Firewall Kernel Parameters

To change the internal default behavior of Firewall or to configure special advanced settings for Firewall, you can use Firewall kernel parameters.

The names of applicable Firewall kernel parameters and their values appear in various SK articles in Check Point Support Center, and provided by Check Point Support.

Important:

The names of Firewall kernel parameters are case-sensitive.
You can configure most of the Firewall kernel parameters on-the-fly with the "fw ctl set" command.

This change does not survive a reboot.

You can use the "fw ctl set -f" command to make this change permanent as well.
You can configure some of the Firewall kernel parameters only permanently in the special configuration file $FWDIR/boot/modules/fwkern.conf command.

This requires a maintenance window, because the new values of the kernel parameters take effect only after a reboot.
You can configure some of the Firewall kernel parameters only permanently in the special configuration files - $FWDIR/boot/modules/fwkern.conf or $FWDIR/boot/modules/vpnkern.conf.

You must manually edit these files.

This requires a maintenance window, because the new values of the kernel parameters take effect only after a reboot.
In a Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you must configure all the Cluster Members in the same way.
On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected..

Examples of Firewall kernel parameters

Type	Name
Integer	`fw_allow_simultaneous_ping` `fw_kdprintf_limit` `fw_log_bufsize` `send_buf_limit`
String	`simple_debug_filter_addr_1` `simple_debug_filter_daddr_1` `simple_debug_filter_vpn_1` `ws_debug_ip_str` `fw_lsp_pair1`

Type

Name

Integer

fw_allow_simultaneous_ping

fw_kdprintf_limit

fw_log_bufsize

send_buf_limit

String

simple_debug_filter_addr_1

simple_debug_filter_daddr_1

simple_debug_filter_vpn_1

ws_debug_ip_str

fw_lsp_pair1

Working with Integer Kernel Parameters

Viewing the list of the available Firewall integer kernel parameters and their values

Step

Instructions

Connect to the command line on your Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / each Cluster Member Security Gateway that is part of a cluster..

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

Make sure you can get the list of the available integer kernel parameters and their values without errors:

Note - The configuration of your Security Gateway might not support all kernel parameters. As a result, the Security Gateway might fail to get the value of some kernel parameters.

modinfo -p $FWDIR/boot/modules/fw_kern*.o | sort -u | grep ':int param' | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get int

If in the previous step there were no errors, get the list of the available integer kernel parameters and their values, and save the list to a file:

modinfo -p $FWDIR/boot/modules/fw_kern*.o | sort -u | grep ':int param' | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get int 1>> /var/log/fw_integer_kernel_parameters.txt 2>> /var/log/fw_integer_kernel_parameters.txt

Analyze the output file:

/var/log/fw_integer_kernel_parameters.txt

Viewing the current value of a Firewall integer kernel parameter

Step

Instructions

Connect to the command line on your Security Gateway / each Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

Log in to Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell). or the Expert mode.

Note - On Scalable Platforms (Maestro and Chassis), you must use Gaia gClish The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators and for Security Gateway Modules on Scalable Chassis. Commands you run in this shell apply to all Security Gateway Module / Security Appliances in the Security Group. or the Expert mode.

Get the current value of an integer kernel parameter:

On the Security Gateway / each Cluster Member, run in Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Clish or the Expert mode:

fw ctl get int <Name of Integer Kernel Parameter> [-a]

On the Scalable Platform Security Group, run in Gaia gClish:

fw ctl get int <Name of Integer Kernel Parameter> [-a]

On the Scalable Platform Security Group, run in the Expert mode:

g_fw ctl get int <Name of Integer Kernel Parameter> [-a]

Example:

[Expert@MyGW:0]# fw ctl get int send_buf_limit
send_buf_limit = 80
[Expert@MyGW:0]#

Configuring a value for a Firewall integer kernel parameter temporarily

Important - This change does not survive reboot.

Step

Instructions

Connect to the command line on your Security Gateway / each Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

Note - On Scalable Platforms (Maestro and Chassis), you must use Gaia gClish or the Expert mode.

Configure the new value for an integer kernel parameter:

On a Security Gateway / each Cluster Member, run in Gaia Clish or the Expert mode:

fw ctl set int <Name of Integer Kernel Parameter> <Integer Value>

On a Scalable Platform Security Group, run in Gaia gClish:

fw ctl set int <Name of Integer Kernel Parameter> <Integer Value>

On a Scalable Platform Security Group, run in the Expert mode:

g_fw ctl set int <Name of Integer Kernel Parameter> <Integer Value>

Example:

[Expert@MyGW:0]# fw ctl set int send_buf_limit 100
Set operation succeeded
[Expert@MyGW:0]#

Make sure the new value is configured.

