To change the internal default behavior of Firewall or to configure special advanced settings for Firewall, you can use Firewall kernel parameters.
The names of applicable Firewall kernel parameters and their values appear in various SK articles in Support Center, and provided by Check Point Support.
Important
fw ctl set
command.This change does not survive a reboot.
$FWDIR/modules/fwkern.conf
or $FWDIR/modules/vpnkern.conf
).This requires a maintenance window, because the new values of the kernel parameters take effect only after a reboot.
Examples of Firewall kernel parameters
Type |
Name |
---|---|
Integer |
|
String |
|
To see the list of the available Firewall integer kernel parameters and their values on your Security Gateway:
Step |
Description |
---|---|
1 |
Connect to the command line on your Security Gateway. |
2 |
Log in to the Expert mode. |
3 |
Get the list of the available integer kernel parameters and their values:
|
4 |
Analyze the output file:
|
To see the list of the available Firewall string kernel parameters and their values on your Security Gateway:
Step |
Description |
---|---|
1 |
Connect to the command line on your Security Gateway. |
2 |
Log in to the Expert mode. |
3 |
Get the list of the available integer kernel parameters and their values:
|
4 |
Analyze the output file:
|
To check the current value of a Firewall integer kernel parameter:
Step |
Description |
---|---|
1 |
Connect to the command line on your Security Gateway. |
2 |
Log in to Gaia Clish or the Expert mode. |
3 |
Check the current value of an integer kernel parameter:
Example: [Expert@MyGW:0]# fw ctl get int send_buf_limit send_buf_limit = 80 [Expert@MyGW:0]# |
To check the current value of a Firewall string kernel parameter:
Step |
Description |
---|---|
1 |
Connect to the command line on your Security Gateway. |
2 |
Log in to Gaia Clish or the Expert mode. |
3 |
Check the current value of a string kernel parameter:
Example: [Expert@MyGW:0]# fw ctl get str fileapp_default_encoding_charset fileapp_default_encoding_charset = 'UTF-8' [Expert@MyGW:0]# |
To set a value for a Firewall integer kernel parameter temporarily:
Important - This change does not survive reboot.
Step |
Description |
---|---|
1 |
Connect to the command line on your Security Gateway. |
2 |
Log in to Gaia Clish or the Expert mode. |
3 |
Set the new value for an integer kernel parameter:
Example: [Expert@MyGW:0]# fw ctl set int send_buf_limit 100 Set operation succeeded [Expert@MyGW:0]# |
4 |
Make sure the new value is set:
Example: [Expert@MyGW:0]# fw ctl get int send_buf_limit send_buf_limit = 100 [Expert@MyGW:0]# |
To set a value for a Firewall string kernel parameter temporarily:
Important - This change does not survive reboot.
Step |
Description |
---|---|
1 |
Connect to the command line on your Security Gateway. |
2 |
Log in to Gaia Clish or the Expert mode. |
3 |
Set the new value for a string kernel parameter: Note - You must write the value in single quotes, or double-quotes.
or
Example: [Expert@MyGW:0]# fw ctl set str debug_filter_saddr_ip '1.1.1.1' Set operation succeeded [Expert@MyGW:0]# |
4 |
Make sure the new value is set:
Example: [Expert@MyGW:0]# fw ctl get str debug_filter_saddr_ip debug_filter_saddr_ip = '1.1.1.1' [Expert@MyGW:0]# |
To clear the current value from a Firewall string kernel parameter temporarily:
Important - This change does not survive reboot.
Step |
Description |
---|---|
1 |
Connect to the command line on your Security Gateway. |
2 |
Log in to Gaia Clish or the Expert mode. |
3 |
Clear the current value from a string kernel parameter: Note - You must set an empty value in single quotes, or double-quotes.
or
Example: [Expert@MyGW:0]# fw ctl set str debug_filter_saddr_ip '' Set operation succeeded [Expert@MyGW:0]# |
4 |
Make sure the value is cleared (the new value is empty):
Example: [Expert@MyGW:0]# fw ctl get str debug_filter_saddr_ip debug_filter_saddr_ip = '' [Expert@MyGW:0]# |
To set a value for a Firewall kernel parameter permanently:
To make a kernel parameter configuration permanent (to survive reboot), you must edit one of the applicable configuration files:
$FWDIR/modules/fwkern.conf
$FWDIR/modules/vpnkern.conf
The exact instructions are provided in various SK articles in Support Center, and provided by Check Point Support.
Step |
Description |
---|---|
1 |
Connect to the command line on your Security Gateway. |
2 |
Log in to the Expert mode. |
3 |
See if the configuration file already exists:
or
|
4 |
If this file already exists, skip to Step 5. If this file does not exist, then create it manually and then skip to Step 6:
or
|
5 |
Back up the current configuration file:
or
|
6 |
Edit the current configuration file:
or
|
7 |
Add the required Firewall kernel parameter with the assigned value in the exact format specified below. Important - These configuration files do not support space characters, tabulation characters, and comments (lines that contain the # character).
|
8 |
Save the changes in the file and exit from the Vi editor. |
9 |
Reboot the Security Gateway. Important - In cluster, this can cause a failover. |
10 |
Connect to the command line on your Security Gateway. |
11 |
Log in to Gaia Clish or the Expert mode. |
12 |
Make sure the new value of the kernel parameter is set:
|
For more information, see sk26202: Changing the kernel global parameters for Check Point Security Gateway.