SecureXL Kernel Parameters

To change the internal default behavior of SecureXLClosed Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway. or to configure special advanced settings for SecureXL, you can use SecureXL kernel parameters.

The names of applicable SecureXL kernel parameters and their values appear in various SK articles in Check Point Support Center, and provided by Check Point Support.

Important:

Type

Name

Integer

num_of_sxl_devices

sim_ipsec_dont_fragment

tcp_always_keepalive

sim_log_all_frags

simple_debug_filter_dport_1

simple_debug_filter_proto_1

String

simple_debug_filter_addr_1

simple_debug_filter_daddr_2

simlinux_excluded_ifs_list

Working with Integer Kernel Parameters

Step

Instructions

1

Connect to the command line on your Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / each Cluster MemberClosed Security Gateway that is part of a cluster..

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

2

Log in to the Expert mode.

3

Make sure you can get the list of the available integer kernel parameters and their values without errors:

Note - The configuration of your Security Gateway might not support all kernel parameters. As a result, the Security Gateway might fail to get the value of some kernel parameters.

modinfo -p $PPKDIR/boot/modules/sim_kern*.o | sort -u | grep ':int param' | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get int

4

If in the previous step there were no errors, get the list of the available integer kernel parameters and their values, and save the list to a file:

modinfo -p $PPKDIR/boot/modules/sim_kern*.o | sort -u | grep ':int param' | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get int 1>> /var/log/sxl_integer_kernel_parameters.txt 2>> /var/log/sxl_integer_kernel_parameters.txt

5

Analyze the output file:

/var/log/sxl_integer_kernel_parameters.txt

Step

Instructions

1

Connect to the command line on your Security Gateway / each Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

2

Log in to Gaia ClishClosed The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell). or the Expert mode.

Note - On Scalable Platforms (Maestro and Chassis), you must use Gaia gClishClosed The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators and for Security Gateway Modules on Scalable Chassis. Commands you run in this shell apply to all Security Gateway Module / Security Appliances in the Security Group. or the Expert mode.

3

Get the current value of an integer kernel parameter:

Example:

[Expert@MyGW:0]# fw ctl get int sim_ipsec_dont_fragment

sim_ipsec_dont_fragment = 1

[Expert@MyGW:0]#

Important - This change does not survive reboot.

Step

Instructions

1

Connect to the command line on your Security Gateway / each Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

2

Log in to Gaia Clish or the Expert mode.

Note - On Scalable Platforms (Maestro and Chassis), you must use Gaia gClish or the Expert mode.

3

Configure the new value for an integer kernel parameter:

  • On a Security Gateway / each Cluster Member, run in Gaia Clish or the Expert mode:

    fw ctl set int <Name of Integer Kernel Parameter> <Integer Value>

  • On a Scalable Platform Security Group, run in Gaia gClish:

    fw ctl set int <Name of Integer Kernel Parameter> <Integer Value>

  • On a Scalable Platform Security Group, run in the Expert mode:

    g_fw ctl set int <Name of Integer Kernel Parameter> <Integer Value>

Example:

[Expert@MyGW:0]# fw ctl set int sim_ipsec_dont_fragment 0

Set operation succeeded

[Expert@MyGW:0]#

4

Make sure the new value is configured.

  • On a Security Gateway / each Cluster Member, run in Gaia Clish or the Expert mode:

    fw ctl get int <Name of Integer Kernel Parameter>

  • On a Scalable Platform Security Group, run in Gaia gClish:

    fw ctl get int <Name of Integer Kernel Parameter>

  • On a Scalable Platform Security Group, run in the Expert mode:

    g_fw ctl get int <Name of Integer Kernel Parameter>

Example:

[Expert@MyGW:0]# fw ctl get int sim_ipsec_dont_fragment

sim_ipsec_dont_fragment = 0

[Expert@MyGW:0]#

Step

Instructions

1

Connect to the command line on your Security Gateway / each Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

2

Log in to the Expert mode.

3

See if the configuration file already exists.

  • On a Security Gateway / each Cluster Member, run:

    ls -l $PPKDIR/conf/simkern.conf

  • On a Scalable Platform Security Group, run:

    g_ls -l $PPKDIR/conf/simkern.conf

4

If this file already exists, skip to Step 5.