On a Security Gateway / each Cluster Member, run in Gaia Clish or the Expert mode:

fw ctl get int <Name of Integer Kernel Parameter>

On a Scalable Platform Security Group, run in Gaia gClish:

fw ctl get int <Name of Integer Kernel Parameter>

On a Scalable Platform Security Group, run in the Expert mode:

g_fw ctl get int <Name of Integer Kernel Parameter>

Example:

[Expert@MyGW:0]# fw ctl get int send_buf_limit
send_buf_limit = 100
[Expert@MyGW:0]#

Configuring a value for a Firewall integer kernel parameter permanently

To make a kernel parameter configuration permanent (to survive reboot), you must edit one of the applicable configuration files:

For Firewall kernel parameters:

$FWDIR/boot/modules/fwkern.conf
For VPN kernel parameters:

$FWDIR/boot/modules/vpnkern.conf

The exact parameters appear in various SK articles in Check Point Support Center, and provided by Check Point Support.

Short procedure for the "fwkern.conf" file

Step

Instructions

Connect to the command line on your Security Gateway / each Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

Back up the current configuration file, if it exists:

On the Security Gateway (each Cluster Member), run:

cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}

On the Scalable Platform Security Group, run:

g_cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}

Configure the required Firewall kernel parameter with the assigned value in the exact format specified below.

On the Security Gateway (each Cluster Member), run:

fw ctl set -f int <Name_of_Integer_Kernel_Parameter> <Integer_Value>

On the Scalable Platform Security Group, run one of these commands:

g_fw ctl set -f int <Name_of_Integer_Kernel_Parameter> <Integer_Value>

g_update_conf_file fwkern.conf <Name_of_Integer_Kernel_Parameter>=<Integer_Value>

Example:

[Expert@MyGW:0]# fw ctl set -f int send_buf_limit 100
"fwkern.conf" was updated successfully
[Expert@MyGW:0]#

[Expert@MyGW:0]# g_update_conf_file fwkern.conf send_buf_limit=100
"fwkern.conf" was updated successfully
[Expert@MyGW:0]#

Examine the configuration file.

On the Security Gateway (each Cluster Member), run:

cat $FWDIR/boot/modules/fwkern.conf

On the Scalable Platform Security Group, run:

g_cat $FWDIR/boot/modules/fwkern.conf

Reboot.

On the Security Gateway / Cluster Member, run:

reboot

Important - In cluster, this can cause a failover.

On the Scalable Platform Security Group, run:

g_reboot -a

Connect to the command line on your Security Gateway / each Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

Note - On Scalable Platforms (Maestro and Chassis), you must use Gaia gClish or the Expert mode.

Make sure the new value of the kernel parameter is configured.

On a Security Gateway / each Cluster Member, run:

fw ctl get int <Name of Integer Kernel Parameter> [-a]

On a Scalable Platform Security Group, run:

g_fw ctl get int <Name of Integer Kernel Parameter> [-a]

Long procedure for the "fwkern.conf" and "vpnkern.conf" files

For more information, see sk26202: Changing the kernel global parameters for Check Point Security Gateway.

Step

Instructions

Connect to the command line on your Security Gateway / each Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

See if the configuration file already exists.

On a Security Gateway / each Cluster Member:

For Firewall kernel parameters, run:

ls -l $FWDIR/boot/modules/fwkern.conf

For VPN kernel parameters, run:

ls -l $FWDIR/boot/modules/vpnkern.conf

On a Scalable Platform Security Group:

For Firewall kernel parameters, run:

g_ls -l $FWDIR/boot/modules/fwkern.conf

For VPN kernel parameters, run:

g_ls -l $FWDIR/boot/modules/vpnkern.conf

If this file already exists, skip to Step 5.

If this file does not exist, then create it manually and then skip to Step 6.

On a Security Gateway / each Cluster Member:

For Firewall kernel parameters, run:

touch $FWDIR/boot/modules/fwkern.conf

For VPN kernel parameters, run:

touch $FWDIR/boot/modules/fwkern.conf

On a Scalable Platform Security Group:

For Firewall kernel parameters, run:

g_all touch $FWDIR/boot/modules/fwkern.conf

For VPN kernel parameters, run:

g_all touch $FWDIR/boot/modules/vpnkern.conf

Back up the current configuration file.

On a Security Gateway / each Cluster Member:

For Firewall kernel parameters, run:

cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}

For VPN kernel parameters, run:

cp -v $FWDIR/boot/modules/vpnkern.conf{,_BKP}

On a Scalable Platform Security Group:

For Firewall kernel parameters, run:

g_cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}

For VPN kernel parameters, run:

g_cp -v $FWDIR/boot/modules/vpnkern.conf{,_BKP}

Edit the current configuration file.

The same syntax applies to the Security Gateway / each Cluster Member and the Scalable Platform Security Group:

For Firewall kernel parameters, run:

vi $FWDIR/boot/modules/fwkern.conf

For VPN kernel parameters, run:

vi $FWDIR/boot/modules/vpnkern.conf

Add the required Firewall kernel parameter with the assigned value in the exact format specified below.

Important - These configuration files do not support space characters, tabulation characters, and comments (lines that contain the # character).

