support

Configuring SCTP Inspection

Configuring GSN Handover Group Limits

Deactivating Session Hijacking Protection

Using Diameter Services in Rules

Sending Check Point Logs to a Syslog Server

Configuring CGNAT

Configuring Stateful NAT64

Large Scale VPN

Configuring New GTPv2 Message Types and Information Elements

LTE is supported on Gaia Security Gateways of R77.30 and higher, and requires the R77.30 Add-On (see sk105412) on the Security Management Server or Multi-Domain Server.

Configuring Fragmentation for IPSec Traffic

To make sure the size of the transmitted packets is less than the MTU size, configure fragmentation for IPSec traffic.

To configure fragmentation for IPSec traffic:

  1. On the management server (Security Management Server or Multi-Domain Server) command line, run dbedit in Expert mode.
  2. At the dbedit prompt, run:

    modify network_objects gateway_object VPN:ipsec_fragment_inner true

  3. Enter -q to close dbedit.
  4. Reboot the server.
  5. Install policy.

To configure fragmentation for IPSec traffic when using Performance Pack:

  1. On each Security Gateway, open the file $PPKDIR/boot/modules/simkern.conf in a text editor.

    NOTE: If the file does not exist, create it.

  2. Add this line: vpn_f2f_for_fragmentation=1
  3. Save and close the file.
  4. Reboot the gateway.

Configuring Subnet Range Selection for Quick Mode IDs

In Quick Mode, you can apply the subnet range selection specified through max_subnet_for_range to the ID of the local gateway, to a peer's ID, to both, or to none.

To configure the subnet range selection for Quick Mode IDs:

On each Security Gateway, run this command:

fw ctl set int <subnet_for_range_control> [0|1|2|3] VPN

These are the options for the subnet_for_range_control value:

  • 0 - The max_subnet_for_range table is ignored on both sides.
  • 1 - The max_subnet_for_range table is ignored when own source IDs are selected.
  • 2 - The max_subnet_for_range table is ignored when the peer's destination IDs are selected.
  • 3 - The max_subnet_for_range table is never ignored (default).

Configuring Alternate CRL Distribution Points

If a CA's certificate revocation information is distributed over several CRL Distribution Points, configure each CA to access these Distribution Points.

To configure alternate CRL Distribution Points for a CA server:

  1. On the management server (Security Management Server or Multi-Domain Server) command line, run dbedit in Expert mode.
  2. At the dbedit prompt, run this command for each CA:

    addelement servers <ca_server_name> forced_crl_dp <Distribution_Point_URL>

    Example: addelement servers MyCA forced_crl_dp http://mydomain.com/crlfile1.CRL

  3. Enter -q to close dbedit.
  4. Reboot the server.
  5. Install policy.

NOTE: You can assign several CRL DPs for each CA server.

Configuring Fail Open When CRL is Unavailable

By default, if a CRL is unavailable, the VPN connections that rely on it for the certificate verification shut down. To maintain network availability during a CRL failure, you can configure the Fail-Open mode on the gateways.

To configure Fail-Open:

  1. On the management server (Security Management Server or Multi-Domain Server) command line, run dbedit in Expert mode.
  2. At the dbedit prompt, run:

    modify network_objects gateway_object VPN:ike_fetch_crl_fail_open true

  3. Enter -q to close dbedit.
  4. Reboot the server.
  5. Install policy.

    Note - In Fail-Open mode, if the CRL is not available or is not readable, the certificate is not examined for possible revocation.

Configuring Persistent VPN Kernel Parameters

If you change VPN kernel parameters (usually with fw ctl set), they return to their default values after a reboot. To keep the changes across reboots, configure them as persistent VPN kernel parameters.

To configure persistent VPN kernel parameters:

  1. On the Security Gateway, create this file:
    $FWDIR/modules/vpnkern.conf
  2. Add the required parameter(s) to vpnkern.conf. Example: subnet_for_range_control=2
  3. Save the file.
  4. Reboot the gateway.

Disabling IKEv2 Traffic Selector Narrowing

During IKEv2 SA negotiation, the responder can narrow the traffic selector proposed by the initiator. You can disable this feature.

To disable IKEv2 Traffic Selector Narrowing with dbedit:

  1. On the management server (Security Management Server or Multi-Domain Server) command line, run dbedit in Expert mode.
  2. At the dbedit prompt, run:

    modify network_objects gateway_object VPN:ikev2_accept_all_ts true

  3. Enter -q to close dbedit.
  4. Reboot the server.
  5. Install policy.

Configuring the GTP Signaling Rate Limit

The Security Gateway calculates the maximum signaling rate by multiplying the GTP Signaling rate limit sampling interval by the GTP signal packet rate limit. To configure the GTP signaling rate limit, set both of these properties.

To configure GTP signaling rate limit:

  1. Create one or more groups of source network objects.
    1. In SmartDashboard, right-click Network Objects and select Groups > GSN Handover Group.
    2. In the GSN Handover Group Properties window enter:
      • Name - Unique character string identifier
      • Comment (optional) - Descriptive text
      • Color (optional) - Select a color for the group icon
    3. Select Enforce GTP signal packet rate limit from this group and enter an integer value (in PDU/sec).
    4. From the Not in Group list, double-click the network objects to be included in the group.
    5. Click OK.
  2. Configure the sampling interval.
    1. In SmartDashboard, click Edit Global Properties.

      The Global Properties window opens.

    2. In the navigation tree, click Firewall-1 GX.
    3. Enter an integer for GTP Signaling rate limit sampling interval (in seconds).

      Default = 1 second.

    4. Click OK.
  3. Install policy.
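The relation above (maximum signaling PDUs per interval = sampling interval × packet rate limit) is easy to get wrong when the two properties are tuned separately, so here is an added example, not Check Point code, that buckets constructed PDU arrival times for one handover group into fixed sampling windows and reports the windows in which the limit is exceeded. The interval, the rate limit, the timestamps and the fixed-window model itself are assumptions of this example; how the gateway samples internally is not described on this page.

```python
"""Fixed-window check of GTP signaling PDU rates against a handover group limit.

Added example, not Check Point code. It applies the relation described above:
the maximum number of signaling PDUs a group may send per sampling interval is
sampling_interval_s * rate_limit_pdu_per_s. The fixed-window sampling, the
interval, the limit and the PDU arrival times are all constructed for this
example; how the gateway samples internally is not described on this page.
"""
from collections import Counter


def max_pdus_per_interval(sampling_interval_s, rate_limit_pdu_per_s):
    """Maximum signaling PDUs allowed in one sampling interval (interval x rate)."""
    if sampling_interval_s <= 0 or rate_limit_pdu_per_s <= 0:
        raise ValueError("sampling interval and rate limit must be positive integers")
    return sampling_interval_s * rate_limit_pdu_per_s


def signaling_windows(pdu_times, sampling_interval_s, rate_limit_pdu_per_s):
    """Bucket PDU arrival times (seconds) into consecutive sampling windows.

    Returns one dict per non-empty window, in time order: window start, PDU
    count, the allowed maximum and whether the window exceeded it.
    """
    limit = max_pdus_per_interval(sampling_interval_s, rate_limit_pdu_per_s)
    counts = Counter(int(t // sampling_interval_s) * sampling_interval_s for t in pdu_times)
    return [{"window_start": start, "pdus": n, "max_allowed": limit, "exceeded": n > limit}
            for start, n in sorted(counts.items())]


def exceeded_windows(pdu_times, sampling_interval_s, rate_limit_pdu_per_s):
    """Start times of the windows in which the group went over its limit."""
    return [w["window_start"]
            for w in signaling_windows(pdu_times, sampling_interval_s, rate_limit_pdu_per_s)
            if w["exceeded"]]


# Constructed sample: sampling interval 2 s and a limit of 5 PDU/sec for the
# group, so at most 10 signaling PDUs are allowed per 2-second window.
SAMPLE_INTERVAL_S = 2
SAMPLE_RATE_LIMIT = 5
SAMPLE_PDU_TIMES = (
    [0.1 * i for i in range(8)]            # 8 PDUs in the 0-2 s window: within limit
    + [2.0 + 0.15 * i for i in range(12)]  # 12 PDUs in the 2-4 s window: over the limit
    + [4.5, 5.0, 5.9]                      # 3 PDUs in the 4-6 s window: within limit
)

if __name__ == "__main__":
    for window in signaling_windows(SAMPLE_PDU_TIMES, SAMPLE_INTERVAL_S, SAMPLE_RATE_LIMIT):
        print(window)
```

Running the block prints one record per window; only the 2-4 s window is marked as exceeded, which is the case the rate limit is meant to catch.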

Configuring GTPv2 Support

You can create Firewall rules with GTPv2 protocol services for S5/S8 LTE interfaces. You can use these new GTPv2 services in the Service column of rules.

Note - There is no service template for the Path Management GTPv2 service. You must manually create the template.

To create a GTPv2 service (Not including Path Management):

  1. In SmartDashboard, go to the Firewall tab and select the Services tree.
  2. Right-click GTP and select New GTP.
  3. Select a service template from the options menu:
    • GTP V2 – for Tunnel Management service
    • GTP Mobility Management V2 – for Mobility Management service
    • GTP V2 Additional – Custom defined service
  4. In the Services Properties window, enter a name for the new service.
  5. If you selected the GTP V2 Additional service, select one or more service types:
    • GTPv2 Trace Management
    • CS Fallback and SRVCC
    • Restoration and Recovery services

      Note - GTP-U messages cannot match GTPv2 services in Firewall rules. You must also include the GTPv1 service in the rule to match GTP-U messages.

To create the Path Management GTPv2 service:

  1. On the Firewall tab, right click Services.
  2. Right-click Other > New Other.
  3. In the Other Services Properties window, enter this string as the service name:

    gtpv2_path_mgmt

  4. Enter 17 in the IP Protocol field.
  5. Click Advanced.
  6. In the Advanced Other Service Properties window, enter this string in the Match field:

    gtp_path_match_v2

  7. Select the Accept Replies option.

Configuring SCTP Inspection

When a Carrier license is installed, you can specify SCTP services in your Firewall rules. SCTP Inspection occurs in these cases:

  • There is a match on a rule containing an SCTP or Diameter SCTP service in the Service cell.
  • There is a match on a rule with Service = Any and this SCTP service has Match for any selected.

To activate SCTP Inspection:

  1. Open SmartDashboard > Manage.
  2. Click Services > New > SCTP.

    The SCTP Service Properties window opens.

    • Name - The name of the service. The name assigned here must be the same as the server service name (as in the services file). If NIS is used, the firewall automatically retrieves the information from NIS.
    • Port - The port number on which this service is provided.
    • Keep connections open after policy has been installed - Connections that are not allowed by the new policy are kept open anyway. This overrides the settings in the Connection Persistence page. If you change this property, the change does not affect connections that are already open, only future connections.
  3. Click Advanced.

    The Advanced SCTP Service Properties window opens.

    • Source Port - Port number for the client side of the service. If specified, only packets with those source port numbers are accepted, dropped, or rejected during packet inspection; otherwise, the source port is not inspected.
    • Enable Aggressive Aging - Sets short (aggressive) timeouts for idle connections. When a connection is idle for more than its aggressive timeout value, it is marked as eligible for deletion. When memory consumption or connections table capacity exceeds a user-defined threshold (high watermark), aggressive aging starts. Each incoming connection starts to delete k (10 by default) connections that are eligible for deletion. This continues until memory consumption or connections capacity decreases below the low value.
    • Synchronize connections on cluster - Enables state-synchronized High Availability or Load Sharing on a ClusterXL or OPSEC-certified cluster. Of the services allowed by the Rule Base, only those with Synchronize connections on cluster selected are synchronized as they go through the cluster. By default, all new and existing services are synchronized.
  4. Click OK.
  5. Open Global properties > Stateful Inspection.

    Configure these Stateful Inspection options:

    • SCTP start timeout
      • An SCTP connection times out if the interval between the arrival of the first packet and establishment of the connection (SCTP four-way handshake) exceeds the SCTP start timeout in seconds.
      • Attribute name in GuiDBedit: sctpstarttimeout
    • SCTP session timeout
      • Length of time an idle connection remains in the Security Gateway connections table.
      • Attribute name in GuiDBedit: sctptimeout
    • SCTP end timeout
      • An SCTP connection terminates only SCTP end timeout seconds after two FIN packets (one in each direction: client-to-server and server-to-client) or an RST packet.
      • Attribute name in GuiDBedit: sctpendtimeout

    Configure these options for Out of state packets:

    • Drop out of state SCTP packets
      • Drop SCTP packets that are not consistent with the current state of the SCTP connection.
      • Attribute name in GuiDBedit: fw_drop_out_of_state_sctp
    • Log on drop
      • Generates a log entry when out of state SCTP packets are dropped.
      • Attribute name in GuiDBedit: fw_log_out_of_state_sctp

To deactivate out of state packet drop with SmartDashboard:

  1. In SmartDashboard, go to Global properties > Stateful Inspection.
  2. Clear the Drop out of state SCTP packets option.
  3. Save and install the policy.

To deactivate SCTP packet inspection with GuiDBedit:

  1. Open GuiDBedit.
  2. Search for: fw_sctp_packet_inspection.
  3. Set the property to false.
  4. Save the database and install policy.

Configuring SCTP Acceleration

To enable SCTP acceleration, run:

sim feature sctp on

To disable SCTP acceleration, run:

sim feature sctp off

Note: If SCTP acceleration is activated and SCTP inspection is deactivated, the Performance Pack accelerates all SCTP packet types.

Configuring SCTP NAT

SCTP NAT overrides the defined NAT policy. When this feature is not activated, SCTP connections do not use NAT.

To activate SCTP NAT:

On the Security Gateway, run: fw ctl set int fwx_enable_sctp_nat 1

To deactivate SCTP NAT: fw ctl set int fwx_enable_sctp_nat 0

Configuring GSN Handover Group Limits

You can specify tunnel limits for GTP handover groups. A newly created tunnel counts against the limit of the handover groups on both sides of the tunnel.

To configure GSN handover group limits:

  1. Run GuiDBedit and connect to the management server.
  2. Search for gtp_groups_limit_enabled and set the value to true.

    Search for gtp_group_percentage_limit and set the value to an integer that defines the percentage (0 - 100) of the tunnel capacity assigned to all handover groups.

    The default value is 0 (unlimited).

    This percentage applies to all groups for which no limit is defined explicitly.

  3. Search for gtp_tunnels_limit.

    This parameter is the maximum number of GTP tunnels that a handover group can create. Set this limit to make sure that one group does not take too much of the GTP tunnel allowance.

  4. Search for gtp_tunnel_group_limit in each handover group.

    This value is an integer that defines the maximum number of tunnels that can be open for the specified group. The default value is 0 (not defined).

    The explicitly defined gtp_tunnel_group_limit has precedence over the gtp_groups_percentage_limit definition.

Monitoring GSN Handover Group Limits

This command shows tunnel use for handover groups. Run it in Expert mode on the Security Gateway.

Syntax

fw gtp ho_groups {-g <name> | -l} [-m <lines>] [-s { name | tunnels | limit | util } [-r]] 

  • -g <name> - Show only the specified handover group.
  • -l - Show only the handover group names (no data).
  • -m <lines> - Show, at most, the specified number of lines.
  • -s {name | tunnels | limit | util} - Sort the output by group name, number of open tunnels, assigned limit or tunnel utilization.
  • -r - Sort the output in reverse alphabetical order.

Example

# fw gtp ho_groups
Name                            Open tunnels      Limit %Utilization
------------------------------- ------------ ---------- ------------
Operator-6-GSNs                        25000     100000           25
Operator-9-GSNs                        33148      50000           66
Operator-3-GSNs                          380   no limit          n/a
Operator-8-GSNs                        15897     200000            7
Operator-5-GSNs                        84125     180000           46
Operator-4-GSNs                            0      50000            0
Operator-1-GSNs                        45000      45000          100
Operator-7-GSNs                        69716      70000           99
Operator-2-GSNs                       394326     500000           78
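As an added example (not Check Point code), the following parses the fw gtp ho_groups output shown above, recomputes %Utilization from Open tunnels and Limit to confirm it is the integer part of 100 × open / limit (which is what the sample rows show), and lists the groups at or above an alert threshold so that a monitoring job can warn before a group exhausts its tunnel allowance. The table is the sample above embedded as a string; the 90% threshold is an assumption of this example.

```python
"""Parse `fw gtp ho_groups` output and flag handover groups close to their tunnel limit.

Added example, not Check Point code. SAMPLE_OUTPUT is the table printed above,
embedded as a string. The %Utilization recomputation follows what the sample
rows show (the integer part of 100 * open / limit); the 90% alert threshold is
an assumption of this example.
"""
import re

SAMPLE_OUTPUT = """\
Name                            Open tunnels      Limit %Utilization
------------------------------- ------------ ---------- ------------
Operator-6-GSNs                        25000     100000           25
Operator-9-GSNs                        33148      50000           66
Operator-3-GSNs                          380   no limit          n/a
Operator-8-GSNs                        15897     200000            7
Operator-5-GSNs                        84125     180000           46
Operator-4-GSNs                            0      50000            0
Operator-1-GSNs                        45000      45000          100
Operator-7-GSNs                        69716      70000           99
Operator-2-GSNs                       394326     500000           78
"""

# name, open tunnels, limit ("no limit" when unlimited), utilization ("n/a" when unlimited)
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+|no limit)\s+(\d+|n/a)\s*$")


def parse_ho_groups(text):
    """One dict per data row: name, open_tunnels, limit (None = no limit), utilization (None = n/a)."""
    groups = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:                      # header, separator or blank line
            continue
        name, open_tunnels, limit, util = m.groups()
        groups.append({"name": name,
                       "open_tunnels": int(open_tunnels),
                       "limit": None if limit == "no limit" else int(limit),
                       "utilization": None if util == "n/a" else int(util)})
    return groups


def utilization_percent(open_tunnels, limit):
    """%Utilization as displayed: integer part of 100*open/limit; None when unlimited.

    A limit of 0 is treated as unlimited too, matching the default described above."""
    if not limit:
        return None
    return (100 * open_tunnels) // limit


def check_consistency(groups):
    """Names of rows whose printed %Utilization disagrees with Open tunnels / Limit."""
    return [g["name"] for g in groups
            if utilization_percent(g["open_tunnels"], g["limit"]) != g["utilization"]]


def groups_near_limit(groups, threshold_percent=90):
    """Names of limited groups at or above the threshold, highest utilization first."""
    hot = [g for g in groups
           if g["utilization"] is not None and g["utilization"] >= threshold_percent]
    return [g["name"] for g in sorted(hot, key=lambda g: g["utilization"], reverse=True)]


if __name__ == "__main__":
    parsed = parse_ho_groups(SAMPLE_OUTPUT)
    print("inconsistent rows:", check_consistency(parsed))
    print("at or above 90%:", groups_near_limit(parsed))
```

On the sample, no row is inconsistent and Operator-1-GSNs (100%) and Operator-7-GSNs (99%) are reported; unlimited groups such as Operator-3-GSNs are skipped because they have no utilization figure to compare against.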

Deactivating Session Hijacking Protection

The Session Hijacking protection is turned on by default. You can deactivate it with one command.

To deactivate the Session Hijacking protection, run this command on the Security Gateway in Expert mode:

# fw ctl set int gtp_allow_ho_bypass 1

To re-activate Session Hijacking protection, run:

# fw ctl set int gtp_allow_ho_bypass 0

Using Diameter Services in Rules

Diameter inspection rules examine traffic for Diameter application compatibility and compliance with the applicable protocols. If the inspection detects an error or incompatibility, the traffic is always dropped.

You can create Firewall rules that inspect Diameter traffic based on matching Diameter services. Each Diameter service is related to a Diameter application, which must support the Diameter base protocol. This release includes some predefined Diameter applications. You can create your own custom Diameter applications as necessary.

You must define Diameter services for use in rules. You can define services for Diameter over SCTP or Diameter over TCP.

Notes and Limitations:

  • All Diameter inspection rules must use the Accept action. Do not use the Drop or Reject actions, because this can cause valid Diameter traffic to be dropped.
  • You can include Diameter SCTP and Diameter TCP services in the same rule, or create different rules for each.
  • When a rule has the same source and destination objects, you must include all applicable Diameter services in that one rule. You cannot use more than one rule with the same source and destination for different Diameter services, because this can cause valid Diameter traffic to be dropped.

Creating Diameter SCTP Services

To Create a Diameter SCTP Service:

  1. Open SmartDashboard.
  2. On the Firewall tab, open Services objects tree.
  3. Right-click Services.
  4. Select Diameter > New Diameter SCTP.

    The Diameter SCTP Service Properties window opens.

    • Name - The name of the service. The name assigned here must be the same as the server service name (as in the services file). If NIS is used, the firewall automatically retrieves the information from NIS.
    • Comment - Optionally enter a comment.
    • Color - Select a color.
    • Application - Select a Diameter application. If the required application is not in the list, you can create a new one.
    • Keep connections open after policy has been installed - Overrides the settings defined on the Connection Persistence page. If you change this parameter, the change does not apply to existing open connections.
  5. Click Advanced.

    The Advanced SCTP Service Properties window opens.

  6. Configure these parameters.
    • Source Port - Port number for the client side of the service. If specified, only packets with those source port numbers are accepted, dropped, or rejected during packet inspection; otherwise, the source port is not inspected.
    • Enable Aggressive Aging - Sets short (aggressive) timeouts for idle connections. When a connection is idle for more than its aggressive timeout value, it is marked as eligible for deletion. When memory consumption or connections table capacity exceeds a user-defined threshold (high watermark), aggressive aging starts. Each incoming connection starts to delete k (10 by default) connections that are eligible for deletion. This continues until memory consumption or connections capacity decreases below the low value.
    • Synchronize connections on cluster - Enables state-synchronized High Availability or Load Sharing on a ClusterXL or OPSEC-certified cluster. Of the services allowed by the Rule Base, only those with Synchronize connections on cluster selected are synchronized as they go through the cluster. By default, all new and existing services are synchronized.
  7. Click OK two times to close the windows.

See the Rule limitations. Use SmartView Tracker to see connections that use SCTP services.

Creating Diameter TCP Services

To Create a Diameter TCP Service:

  1. Open SmartDashboard.
  2. On the Firewall tab, open Services objects tree.
  3. Right-click Services.
  4. Select Diameter > Diameter TCP.

    The Diameter TCP Service Properties window opens.

    • Name - The name of the service. The name assigned here must be the same as the server service name (as in the services file). If NIS is used, the firewall automatically retrieves the information from NIS.
    • Comment - Optionally enter a comment.
    • Color - Select a color.
    • Application - Select a Diameter application. If the required application is not in the list, you can create one.
    • Keep connections open after policy has been installed - Overrides the settings defined on the Connection Persistence page. If you change this parameter, the change does not apply to existing open connections.
  5. Click Advanced.

    The Advanced TCP Service Properties window opens. Configure these parameters.

    • Source Port - Port number for the client side of the service. If specified, only packets with those source port numbers are accepted, dropped, or rejected during packet inspection; otherwise, the source port is not inspected.
    • Enable for TCP Resource - Enables the TCP service for a TCP Resource.
    • Match for Any - If selected, this service is used when 'Any' is set for the rule's service and there are several service objects with the same source port and protocol.
    • Session Timeout - Time (in seconds) before the session times out.
      • Default - Use the default value defined on the Stateful Inspection page in Global Properties.
      • Other - Manually define a timeout period for this service.
    • Enable Aggressive Aging - Sets short (aggressive) timeouts for idle connections. When a connection is idle for more than its aggressive timeout value, it is marked as eligible for deletion. When memory consumption or connections table capacity exceeds a user-defined threshold (high watermark), aggressive aging starts. Each incoming connection starts to delete k (10 by default) connections that are eligible for deletion. This continues until memory consumption or connections capacity decreases below the low value.
    • Synchronize connections on cluster - Enables state synchronization on a ClusterXL or OPSEC-certified cluster.
    • Perform static NAT good port selection on Cluster - All traffic inspection for a connection is done by the same cluster member. This option makes for better connection stickiness.
  6. Click OK two times to close the windows.

See the Rule limitations.

Creating Diameter Applications

You can create custom Diameter applications to use in Diameter services. Custom Diameter applications are typically related to an RFC. Each application includes one or more Diameter commands.

Note - This advanced feature is complex and requires detailed knowledge of the Diameter protocols. We recommend that you coordinate use of this feature with Check Point support.

To create a Diameter application:

  1. Open GuiDBedit.
  2. On the Tables tab open Other and select diameter_service_cfg.
  3. Click in the Object pane.
  4. Click Object > New.

    The Create Object window opens.

    • Class - select diameter_app.
    • Object - enter the name of the new application.
    • Click OK.

    The new object is added to the list of objects and its fields show in the bottom pane of GuiDBedit.

  5. In Field Name column (in the lower pane in the window):
    1. Double-click app_cmds.

      The Add/Edit Element window opens.

    2. Select an application command from the Object list.

      If the command does not exist, create it (see Creating Diameter Application Commands). Repeat steps 1 and 2 as necessary to add more application commands.

    3. Double-click app_id.

      The Edit window opens.

    4. Enter a value for the application id.

      The app_id must be the same id as in the RFC for this application.

    5. Double-click include_diameter_base_app.

      Make sure the value is true, unless you want to block some application commands.

    6. Double-click is_diameter_base_app.

      Make sure the value is false.

  6. Save and close GuiDBedit.

In SmartDashboard, the new application shows in the Diameter TCP/SCTP Service Properties window. You must restart SmartDashboard before you can use the new service in a policy rule.

Creating Diameter Application Commands

A Diameter application includes one or more commands. There are default commands, and you can create new request or answer commands.

Note - This advanced feature is complex and requires detailed knowledge of the Diameter protocols. We recommend that you coordinate use of this feature with Check Point support.

To create a Diameter application command:

  1. In GuiDBedit, click in the Object Name column.
  2. Click Objects > New.

    The Create Object window opens.

  3. From Class select diameter_cmd.

    Note - diameter_avp is not a valid option when creating Diameter application commands. The diameter_avp class is used only for creating diameter_avp objects and is not enforced by the policy.

  4. In the Object field, enter a name for the new command.
    • Use the application command names as defined by the applicable RFC.
    • Select the request or answer command as necessary. For example, new_cmd_request or new_cmd_answer.
  5. Click OK.

    The new command shows in the Objects table.

  6. Select the new command.
  7. In the Field table:
    1. Double-click cmd_code.

      In the Edit window, enter the value specified by the related RFC.

      Click OK.

    2. Double-click display_code.

      In the Edit window, enter the value specified by the related RFC (a three-letter code, for example NCR or NCA).

      Click OK.

    3. Double-click request.

      In the Edit window, select true or false:

      • Application request commands must be true.
      • Application answer commands must be false.
  8. Click OK.
  9. On the toolbar, click the Save all changed objects button.

    Important - You must save new commands before you can add them to a diameter application.

Blocking Specified Application Commands

You can create a service for an application that excludes specified commands. This lets you use a Diameter rule to block traffic that uses the specified commands.

Note - This advanced feature is complex and requires detailed knowledge of the Diameter protocols. We recommend that you coordinate use of this feature with Check Point support.

In a Diameter application, the include_diameter_base_app value is typically set to TRUE. To block commands allowed by the base protocol:

  1. Create a custom Diameter application with an ID that is not related to an RFC.
    • Add only the commands to be allowed.
    • Set the include_diameter_base_app property to FALSE.
  2. Create a new service that uses the new custom Diameter application, for SCTP or TCP inspection.
  3. Add the new Service to a Diameter rule.
  4. Install policy.

Notes and limitations:

  • Make sure the source and destination Diameter nodes use the custom application. If not, the rule will not exclude the blocked application commands because it will use the standard RFC based application.
  • All Diameter Services rules must have the include_diameter_base_app property set to the same value - FALSE. If not, the rule will not exclude the blocked application commands because it will use the standard RFC based application.
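To make the application and command model of the three procedures above concrete, here is an added example (not Check Point code) that parses the fixed 20-byte Diameter header defined in RFC 6733, represents a diameter_app with its app_id, app_cmds (cmd_code, display_code and request flag) and include_diameter_base_app setting, and returns accept or drop for a message. It covers the custom application, the command definitions and the blocking of base-protocol commands when include_diameter_base_app is FALSE. The accept/drop rule keys on the command code and the R flag only and is a simplification of this example, not the gateway's enforcement logic; command codes and application ids are the IANA values from RFC 6733 and RFC 4006, the custom application id is a constructed placeholder, and all messages are constructed.

```python
"""Diameter application/command matching as an accept/drop decision.

Added example, not Check Point code. A diameter_app here has app_id,
app_cmds (cmd_code, display_code, request flag) and include_diameter_base_app,
mirroring the GuiDBedit fields described above. The decision keys on
command code and the R (request) flag only; this is a simplification of
the example, not the gateway's enforcement logic. Command codes and
application ids are the IANA values from RFC 6733 / RFC 4006; all
messages are constructed.
"""
import struct
from dataclasses import dataclass

FLAG_REQUEST = 0x80  # 'R' bit of the Diameter command-flags byte (RFC 6733 section 3)


@dataclass(frozen=True)
class DiameterCmd:
    cmd_code: int
    display_code: str
    request: bool        # True for *R commands, False for *A commands


@dataclass(frozen=True)
class DiameterApp:
    name: str
    app_id: int          # the RFC-assigned application id (not used by the decision below)
    app_cmds: frozenset  # of DiameterCmd
    include_diameter_base_app: bool = True


# Diameter base protocol (application id 0), RFC 6733.
BASE_APP = DiameterApp("diameter_base", 0, frozenset({
    DiameterCmd(257, "CER", True), DiameterCmd(257, "CEA", False),
    DiameterCmd(280, "DWR", True), DiameterCmd(280, "DWA", False),
    DiameterCmd(282, "DPR", True), DiameterCmd(282, "DPA", False),
}), include_diameter_base_app=False)

# Credit-Control (RFC 4006): application id 4, command code 272.
CC_CMDS = frozenset({DiameterCmd(272, "CCR", True), DiameterCmd(272, "CCA", False)})
CREDIT_CONTROL = DiameterApp("credit_control", 4, CC_CMDS)
# Custom application from the "Blocking Specified Application Commands" procedure:
# only the allowed commands, include_diameter_base_app FALSE. The id 999999 is a
# constructed placeholder (the page says to use an id not tied to an RFC).
CREDIT_CONTROL_NO_BASE = DiameterApp("credit_control_custom", 999999, CC_CMDS,
                                     include_diameter_base_app=False)


def build_header(cmd_code, app_id, request, length=20):
    """Pack a Diameter header: version 1, 3-byte length, flags byte, 3-byte
    command code, application id, hop-by-hop id, end-to-end id (20 bytes)."""
    flags = FLAG_REQUEST if request else 0
    return struct.pack(">IIIII", (1 << 24) | length, (flags << 24) | cmd_code, app_id, 1, 1)


def parse_header(data):
    """Return (cmd_code, app_id, is_request); raise ValueError on a malformed header."""
    if len(data) < 20:
        raise ValueError("Diameter header is 20 bytes")
    w0, w1, app_id, _hop_by_hop, _end_to_end = struct.unpack(">IIIII", data[:20])
    if w0 >> 24 != 1:
        raise ValueError("unsupported Diameter version")
    if (w0 & 0xFFFFFF) < 20:
        raise ValueError("message length smaller than the header")
    return w1 & 0xFFFFFF, app_id, bool((w1 >> 24) & FLAG_REQUEST)


def _has_cmd(app, cmd_code, is_request):
    return any(c.cmd_code == cmd_code and c.request == is_request for c in app.app_cmds)


def inspect(data, app):
    """'accept' if the message's command belongs to app, or to the base protocol
    when app includes it; 'drop' otherwise and on protocol errors."""
    try:
        cmd_code, _app_id, is_request = parse_header(data)
    except ValueError:
        return "drop"                      # errors are always dropped, as the page states
    if _has_cmd(app, cmd_code, is_request):
        return "accept"
    if app.include_diameter_base_app and _has_cmd(BASE_APP, cmd_code, is_request):
        return "accept"
    return "drop"


def display_code(app, cmd_code, is_request):
    """Three-letter display code (e.g. CCR) for logging, or None if unknown to app and base."""
    for candidate in (app, BASE_APP):
        for c in candidate.app_cmds:
            if c.cmd_code == cmd_code and c.request == is_request:
                return c.display_code
    return None
```

With CREDIT_CONTROL a Device-Watchdog-Request is accepted because the base application is included; with CREDIT_CONTROL_NO_BASE the same message is dropped while CCR/CCA still pass, which is the effect the blocking procedure describes.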

Sending Check Point Logs to a Syslog Server

By default, gateway logs are sent to the Security Management Server. You can configure gateways to send logs directly to syslog servers. First, define syslog servers. Then, update the logging properties of the gateways.

These syslog protocols are supported:

  • RFC 3164 (old)
  • RFC 5424 (new)

Limitations

  • IPv6 logs are not supported
  • Software Blade logs are not supported

Defining Syslog Servers

To define a Syslog server:

  1. In SmartDashboard, click the Firewall tab.
  2. In the Servers and OPSEC Applications object tree, right-click Servers > New > Syslog.
  3. In the Syslog Properties window, enter or select:
    • Name
    • Optional comment
    • Host
    • Port (Default = 514)
    • Version (BSD Protocol or Syslog Protocol)
Example of a BSD Protocol log entry:

<81>Jul 25 17:26:49 172.23.22.63 Action="accept" src="91.90.139.74" 
dst="172.23.22.63" proto="17" product="VPN-1 & FireWall-1" service="1147"
s_port="26666" product_family="Network"

Example of a Syslog Protocol log entry (truncated):

<81>1 2012-07-25T17:17:50Z 172.23.22.63 CP-GW - Log 
[Fields@1.3.6.1.4.1.2620 Action="accept" rule="1" src="91.90.139.74"
dst="172.23.22.63" proto="17" product="VPN-1 & FireWall-1" service="1052"
s_port="54444" product_family="Network"]
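The two entries above differ in header layout but carry the same key="value" fields, so as an added example (not Check Point code) here is a parser that recognises both formats, splits the <PRI> value into facility and severity, and returns the fields as a dict for a collector or SIEM pipeline. The two samples are the entries printed above re-joined onto single lines (the RFC 5424 one truncated as shown); backslash escapes inside RFC 5424 structured-data values are not unescaped.

```python
"""Parser for the two Check Point syslog formats shown above.

Added example, not Check Point code. Recognises BSD Protocol (RFC 3164) and
Syslog Protocol (RFC 5424) entries, splits <PRI> into facility and severity
and returns the key="value" fields as a dict. The samples are the page's two
entries re-joined onto single lines; backslash escapes inside RFC 5424
structured-data values are not unescaped.
"""
import re

BSD_SAMPLE = (
    '<81>Jul 25 17:26:49 172.23.22.63 Action="accept" src="91.90.139.74" '
    'dst="172.23.22.63" proto="17" product="VPN-1 & FireWall-1" service="1147" '
    's_port="26666" product_family="Network"'
)
RFC5424_SAMPLE = (
    '<81>1 2012-07-25T17:17:50Z 172.23.22.63 CP-GW - Log '
    '[Fields@1.3.6.1.4.1.2620 Action="accept" rule="1" src="91.90.139.74" '
    'dst="172.23.22.63" proto="17" product="VPN-1 & FireWall-1" service="1052" '
    's_port="54444" product_family="Network"]'
)

# <PRI>Mmm dd HH:MM:SS HOSTNAME MSG
BSD_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")
# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ID PARAM="..." ...]
RFC5424_RE = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) \[([^ \]]+)( [^\]]*)?\]")
KV_RE = re.compile(r'(\w+)="([^"]*)"')   # values may contain spaces and '&', e.g. the product


def split_priority(pri):
    """PRI = facility * 8 + severity (RFC 5424 section 6.2.1); <81> is facility 10, severity 1."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


def parse_checkpoint_syslog(line):
    """Return a dict for a BSD or RFC 5424 entry; raise ValueError for anything else."""
    m = RFC5424_RE.match(line)
    if m:
        pri, ts, host, app, procid, msgid, sd_id, params = m.groups()
        facility, severity = split_priority(int(pri))
        return {"format": "RFC 5424", "facility": facility, "severity": severity,
                "timestamp": ts, "host": host, "app_name": app, "procid": procid,
                "msgid": msgid, "sd_id": sd_id, "fields": dict(KV_RE.findall(params or ""))}
    m = BSD_RE.match(line)
    if m:
        pri, ts, host, msg = m.groups()
        facility, severity = split_priority(int(pri))
        return {"format": "RFC 3164", "facility": facility, "severity": severity,
                "timestamp": ts, "host": host, "fields": dict(KV_RE.findall(msg))}
    raise ValueError("not a recognised Check Point syslog entry")


def accepted_flows(lines):
    """(src, dst, service) of entries with Action="accept", whichever format they use."""
    out = []
    for line in lines:
        fields = parse_checkpoint_syslog(line)["fields"]
        if fields.get("Action") == "accept":
            out.append((fields.get("src"), fields.get("dst"), fields.get("service")))
    return out


if __name__ == "__main__":
    for sample in (BSD_SAMPLE, RFC5424_SAMPLE):
        print(parse_checkpoint_syslog(sample))
```

Because both formats end up in the same field dictionary, downstream logic such as accepted_flows does not need to know which protocol version the gateway was configured with.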

Configuring Gateways to Send Logs to Syslog Servers

You can configure a gateway to send logs to multiple syslog servers. The syslog servers must be the same type: BSD Protocol or Syslog Protocol.

To send the logs of a gateway to syslog servers:

  1. In SmartDashboard, go to gateway Properties > Logs.
  2. In the Send logs and alerts to these log server table, click the green button to add syslog servers.

    Note - You cannot configure a Syslog server as a backup server.

  3. Click OK.
  4. Install policy.

Enabling Syslog in Kernel

The fwsyslog_enable kernel parameter enables or disables the Syslog in Kernel feature:

0 = Disabled (default)

1 = Enabled

You can enable or disable Syslog in Kernel temporarily (until the system reboots) or permanently (until manually disabled).

To temporarily enable Syslog in Kernel on a Security Gateway:

  1. Run: # fw ctl set int fwsyslog_enable 1
  2. Install Policy.

To permanently enable Syslog in Kernel on a Security Gateway:

  1. Run:

    echo fwsyslog_enable=1 >> $FWDIR/modules/fwkern.conf

  2. Reboot the Security Gateway or cluster members.

To disable Syslog in Kernel temporarily:

Run: # fw ctl set int fwsyslog_enable 0

To disable Syslog in Kernel permanently:

  1. Open $FWDIR/modules/fwkern.conf in a text editor and do one of these actions:
    • Set fwsyslog_enable=0

      or

    • Delete the fwsyslog_enable line.
  2. Reboot the Security Gateway.

Verification

To see the Syslog in Kernel status:

[Expert@host:0]# fw ctl get int fwsyslog_enable

You can see the count of logs sent to syslog from the kernel. Log counters start when you install the policy.

To see log count for an instance:

[Expert@host:0]# fw -i <instance_number> ctl get size fwsyslog_nlogs_counter

Sample output:

fwsyslog_nlogs_counter = 21

To see log count for all instances:

  1. Open two command line connections to the Security Gateway.
  2. On the first CLI connection, run: # fw ctl zdebug
  3. On the second CLI connection, run: # fw ctl set size fwsyslog_print_counter 1
  4. On the first shell, see the counter for each instance and the sum of all instances.

Sample output:

;[cpu_2];[fw4_0];Number of logs sent from instance 0 is 43;
;[cpu_2];[fw4_0];Number of logs sent from instance 1 is 39;
;[cpu_2];[fw4_0];Number of logs sent from instance 2 is 50;
;[cpu_2];[fw4_0];Total fwsyslog_nlogs_counter = 132;

Configuring CGNAT

To configure CGNAT objects:

  1. In SmartDashboard, create a subscriber Network Object.

    You can use one network object to handle traffic for one subscriber or for many subscribers.

    1. In the Network Properties window - General tab, enter the IPv4 address and subnet mask in the applicable fields.
    2. Configure other properties as necessary.
  2. Create a subscriber Address Range Object.

    Important - If you cannot define the hide range with one continuous address range, you must divide the subscriber networks into subnets and then create different CGNAT rules for each network segment.

To create a CGNAT Rule:

  1. In the NAT pane, create a new rule.
  2. Right-click the Translated Packet - Source cell and select Add (Hide CGNAT).
  3. In the Add Object window, select the subscriber Address Range Object.
  4. In the Original Packet - Source cell, select the subscriber Network Object.
  5. Move the cursor over the Translated - Source cell to see the number of ports for each subscriber.

    Important - If the calculated number of ports per subscriber is less than 10, a warning message shows. If this occurs, increase the number of addresses in the hide range.

  6. Install Policy.

CGNAT Rule Notes

  • Use only IP address range objects for the translated source.
  • Do not change the destination and service cell default values.
  • Do not use overlapping IP addresses in rules. When rules include overlapping IP address ranges, only the first occurrence of the overlapping address is used.

    For example, if:

    Rule 1 uses ip-range: 10.10.10.1-50
    Rule 2 uses ip-range: 10.10.10.30-100

    Then:

    Rule 1 is applicable to the full range (10.10.10.1-50).

    Rule 2 is applicable only to the sub-range (10.10.10.51-100).
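The first-match behaviour in the last note above generalises to any ordered list of CGNAT rules. The following added example (not Check Point code) computes, for each rule, the address sub-ranges it actually handles after earlier rules have claimed theirs, and flags rules that overlap an earlier one, including the case of a rule whose whole range is already covered and therefore never matches. The sample rules are the two from this page; the shorthand range notation (10.10.10.1-50, last octet only) is parsed as written here.

```python
"""First-match resolution of overlapping CGNAT original-source ranges.

Added example, not Check Point code. Rules are evaluated in order; an address
is handled by the first rule whose range contains it, so a later rule keeps
only the parts of its range that no earlier rule already covers. The sample
rules are the two from the notes above; the shorthand form 10.10.10.1-50
(last octet only) is parsed as written on this page.
"""
import ipaddress

SAMPLE_RULES = [("Rule 1", "10.10.10.1-50"), ("Rule 2", "10.10.10.30-100")]


def parse_range(text):
    """'10.10.10.1-50' or '10.10.10.1-10.10.10.50' -> (first, last) as integers."""
    first_s, last_s = text.split("-", 1)
    if "." not in last_s:                                   # shorthand: last octet only
        last_s = first_s.rsplit(".", 1)[0] + "." + last_s
    first, last = int(ipaddress.IPv4Address(first_s)), int(ipaddress.IPv4Address(last_s))
    if last < first:
        raise ValueError(f"range end before start: {text}")
    return first, last


def _fmt(first, last):
    return f"{ipaddress.IPv4Address(first)}-{ipaddress.IPv4Address(last)}"


def effective_ranges(rules):
    """Map each rule name to the list of sub-ranges ('a.b.c.d-w.x.y.z') it actually handles."""
    claimed = []        # (first, last) pairs already taken by earlier rules
    result = {}
    for name, text in rules:
        first, last = parse_range(text)
        pieces = [(first, last)]
        for c_first, c_last in claimed:
            remaining = []
            for p_first, p_last in pieces:
                if p_last < c_first or p_first > c_last:      # disjoint: keep whole piece
                    remaining.append((p_first, p_last))
                    continue
                if p_first < c_first:                          # part before the claimed range
                    remaining.append((p_first, c_first - 1))
                if p_last > c_last:                            # part after the claimed range
                    remaining.append((c_last + 1, p_last))
            pieces = remaining
        result[name] = [_fmt(a, b) for a, b in pieces]
        claimed.append((first, last))
    return result


def overlapping_rules(rules):
    """Names of rules that lose part (or all) of their range to an earlier rule."""
    eff = effective_ranges(rules)
    return [name for name, text in rules if eff[name] != [_fmt(*parse_range(text))]]


if __name__ == "__main__":
    for name, ranges in effective_ranges(SAMPLE_RULES).items():
        print(name, "->", ranges or "never matches")
    print("overlapping:", overlapping_rules(SAMPLE_RULES))
```

For the page's two rules the output reproduces the note: Rule 1 keeps 10.10.10.1-10.10.10.50 and Rule 2 is left with 10.10.10.51-10.10.10.100. overlapping_rules is the check to run over a rule base before installing policy, since the notes say overlapping ranges should not be used at all.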

Tracking CGNAT Rule Activity

To identify the original subscriber IP address behind a CGNAT translation:

  1. Run SmartLog.
  2. Use this query for the address/port combination.

    hide_ip:<public ip> and hide_port:<public port number>

    For example, hide_ip:10.1.1.10 and hide_port:38200.

  3. Click a record to see the original subscriber IP address.

Configuring Stateful NAT64

Before you define NAT64 rules:

  1. For embedded NAT64, define an address range network object with an IPv4 range.

    This range must be routable and not in use on the IPv4 side of the network. We recommend that you define a large range for more concurrent NAT64 connections.

  2. Define IPv6 network objects for your IPv4 hosts:
    • You can define IPv4 embedded IPv6 addresses for servers, IP address ranges and network objects.
    • You can define static IPv6 addresses for servers and other 'simple' host objects.

Defining a NAT64 Rule

Define NAT64 rules as Manual NAT rules in the NAT policy view. Make sure that you add firewall security rules that allow NAT traffic.

Use the standard procedure for NAT rules, with these differences:

  1. The Translated Packet Source cell must contain an IPv4 hide range.
  2. The Original Packet Destination cell must contain one of these:
    • A supported network object with an IPv4-embedded IPv6 address
    • A host object with one static IPv6 address
  3. You must set the Translation Method to Stateful NAT64. Right-click the Translated Packet Source cell and select ADD > Stateful NAT64.

Notes:

When you set the NAT Method to Stateful NAT64:

  • The Translated Packet Destination cell shows Embedded IPv4.
  • A 64 icon shows in the Translated Packet Source and Destination cells.
  • You can change the contents of the Translated Destination cell if the Original Destination is also a host object. The cell contents can only contain host objects with IPv4 addresses.
  • An icon with an S shows that the cell contains a 1:1 static address translation of the destination.
  • Make sure the gateway interface to the IPv4 network is configured correctly:
    • There is an IPv6 address assigned to this interface.
    • The network prefix length is equal to or less than 96.
    • The Security Gateway routing table sends traffic for the original IPv6 destination (as defined by the NAT rule) to the IPv4 interface.
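The "IPv4-embedded IPv6 address" objects used in the Original Packet Destination cell, and the prefix-length requirement on the IPv4-side interface, follow the RFC 6052 address format. The Python below is an added example, not Check Point's code or the gateway's own translator: it builds and decodes RFC 6052 addresses for every prefix length the RFC allows and applies the documented "prefix length 96 or less" check. The 64:ff9b::/96 well-known prefix and the 2001:db8:: prefixes are sample input, not values from this page.

```python
import ipaddress

# Added example, not Check Point's code. Embeds an IPv4 address into an IPv6
# NAT64 prefix and recovers it again, following RFC 6052 section 2.2.

RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
WELL_KNOWN_PREFIX = "64:ff9b::/96"   # RFC 6052 well-known prefix, sample input only


def _ipv4_bit_positions(plen):
    """Bit offsets (0 = most significant) that carry the 32 IPv4 bits for a given
    prefix length. Bits 64-71 are the reserved 'u' octet and are skipped."""
    positions, bit = [], plen
    while len(positions) < 32:
        if not 64 <= bit < 72:
            positions.append(bit)
        bit += 1
    return positions


def embed_ipv4(prefix, ipv4):
    """Return the IPv6 address that embeds ipv4 under the given NAT64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in RFC6052_PREFIX_LENGTHS:
        raise ValueError(f"/{net.prefixlen} is not an RFC 6052 prefix length")
    v4 = int(ipaddress.IPv4Address(ipv4))
    addr = int(net.network_address)
    for j, pos in enumerate(_ipv4_bit_positions(net.prefixlen)):
        addr |= ((v4 >> (31 - j)) & 1) << (127 - pos)
    return ipaddress.IPv6Address(addr)


def extract_ipv4(prefix, ipv6):
    """Recover the embedded IPv4 address. Rejects addresses outside the prefix
    and addresses whose 'u' octet is non-zero (RFC 6052 requires zero)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in RFC6052_PREFIX_LENGTHS:
        raise ValueError(f"/{net.prefixlen} is not an RFC 6052 prefix length")
    addr6 = ipaddress.IPv6Address(ipv6)
    if addr6 not in net:
        raise ValueError(f"{addr6} is not inside {net}")
    a = int(addr6)
    if (a >> 56) & 0xFF:              # bits 64-71 of the 128-bit address
        raise ValueError("reserved u octet (bits 64-71) is not zero")
    v4 = 0
    for pos in _ipv4_bit_positions(net.prefixlen):
        v4 = (v4 << 1) | ((a >> (127 - pos)) & 1)
    return ipaddress.IPv4Address(v4)


def interface_prefix_ok(prefix):
    """Documented requirement for the IPv6 address on the gateway's IPv4-side
    interface: the network prefix length must be 96 or less."""
    return ipaddress.IPv6Network(prefix, strict=False).prefixlen <= 96


if __name__ == "__main__":
    print(embed_ipv4(WELL_KNOWN_PREFIX, "192.0.2.33"))        # 64:ff9b::c000:221
    print(extract_ipv4(WELL_KNOWN_PREFIX, "64:ff9b::c000:221"))  # 192.0.2.33
    print(interface_prefix_ok("2001:db8:122:344::/96"))      # True
```

With a /96 prefix the IPv4 address occupies the last 32 bits, which is why such addresses can be written with a dotted-quad tail (64:ff9b::192.0.2.33); the shorter prefix lengths spread the IPv4 bits around the reserved octet, so decoding by eye is error-prone and a helper like extract_ipv4 is worth keeping next to the NAT rule base.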

Other Settings

To configure NAT64 translation RFC 6052 compliant settings, open: Menu > Policy > Global Properties > NAT

We recommend that you change the default settings only if you are familiar with the technology.

Copy type of service to service class (Activated by default) - This setting copies the traffic class field to the type of service field, and sets the type of service field in the translated packet to zero.

PMTU black hole avoidance (Deactivated by default) - Allows packet fragmentation on the IPv4 (destination) side during PMTU discovery. Activate this setting if some equipment combinations cause PMTU discovery to fail.

Add UDP checksum (Deactivated by default) - Lets the translator calculate and add a valid UDP checksum value to a packet if the packet checksum value is zero. This is important because, by default, an IPv4 UDP packet with a checksum value of zero is dropped on the IPv6 side.

Gateway Configuration

Make sure the number of IPv6 firewall instances is equal to the number of IPv4 firewall instances.

Logging

Source and destination IP addresses show in their original IPv6 format. To identify a NAT64 entry, look in the More section of the Record Details window.

XlateSrc - Source hide IPv4 address

XlateDst - Destination embedded IPv4 address

Information - Identifies the entry as NAT64 traffic

Large Scale VPN

A VPN that connects branch offices, worldwide partners, remote clients, and other environments, can reach hundreds or thousands of peers. A VPN on this scale brings new challenges. For example, when a new peer is deployed in production, you must define the peer and configure the environment again. Every time a new peer is deployed, you must Install Policy on all the Security Gateways.

The Large Scale VPN (LSV) feature addresses these challenges to deploy more easily and quickly. LSV is supported in R77.30 and higher.

Configuring LSV

To configure Large Scale VPN:

  1. If necessary, create a Trusted CA object in SmartConsole for the CA server that signs LSV peer certificates.
  2. In SmartConsole, right-click Network Objects > Others and select LSV Profile.
  3. In the Large Scale VPN Properties window > General page, enter a unique name for the LSV Profile.
  4. Select a Certificate Authority (CA) to sign peer certificates from the list.

    A CA can sign for only one LSV profile.

  5. In the VPN tab, add VPN communities.
  6. Optional: In the Advanced tab, define limitations for LSV peers:
    • Limit peer's VPN Domain size - Set the maximum number of IP addresses in the VPN domain.
    • Allow any - All IP addresses can be included in the VPN domain.
    • Restrict to a group or network - Include only the selected groups or networks in the peer domain.
  7. Click OK.

    The LSV Profile is under Network Objects > Interoperable Devices.

    Open SmartDashboard > IPsec VPN > Communities. Double-click the community to which you added the LSV profile, and make sure it is listed with the gateways.

  8. Install policy.

Monitoring LSV Peers and Tunnels

You can monitor LSV peers on a Security Gateway with the vpn lsv command.

  1. From the Security Gateway command line, run: vpn lsv
  2. Select an option.
**********     Select Option     **********

(1)             List all LSV peers
(2)             Show LSV peer's details
(3)             Remove an LSV peer
(4)             Remove all LSV peers

(Q)             Quit

*******************************************

You can also monitor LSV tunnels with SmartView Monitor.

Configuring New GTPv2 Message Types and Information Elements

This release lets you add user defined message types and information elements for GTPv2.

  • gtpv2_ignore_messages - for unknown message types
  • gtpv2_ignore_elements - for unexpected information elements

The GTPv2 protocol supports user defined information elements (IEs) and message types. You can configure Firewall-1 GX to identify these items as legitimate traffic.

To configure Firewall-1 GX to allow these message types and information elements, add these lines to $FWDIR/lib/gtp.def on the management server:

  • gtpv2_ignore_messages = {<new_message_types>};
  • gtpv2_ignore_elements = {<new_information_element_types>};

Example:

  • gtpv2_ignore_messages = {224,233,251};
  • gtpv2_ignore_elements = {99,101,103};

Message types 224, 233, 251 and information elements 99, 101, 103 are allowed by the gateway.
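Because a typo in these lines only shows up at policy install, it helps to check them first. The following Python is an added example, not Check Point's code and not a parser for the whole gtp.def file: it validates only the two settings shown above, using the fact that GTPv2 message types and IE types are one-octet fields (0 to 255). The sample text it parses is constructed to match the example above.

```python
import re

# Added example, not Check Point's code. Checks gtpv2_ignore_messages and
# gtpv2_ignore_elements lines before they are added to $FWDIR/lib/gtp.def.
# GTPv2 message types and IE types are one octet wide, so values above 255
# can never match real traffic and almost certainly indicate a typo.

SETTINGS = ("gtpv2_ignore_messages", "gtpv2_ignore_elements")
LINE_RE = re.compile(r"^\s*(\w+)\s*=\s*\{([^{}]*)\}\s*;\s*$")

# Constructed sample matching the documented example (not a real gtp.def).
SAMPLE_GTP_DEF = """
gtpv2_ignore_messages = {224,233,251};
gtpv2_ignore_elements = {99,101,103};
"""


def parse_gtp_def(text):
    """Return (settings, problems). settings maps each recognised setting name
    to its list of values; problems lists findings and is empty when clean."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: expected 'name = {{a,b,c}};', got {line!r}")
            continue
        name, body = m.group(1), m.group(2)
        if name not in SETTINGS:
            problems.append(f"line {lineno}: {name} is not one of {', '.join(SETTINGS)}")
            continue
        if name in settings:
            problems.append(f"line {lineno}: {name} is defined more than once")
        values = []
        for tok in body.split(","):
            tok = tok.strip()
            if not tok.isdigit():
                problems.append(f"line {lineno}: {tok!r} is not a decimal number")
                continue
            value = int(tok)
            if value > 255:
                problems.append(f"line {lineno}: {value} does not fit a one-octet GTPv2 type field")
                continue
            if value in values:
                problems.append(f"line {lineno}: {value} is listed twice")
                continue
            values.append(value)
        settings[name] = values
    return settings, problems


if __name__ == "__main__":
    found, issues = parse_gtp_def(SAMPLE_GTP_DEF)
    print(found)                       # the two settings with their values
    print(issues or "no problems")
```

Feed it the exact lines you intend to paste into gtp.def; an empty problems list means the syntax and value ranges are consistent with the example above.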

 