Print Download PDF Send Feedback

Previous

Next

FireWall Kernel Parameters

To change the internal default behavior of Firewall or to configure special advanced settings for Firewall, you can use Firewall kernel parameters.

The names of applicable Firewall kernel parameters and their values appear in various SK articles in Support Center, and provided by Check Point Support.

Important

Examples of Firewall kernel parameters

Type

Name

Integer

fw_allow_simultaneous_ping

fw_kdprintf_limit

fw_log_bufsize

send_buf_limit

String

simple_debug_filter_addr_1

simple_debug_filter_daddr_1

simple_debug_filter_vpn_1

ws_debug_ip_str

fw_lsp_pair1

To see the list of the available Firewall integer kernel parameters and their values on your Security Gateway:

Step

Description

1

Connect to the command line on your Security Gateway.

2

Log in to the Expert mode.

3

Get the list of the available integer kernel parameters and their values:

[Expert@MyGW:0]# modinfo -p $FWDIR/modules/fw_kern*.o | sort -u | grep _type | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get int 1>> /var/log/fw_integer_kernel_parameters.txt 2>> /var/log/fw_integer_kernel_parameters.txt

4

Analyze the output file:

/var/log/fw_integer_kernel_parameters.txt

To see the list of the available Firewall string kernel parameters and their values on your Security Gateway:

Step

Description

1

Connect to the command line on your Security Gateway.

2

Log in to the Expert mode.

3

Get the list of the available integer kernel parameters and their values:

[Expert@MyGW:0]# modinfo -p $FWDIR/modules/fw_kern*.o | sort -u | grep 'string param' | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get str 1>> /var/log/fw_string_kernel_parameters.txt 2>> /var/log/fw_string_kernel_parameters.txt

4

Analyze the output file:

/var/log/fw_string_kernel_parameters.txt

To check the current value of a Firewall integer kernel parameter:

Step

Description

1

Connect to the command line on your Security Gateway.

2

Log in to Gaia Clish or the Expert mode.

3

Check the current value of an integer kernel parameter:

fw ctl get int <Name of Integer Kernel Parameter> [-a]

Example:

[Expert@MyGW:0]# fw ctl get int send_buf_limit

send_buf_limit = 80

[Expert@MyGW:0]#

To check the current value of a Firewall string kernel parameter:

Step

Description

1

Connect to the command line on your Security Gateway.

2

Log in to Gaia Clish or the Expert mode.

3

Check the current value of a string kernel parameter:

fw ctl get str <Name of String Kernel Parameter> [-a]

Example:

[Expert@MyGW:0]# fw ctl get str fileapp_default_encoding_charset

fileapp_default_encoding_charset = 'UTF-8'

[Expert@MyGW:0]#

To set a value for a Firewall integer kernel parameter temporarily:

Important - This change does not survive reboot.

Step

Description

1

Connect to the command line on your Security Gateway.

2

Log in to Gaia Clish or the Expert mode.

3

Set the new value for an integer kernel parameter:

fw ctl set int <Name of Integer Kernel Parameter> <Integer Value>

Example:

[Expert@MyGW:0]# fw ctl set int send_buf_limit 100

Set operation succeeded

[Expert@MyGW:0]#

4

Make sure the new value is set:

fw ctl get int <Name of Integer Kernel Parameter>

Example:

[Expert@MyGW:0]# fw ctl get int send_buf_limit

send_buf_limit = 100

[Expert@MyGW:0]#

To set a value for a Firewall string kernel parameter temporarily:

Important - This change does not survive reboot.

Step

Description

1

Connect to the command line on your Security Gateway.

2

Log in to Gaia Clish or the Expert mode.

3

Set the new value for a string kernel parameter:

Note - You must write the value in single quotes, or double-quotes.

[Expert@MyGW:0]# fw ctl set str <Name of String Kernel Parameter> '<String Text>'

or

[Expert@MyGW:0]# fw ctl set str <Name of String Kernel Parameter> "<String Text>"

Example:

[Expert@MyGW:0]# fw ctl set str debug_filter_saddr_ip '1.1.1.1'

Set operation succeeded

[Expert@MyGW:0]#

4

Make sure the new value is set:

fw ctl get str <Name of String Kernel Parameter>

Example:

[Expert@MyGW:0]# fw ctl get str debug_filter_saddr_ip

debug_filter_saddr_ip = '1.1.1.1'

[Expert@MyGW:0]#

To clear the current value from a Firewall string kernel parameter temporarily:

Important - This change does not survive reboot.

Step

Description

1

Connect to the command line on your Security Gateway.

2

Log in to Gaia Clish or the Expert mode.

3

Clear the current value from a string kernel parameter:

Note - You must set an empty value in single quotes, or double-quotes.

[Expert@MyGW:0]# fw ctl set str <Name of String Kernel Parameter> ''

or

[Expert@MyGW:0]# fw ctl set str <Name of String Kernel Parameter> ""

Example:

[Expert@MyGW:0]# fw ctl set str debug_filter_saddr_ip ''

Set operation succeeded

[Expert@MyGW:0]#

4

Make sure the value is cleared (the new value is empty):

fw ctl get str <Name of String Kernel Parameter>

Example:

[Expert@MyGW:0]# fw ctl get str debug_filter_saddr_ip

debug_filter_saddr_ip = ''

[Expert@MyGW:0]#

To set a value for a Firewall kernel parameter permanently:

To make a kernel parameter configuration permanent (to survive reboot), you must edit one of the applicable configuration files:

The exact instructions are provided in various SK articles in Support Center, and provided by Check Point Support.

Step

Description

1

Connect to the command line on your Security Gateway.

2

Log in to the Expert mode.

3

See if the configuration file already exists:

[Expert@MyGW:0]# ls -l $FWDIR/modules/fwkern.conf

or

[Expert@MyGW:0]# ls -l $FWDIR/modules/vpnkern.conf

4

If this file already exists, skip to Step 5.

If this file does not exist, then create it manually and then skip to Step 6:

[Expert@MyGW:0]# touch $FWDIR/modules/fwkern.conf

or

[Expert@MyGW:0]# touch $FWDIR/modules/vpnkern.conf

5

Back up the current configuration file:

[Expert@MyGW:0]# cp -v $FWDIR/modules/fwkern.conf{,_BKP}

or

[Expert@MyGW:0]# cp -v $FWDIR/modules/vpnkern.conf{,_BKP}

6

Edit the current configuration file:

[Expert@MyGW:0]# vi $FWDIR/modules/fwkern.conf

or

[Expert@MyGW:0]# vi $FWDIR/modules/vpnkern.conf

7

Add the required Firewall kernel parameter with the assigned value in the exact format specified below.

Important - These configuration files do not support space characters, tabulation characters, and comments (lines that contain the # character).

  • To add an integer kernel parameter:

    <Name_of_Integer_Kernel_Parameter>=<Integer_Value>

  • To add a string kernel parameter:

    <Name_of_String_Kernel_Parameter>='<String_Text>'

    or

    <Name_of_String_Kernel_Parameter>="<String_Text>"

8

Save the changes in the file and exit from the Vi editor.

9

Reboot the Security Gateway.

Important - In cluster, this can cause a failover.

10

Connect to the command line on your Security Gateway.

11

Log in to Gaia Clish or the Expert mode.

12

Make sure the new value of the kernel parameter is set:

  • For an integer kernel parameter, run:

    fw ctl get int <Name of Integer Kernel Parameter> [-a]

  • For a string kernel parameter, run:

    fw ctl get str <Name of String Kernel Parameter> [-a]

For more information, see sk26202: Changing the kernel global parameters for Check Point Security Gateway.