Firewall Kernel Parameters

To change the internal default behavior of Firewall or to configure special advanced settings for Firewall, you can use Firewall kernel parameters.

The names of applicable Firewall kernel parameters and their values appear in various SK articles in Check Point Support Center, and provided by Check Point Support.

Important:

The names of Firewall kernel parameters are case-sensitive.
You can configure most of the Firewall kernel parameters on-the-fly with the "g_fw ctl set" command.

This change does not survive a reboot.
You can configure some of the Firewall kernel parameters only permanently in the special configuration files - $FWDIR/boot/modules/fwkern.conf or $FWDIR/boot/modules/vpnkern.conf.

This requires a maintenance window, because the new values of the kernel parameters take effect only after a reboot.

Examples of Firewall kernel parameters

Type	Name
Integer	`fw_allow_simultaneous_ping` `fw_kdprintf_limit` `fw_log_bufsize` `send_buf_limit`
String	`simple_debug_filter_addr_1` `simple_debug_filter_daddr_1` `simple_debug_filter_vpn_1` `ws_debug_ip_str` `fw_lsp_pair1`

Type

Name

Integer

fw_allow_simultaneous_ping

fw_kdprintf_limit

fw_log_bufsize

send_buf_limit

String

simple_debug_filter_addr_1

simple_debug_filter_daddr_1

simple_debug_filter_vpn_1

ws_debug_ip_str

fw_lsp_pair1

Working with Integer Kernel Parameters

Viewing the list of the available Firewall integer kernel parameters and their values

Step

Instructions

Connect to the command line on the applicable Security Group A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected..

Get the list of the available integer kernel parameters and their values:

modinfo -p $FWDIR/boot/modules/fw_kern*.o | sort -u | grep _type | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get int 1>> /var/log/fw_integer_kernel_parameters.txt 2>> /var/log/fw_integer_kernel_parameters.txt

Analyze the output file:

/var/log/fw_integer_kernel_parameters.txt

Viewing the current value of a Firewall integer kernel parameter

Step

Instructions

Connect to the command line on the applicable Security Group.

Check the current value of an integer kernel parameter:

g_fw ctl get int <Name of Integer Kernel Parameter> [-a]

Example:

[Expert@MyChassis-ch0x-0x:0]# g_fw ctl get int send_buf_limit
send_buf_limit = 80
[Expert@MyChassis-ch0x-0x:0]#

Configuring a value for a Firewall integer kernel parameter temporarily

Important - This change does not survive reboot.

Step

Instructions

Connect to the command line on the applicable Security Group.

Set the new value for an integer kernel parameter:

g_fw ctl set int <Name of Integer Kernel Parameter> <Integer Value>

Example:

[Expert@MyChassis-ch0x-0x:0]# g_fw ctl set int send_buf_limit 100
Set operation succeeded
[Expert@MyChassis-ch0x-0x:0]#

Make sure the new value is set:

g_fw ctl get int <Name of Integer Kernel Parameter>

Example:

[Expert@MyChassis-ch0x-0x:0]# g_fw ctl get int send_buf_limit
send_buf_limit = 100
[Expert@MyChassis-ch0x-0x:0]#

Configuring a value for a Firewall integer kernel parameter permanently

To make a kernel parameter configuration permanent (to survive reboot), you must edit one of the applicable configuration files:

For Firewall kernel parameters:

$FWDIR/boot/modules/fwkern.conf
For VPN kernel parameters:

$FWDIR/boot/modules/vpnkern.conf

The exact instructions are provided in various SK articles in Check Point Support Center, and provided by Check Point Support.

For more information, see sk26202: Changing the kernel global parameters for Check Point Security Gateway.

Step

Instructions

Connect to the command line on the applicable Security Group.

Add the required Firewall kernel parameter with the assigned value in the exact format specified below.

Important - These configuration files do not support space characters, tabulation characters, and comments (lines that contain the # character).

