FireWall Kernel Parameters

To change the internal default behavior of Firewall or to configure special advanced settings for Firewall, you can use Firewall kernel parameters.

The names of applicable Firewall kernel parameters and their values appear in various SK articles in Support Center, and provided by Check Point Support.

Important

The names of Firewall kernel parameters are case-sensitive.
You can configure most of the Firewall kernel parameters on-the-fly with the g_fw ctl set command.
This change does not survive a reboot.
You can configure some of the Firewall kernel parameters only permanently in the special configuration file ($FWDIR/modules/fwkern.conf or $FWDIR/modules/vpnkern.conf).
This requires a maintenance window, because the new values of the kernel parameters take effect only after a reboot.
In a Cluster, you must always configure all the Cluster Members in the same way.

Examples of Firewall kernel parameters

Type	Name
Integer	`fw_allow_simultaneous_ping` `fw_kdprintf_limit` `fw_log_bufsize` `send_buf_limit`
String	`simple_debug_filter_addr_1` `simple_debug_filter_daddr_1` `simple_debug_filter_vpn_1` `ws_debug_ip_str` `fw_lsp_pair1`

Type

Name

Integer

fw_allow_simultaneous_ping

fw_kdprintf_limit

fw_log_bufsize

send_buf_limit

String

simple_debug_filter_addr_1

simple_debug_filter_daddr_1

simple_debug_filter_vpn_1

ws_debug_ip_str

fw_lsp_pair1

To see the list of the available Firewall integer kernel parameters and their values:

Step	Description
1	Connect to the command line on a Security Group member.
2	Log in to the Expert mode.
3	Get the list of the available integer kernel parameters and their values: `[Expert@MyGW:0]# modinfo -p $FWDIR/modules/fw_kern*.o \| sort -u \| grep _type \| awk 'BEGIN {FS=":"} ; {print $1}' \| xargs -n 1 g_fw ctl get int 1>> /var/log/fw_integer_kernel_parameters.txt 2>> /var/log/fw_integer_kernel_parameters.txt`
4	Analyze the output file: `/var/log/fw_integer_kernel_parameters.txt`

To see the list of the available Firewall string kernel parameters and their values:

Step	Description
1	Connect to the command line on a Security Group member.
2	Log in to the Expert mode.
3	Get the list of the available integer kernel parameters and their values: `[Expert@MyGW:0]# modinfo -p $FWDIR/modules/fw_kern*.o \| sort -u \| grep 'string param' \| awk 'BEGIN {FS=":"} ; {print $1}' \| xargs -n 1 g_fw ctl get str 1>> /var/log/fw_string_kernel_parameters.txt 2>> /var/log/fw_string_kernel_parameters.txt`
4	Analyze the output file: `/var/log/fw_string_kernel_parameters.txt`

To check the current value of a Firewall integer kernel parameter:

Step

Description

Connect to the command line on a Security Group member.

Check the current value of an integer kernel parameter:

g_fw ctl get int <Name of Integer Kernel Parameter> [-a]

Example:

[Expert@MyGW:0]# g_fw ctl get int send_buf_limit

send_buf_limit = 80

[Expert@MyGW:0]#

To check the current value of a Firewall string kernel parameter:

Step

Description

Connect to the command line on a Security Group member.

Check the current value of a string kernel parameter:

g_fw ctl get str <Name of String Kernel Parameter> [-a]

Example:

[Expert@MyGW:0]# g_fw ctl get str fileapp_default_encoding_charset

fileapp_default_encoding_charset = 'UTF-8'

[Expert@MyGW:0]#

To set a value for a Firewall integer kernel parameter temporarily:

Important - This change does not survive reboot.

Step	Description
1	Connect to the command line on a Security Group member.
2	Log in to the Expert mode.
3	Set the new value for an integer kernel parameter: `g_fw ctl set int <`Name of Integer Kernel Parameter`>` <Integer Value> Example: [Expert@MyGW:0]# g_fw ctl set int send_buf_limit 100 Set operation succeeded [Expert@MyGW:0]#
4	Make sure the new value is set: `g_fw ctl get int <`Name of Integer Kernel Parameter`>` Example: [Expert@MyGW:0]# g_fw ctl get int send_buf_limit send_buf_limit = 100 [Expert@MyGW:0]#

To set a value for a Firewall string kernel parameter temporarily:

Important - This change does not survive reboot.

Step	Description
1	Connect to the command line on a Security Group member.
2	Log in to the Expert mode.
3	Set the new value for a string kernel parameter: Note - You must write the value in single quotes, or double-quotes. `[Expert@MyGW:0]# g_fw ctl set str <`Name of String Kernel Parameter`>` '<String Text>' or `[Expert@MyGW:0]# g_fw ctl set str <`Name of String Kernel Parameter`>` "<String Text>" Example: [Expert@MyGW:0]# g_fw ctl set str debug_filter_saddr_ip '1.1.1.1' Set operation succeeded [Expert@MyGW:0]#
4	Make sure the new value is set: `g_fw ctl get str <`Name of String Kernel Parameter`>` Example: [Expert@MyGW:0]# g_fw ctl get str debug_filter_saddr_ip debug_filter_saddr_ip = '1.1.1.1' [Expert@MyGW:0]#

To clear the current value from a Firewall string kernel parameter temporarily:

Important - This change does not survive reboot.

Step	Description
1	Connect to the command line on a Security Group member.
2	Log in to the Expert mode.
3	Clear the current value from a string kernel parameter: Note - You must set an empty value in single quotes, or double-quotes. `[Expert@MyGW:0]# g_fw ctl set str <`Name of String Kernel Parameter`>` '' or `[Expert@MyGW:0]# g_fw ctl set str <`Name of String Kernel Parameter`>` "" Example: [Expert@MyGW:0]# g_fw ctl set str debug_filter_saddr_ip '' Set operation succeeded [Expert@MyGW:0]#
4	Make sure the value is cleared (the new value is empty): `g_fw ctl get str <`Name of String Kernel Parameter`>` Example: [Expert@MyGW:0]# g_fw ctl get str debug_filter_saddr_ip debug_filter_saddr_ip = '' [Expert@MyGW:0]#

To set a value for a Firewall kernel parameter permanently:

To make a kernel parameter configuration permanent (to survive reboot), you must edit one of the applicable configuration files:

$FWDIR/modules/fwkern.conf
$FWDIR/modules/vpnkern.conf

The exact instructions are provided in various SK articles in Support Center, and provided by Check Point Support.

Step	Description
1	Connect to the command line on a Security Group member.
2	Log in to the Expert mode.
3	Set the required Firewall kernel parameter with the assigned value in the exact format specified below. Important - These configuration files do not support space characters, tabulation characters, and comments (lines that contain the # character). To add an integer kernel parameter: `[Expert@MyGW:0]# g_update_conf_file fwkern.conf <Name_of_Integer_Kernel_Parameter>=<Integer_Value>` To add a string kernel parameter: `[Expert@MyGW:0]# g_update_conf_file fwkern.conf <Name_of_String_Kernel_Parameter>='<String_Text>'` or `[Expert@MyGW:0]# g_update_conf_file fwkern.conf <Name_of_String_Kernel_Parameter>="<String_Text>"`
4	Reboot the Security Group members.
5	Connect to the command line on a Security Group member.
6	Log in to Gaia Clish or the Expert mode.
7	Make sure the new value of the kernel parameter is set: For an integer kernel parameter, run: `g_fw ctl get int <`Name of Integer Kernel Parameter`> [-a]` For a string kernel parameter, run: `g_fw ctl get str <`Name of String Kernel Parameter`> [-a]`