fwm unload

Description

Unloads the policy from the specified managed Security Gateways or Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Members.

Warning:

The fwm unload command prevents all traffic from passing through the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. (Cluster Member Security Gateway that is part of a cluster.), because it disables the IP Forwarding Process of transferring of an incoming traffic from one Cluster Member to another Cluster Member for processing. There are two types of forwarding the incoming traffic between Cluster Members - Packet forwarding and Chain forwarding. For more information, see "Forwarding Layer in Cluster" and "ARP Forwarding". in the Linux kernel on the specified Security Gateway (Cluster Member).
The fwm unload command removes all policies from the specified Security Gateway (Cluster Member).

This means that the Security Gateway (Cluster Member) accepts all incoming connections destined to all active State of a Cluster Member that is fully operational: (1) In ClusterXL, this applies to the state of the Security Gateway component (2) In 3rd-party / OPSEC cluster, this applies to the state of the cluster State Synchronization mechanism. interfaces without any filtering or protection enabled.

Notes:

On a Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS., you must run this command in the context of the applicable Domain Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server.:

mdsenv <IP Address or Name of Domain Management Server>

If it is necessary to remove the current policy, but keep the Security Gateway (Cluster Member) protected, then run the comp_init_policy command on the Security Gateway (Cluster Member).
To load the policies on the Security Gateway (Cluster Member), run one of these commands on the Security Gateway (Cluster Member), or reboot:
- fw fetch
- cpstart
In addition, see the fw unloadlocal command.

Syntax

fwm [-d] unload <GW1> <GW2> ... <GWN>

Parameters

Parameter

Description

-d

Runs the command in debug mode.

Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

For complete debug instructions, see the description of the fwm process in sk97638.

<GW1> <GW2> ... <GWN>

Specifies the managed Security Gateways by their main IP address or Object Name as configured in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

Example

[Expert@MyGW:0]# cpstat -f policy fw
 
Product name: Firewall
Policy name: CXL_Policy
Policy install time: Wed Oct 23 18:23:14 2019
... ... ...
[Expert@MyGW:0]#
 
 
[Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge
net.ipv6.conf.bond0.forwarding = 1
net.ipv6.conf.eth1.forwarding = 1
net.ipv6.conf.eth3.forwarding = 1
net.ipv6.conf.eth2.forwarding = 1
net.ipv6.conf.eth4.forwarding = 1
net.ipv6.conf.eth5.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth6.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
net.ipv4.conf.bond0.mc_forwarding = 0
net.ipv4.conf.bond0.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth2.mc_forwarding = 0
net.ipv4.conf.eth2.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
[Expert@MyGW:0]#
 
 
[Expert@MGMT:0]# fwm unload MyGW
 
Uninstalling Policy From: MyGW
 
 Security Policy successfully uninstalled from MyGW...
 
Security Policy uninstall complete.
 
[Expert@MGMT:0]#

[Expert@MyGW:0]# cpstat -f policy fw
 
Product name: Firewall
Policy name:
Policy install time:
... ... ...
[Expert@MyGW:0]#
 
 
[Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge
net.ipv6.conf.bond0.forwarding = 0
net.ipv6.conf.eth1.forwarding = 0
net.ipv6.conf.eth3.forwarding = 0
net.ipv6.conf.eth2.forwarding = 0
net.ipv6.conf.eth4.forwarding = 0
net.ipv6.conf.eth5.forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth6.forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv4.conf.bond0.mc_forwarding = 0
net.ipv4.conf.bond0.forwarding = 0
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 0
net.ipv4.conf.eth2.mc_forwarding = 0
net.ipv4.conf.eth2.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 0
[Expert@MyGW:0]#