To add a Firewall integer kernel parameter:

g_update_conf_file $FWDIR/boot/modules/fwkern.conf <Name_of_Integer_Kernel_Parameter>=<Integer_Value>

To add a VPN integer kernel parameter:

g_update_conf_file $FWDIR/boot/modules/vpnkern.conf <Name_of_Integer_Kernel_Parameter>=<Integer_Value>

To add a Firewall string kernel parameter:

Note - You must write the value in single quotes, or double quotes.

g_update_conf_file $FWDIR/boot/modules/fwkern.conf <Name_of_String_Kernel_Parameter>='<String_Text>'

g_update_conf_file $FWDIR/boot/modules/fwkern.conf <Name_of_String_Kernel_Parameter>="<String_Text>"

Reboot the Security Group:

reboot -b all

Connect to the command line on the applicable Security Group.

Make sure the new value of the kernel parameter is set:

For an integer kernel parameter, run:

g_fw ctl get int <Name of Integer Kernel Parameter> [-a]

For a string kernel parameter, run:

g_fw ctl get str <Name of String Kernel Parameter> [-a]

Working with String Kernel Parameters

Viewing the list of the available Firewall string kernel parameters and their values

Step

Instructions

Connect to the command line on the applicable Security Group.

Get the list of the available integer kernel parameters and their values:

modinfo -p $FWDIR/boot/modules/fw_kern*.o | sort -u | grep 'string param' | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get str 1>> /var/log/fw_string_kernel_parameters.txt 2>> /var/log/fw_string_kernel_parameters.txt

Analyze the output file:

/var/log/fw_string_kernel_parameters.txt

Viewing the current value of a Firewall string kernel parameter

Step

Instructions

Connect to the command line on the applicable Security Group.

Check the current value of a string kernel parameter:

g_fw ctl get str <Name of String Kernel Parameter> [-a]

Example:

[Expert@MyChassis-ch0x-0x:0]# g_fw ctl get str fileapp_default_encoding_charset
fileapp_default_encoding_charset = 'UTF-8'
[Expert@MyChassis-ch0x-0x:0]#

Configuring a value for a Firewall string kernel parameter temporarily

Important - This change does not survive reboot.

Step

Instructions

Connect to the command line on the applicable Security Group.

Set the new value for a string kernel parameter:

Note - You must write the value in single quotes, or double quotes.

g_fw ctl set str <Name of String Kernel Parameter> '<String Text>'

g_fw ctl set str <Name of String Kernel Parameter> "<String Text>"

Example:

[Expert@MyChassis-ch0x-0x:0]# g_fw ctl set str debug_filter_saddr_ip '1.1.1.1'
Set operation succeeded
[Expert@MyChassis-ch0x-0x:0]#

Make sure the new value is set:

g_fw ctl get str <Name of String Kernel Parameter>

Example:

[Expert@MyChassis-ch0x-0x:0]# g_fw ctl get str debug_filter_saddr_ip
debug_filter_saddr_ip = '1.1.1.1'
[Expert@MyChassis-ch0x-0x:0]#

Removing the current value from a Firewall string kernel parameter temporarily

Important - This change does not survive reboot.

Step

Instructions

Connect to the command line on the applicable Security Group.

Clear the current value from a string kernel parameter:

Note - You must set an empty value in single quotes, or double quotes.

g_fw ctl set str '<Name of String Kernel Parameter>'

g_fw ctl set str "<Name of String Kernel Parameter>"

Example:

[Expert@MyChassis-ch0x-0x:0]# g_fw ctl set str debug_filter_saddr_ip ''
Set operation succeeded
[Expert@MyChassis-ch0x-0x:0]#

Make sure the value is cleared (the new value is empty):

g_fw ctl get str <Name of String Kernel Parameter>

Example:

[Expert@MyChassis-ch0x-0x:0]# g_fw ctl get str debug_filter_saddr_ip
debug_filter_saddr_ip = ''
[Expert@MyChassis-ch0x-0x:0]#