If this file does not exist, then create it manually and then skip to Step 6:

  • On a Security Gateway / each Cluster Member, run:

    touch $PPKDIR/conf/simkern.conf

  • On a Scalable Platform Security Group, run:

    g_all touch $PPKDIR/conf/simkern.conf

5

Back up the current configuration file.

  • On a Security Gateway / each Cluster Member, run:

    cp -v $PPKDIR/conf/simkern.conf{,_BKP}

  • On a Scalable Platform Security Group, run:

    g_cp -v $PPKDIR/conf/simkern.conf{,_BKP}

6

Edit the current configuration file.

The same syntax applies to the Security Gateway / each Cluster Member and the Scalable Platform Security Group:

vi $PPKDIR/conf/simkern.conf

7

Add the required SecureXL kernel parameter with the assigned value in the exact format specified below.

Important - This configuration file does not support space characters, tabulation characters, and comments (lines that contain the # character).

<Name_of_SecureXL_Integer_Kernel_Parameter>=<Integer_Value>

8

Save the changes in the file and exit the editor.

9

Reboot.

  • On the Security Gateway / Cluster Member, run:

    reboot

    Important - In cluster, this can cause a failover.

  • On the Scalable Platform Security Group, run:

    g_reboot -a

10

Connect to the command line on your Security Gateway / each Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

11

Log in to Gaia Clish or the Expert mode.

Note - On Scalable Platforms (Maestro and Chassis), you must use Gaia gClish or the Expert mode.

12

Make sure the new value of the kernel parameter is configured.

  • On a Security Gateway / each Cluster Member, run in Gaia Clish or the Expert mode:

    fw ctl get int <Name of Integer Kernel Parameter> [-a]

  • On a Scalable Platform Security Group, run in Gaia gClish:

    fw ctl get int <Name of Integer Kernel Parameter> [-a]

  • On a Scalable Platform Security Group, run in the Expert mode:

    g_fw ctl get int <Name of Integer Kernel Parameter> [-a]

Working with String Kernel Parameters

Step

Instructions

1

Connect to the command line on your Security Gateway / each Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

2

Log in to the Expert mode.

3

Make sure you can get the list of the available integer kernel parameters and their values without errors:

Note - The configuration of your Security Gateway might not support all kernel parameters. As a result, the Security Gateway might fail to get the value of some kernel parameters.

modinfo -p $PPKDIR/boot/modules/sim_kern*.o | sort -u | grep ':string param' | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get str

4

If in the previous step there were no errors, get the list of the available string kernel parameters and their values, and save the list to a file:

modinfo -p $PPKDIR/boot/modules/sim_kern*.o | sort -u | grep ':string param' | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get str 1>> /var/log/sxl_string_kernel_parameters.txt 2>> /var/log/sxl_string_kernel_parameters.txt

5

Analyze the output file:

/var/log/sxl_string_kernel_parameters.txt

Step

Instructions

1

Connect to the command line on your Security Gateway / each Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

2

Log in to Gaia Clish or the Expert mode.

Note - On Scalable Platforms (Maestro and Chassis), you must use Gaia gClish or the Expert mode.

3

Get the current value of an integer kernel parameter:

  • On the Security Gateway / each Cluster Member, run in Gaia Clish or the Expert mode:

    fw ctl get str <Name of Integer Kernel Parameter> [-a]

  • On the Scalable Platform Security Group, run in Gaia gClish:

    fw ctl get str <Name of Integer Kernel Parameter> [-a]

  • On the Scalable Platform Security Group, run in the Expert mode:

    g_fw ctl get str <Name of Integer Kernel Parameter> [-a]

Example:

[Expert@MyGW:0]# fw ctl get str fwkdebug_print_connkey_on_str

fwkdebug_print_connkey_on_str = ''

[Expert@MyGW:0]#

Important - This change does not survive reboot.

Step

Instructions

1

Connect to the command line on your Security Gateway / each Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

2

Log in to Gaia Clish or the Expert mode.

Note - On Scalable Platforms (Maestro and Chassis), you must use Gaia gClish or the Expert mode.

3

Configure the new value for a string kernel parameter.

Note - You must write the value in single quotes, or double quotes. Use one of these syntax options.

  • On a Security Gateway / each Cluster Member, run in Gaia Clish or the Expert mode:

    fw ctl set str <Name of String Kernel Parameter> '<String Text>'

    or

    fw ctl set str <Name of String Kernel Parameter> "<String Text>"

  • On a Scalable Platform Security Group, run in Gaia gClish:

    fw ctl set str <Name of String Kernel Parameter> '<String Text>'

    or

    fw ctl set str <Name of String Kernel Parameter> "<String Text>"

  • On a Scalable Platform Security Group, run in the Expert mode:

    g_fw ctl set str <Name of String Kernel Parameter> '<String Text>'

    or

    g_fw ctl set str <Name of String Kernel Parameter> "<String Text>"

Example:

[Expert@MyGW:0]# fw ctl set str fwkdebug_print_connkey_on_str 'Packet accepted'

Set operation succeeded

[Expert@MyGW:0]#

4

Make sure the new value is configured.

  • On a Security Gateway / each Cluster Member, run in Gaia Clish or the Expert mode:

    fw ctl get str <Name of String Kernel Parameter>

  • On a Scalable Platform Security Group, run in Gaia gClish:

    fw ctl get str <Name of String Kernel Parameter>

  • On a Scalable Platform Security Group, run in the Expert mode:

    g_fw ctl get str <Name of String Kernel Parameter>

Example:

[Expert@MyGW:0]# fw ctl get str fwkdebug_print_connkey_on_str

fwkdebug_print_connkey_on_str = 'Packet accepted'

[Expert@MyGW:0]#

Step

Instructions

1

Connect to the command line on your Security Gateway / each Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

2

Log in to the Expert mode.

3

See if the configuration file already exists.

  • On a Security Gateway / each Cluster Member, run:

    ls -l $PPKDIR/conf/simkern.conf

  • On a Scalable Platform Security Group, run:

    g_ls -l $PPKDIR/conf/simkern.conf

4

If this file already exists, skip to Step 5.

If this file does not exist, then create it manually and then skip to Step 6:

  • On a Security Gateway / each Cluster Member, run:

    touch $PPKDIR/conf/simkern.conf

  • On a Scalable Platform Security Group, run:

    g_all touch $PPKDIR/conf/simkern.conf

5

Back up the current configuration file.

  • On a Security Gateway / each Cluster Member, run:

    cp -v $PPKDIR/conf/simkern.conf{,_BKP}

  • On a Scalable Platform Security Group, run:

    g_cp -v $PPKDIR/conf/simkern.conf{,_BKP}

6

Edit the current configuration file.

The same syntax applies to the Security Gateway / each Cluster Member and the Scalable Platform Security Group:

vi $PPKDIR/conf/simkern.conf

7

Add the required SecureXL kernel parameter with the assigned value in the exact format specified below.

Important - This configuration file does not support space characters, tabulation characters, and comments (lines that contain the # character).

Note - You must write the value in single quotes, or double quotes. Use one of these syntax options.

<Name_of_SecureXL_String_Kernel_Parameter>='<String_Text>'

or

<Name_of_SecureXL_String_Kernel_Parameter>="<String_Text>"

8

Save the changes in the file and exit the editor.

9

Reboot.

  • On the Security Gateway / Cluster Member, run:

    reboot

    Important - In cluster, this can cause a failover.

  • On the Scalable Platform Security Group, run:

    g_reboot -a

10

Connect to the command line on your Security Gateway / each Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

11

Log in to Gaia Clish or the Expert mode.

Note - On Scalable Platforms (Maestro and Chassis), you must use Gaia gClish or the Expert mode.

12

Make sure the new value of the kernel parameter is configured.

  • On a Security Gateway / each Cluster Member, run in Gaia Clish or the Expert mode:

    fw ctl get str <Name of String Kernel Parameter> [-a]

  • On a Scalable Platform Security Group, run in Gaia gClish:

    fw ctl get str <Name of String Kernel Parameter> [-a]

  • On a Scalable Platform Security Group, run in the Expert mode:

    g_fw ctl get str <Name of String Kernel Parameter> [-a]