<Name_of_Integer_Kernel_Parameter>=<Integer_Value>

Save the changes in the file and exit the editor.

On the Scalable Platform Security Group, copy the updated configuration file to all other Security Group Members:

For Firewall kernel parameters, run:

asg_cp2blades $FWDIR/boot/modules/fwkern.conf

For VPN kernel parameters, run:

asg_cp2blades $FWDIR/boot/modules/vpnkern.conf

Reboot.

On the Security Gateway / Cluster Member, run:

reboot

Important - In cluster, this can cause a failover.

On the Scalable Platform Security Group, run:

g_reboot -a

Connect to the command line on your Security Gateway / each Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

Note - On Scalable Platforms (Maestro and Chassis), you must use Gaia gClish or the Expert mode.

Make sure the new value of the kernel parameter is configured.

On a Security Gateway / each Cluster Member, run in Gaia Clish or the Expert mode:

fw ctl get int <Name of Integer Kernel Parameter> [-a]

On a Scalable Platform Security Group, run in Gaia gClish:

fw ctl get int <Name of Integer Kernel Parameter> [-a]

On a Scalable Platform Security Group, run in the Expert mode:

g_fw ctl get int <Name of Integer Kernel Parameter> [-a]

Working with String Kernel Parameters

Viewing the list of the available Firewall string kernel parameters and their values

Step

Instructions

Connect to the command line on your Security Gateway / each Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

Make sure you can get the list of the available integer kernel parameters and their values without errors:

Note - The configuration of your Security Gateway might not support all kernel parameters. As a result, the Security Gateway might fail to get the value of some kernel parameters.

modinfo -p $FWDIR/boot/modules/fw_kern*.o | sort -u | grep ':string param' | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get str

If in the previous step there were no errors, get the list of the available string kernel parameters and their values, and save the list to a file:

modinfo -p $FWDIR/boot/modules/fw_kern*.o | sort -u | grep ':string param' | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get str 1>> /var/log/fw_string_kernel_parameters.txt 2>> /var/log/fw_string_kernel_parameters.txt

Analyze the output file:

/var/log/fw_string_kernel_parameters.txt

Viewing the current value of a Firewall string kernel parameter

Step

Instructions

Connect to the command line on your Security Gateway / each Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

Note - On Scalable Platforms (Maestro and Chassis), you must use Gaia gClish or the Expert mode.

Get the current value of a string kernel parameter:

On the Security Gateway / each Cluster Member, run in Gaia Clish or the Expert mode:

fw ctl get str <Name of String Kernel Parameter> [-a]

On the Scalable Platform Security Group, run in Gaia gClish:

fw ctl get str <Name of String Kernel Parameter> [-a]

On the Scalable Platform Security Group, run in the Expert mode:

g_fw ctl get str <Name of String Kernel Parameter> [-a]

Example:

[Expert@MyGW:0]# fw ctl get str fileapp_default_encoding_charset
fileapp_default_encoding_charset = 'UTF-8'
[Expert@MyGW:0]#

Configuring a value for a Firewall string kernel parameter temporarily

Important - This change does not survive reboot.

Step

Instructions

Connect to the command line on your Security Gateway / each Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

Note - On Scalable Platforms (Maestro and Chassis), you must use Gaia gClish or the Expert mode.

Configure the new value for a string kernel parameter.

Note - You must write the value in single quotes, or double quotes. Use one of these syntax options.

On a Security Gateway / each Cluster Member, run in Gaia Clish or the Expert mode:

fw ctl set str <Name of String Kernel Parameter> '<String Text>'

fw ctl set str <Name of String Kernel Parameter> "<String Text>"

On a Scalable Platform Security Group, run in Gaia gClish:

fw ctl set str <Name of String Kernel Parameter> '<String Text>'

fw ctl set str <Name of String Kernel Parameter> "<String Text>"

On a Scalable Platform Security Group, run in the Expert mode:

g_fw ctl set str <Name of String Kernel Parameter> '<String Text>'

g_fw ctl set str <Name of String Kernel Parameter> "<String Text>"

Example:

[Expert@MyGW:0]# fw ctl set str debug_filter_saddr_ip '1.1.1.1'
Set operation succeeded
[Expert@MyGW:0]#

Make sure the new value is configured.

On a Security Gateway / each Cluster Member, run in Gaia Clish or the Expert mode:

fw ctl get str <Name of String Kernel Parameter>

On a Scalable Platform Security Group, run in Gaia gClish:

fw ctl get str <Name of String Kernel Parameter>

On a Scalable Platform Security Group, run in the Expert mode:

g_fw ctl get str <Name of String Kernel Parameter>

Example:

[Expert@MyGW:0]# fw ctl get str debug_filter_saddr_ip
debug_filter_saddr_ip = '1.1.1.1'
[Expert@MyGW:0]#

Configuring a value for a Firewall string kernel parameter permanently

To make a kernel parameter configuration permanent (to survive reboot), you must edit one of the applicable configuration files:

For Firewall kernel parameters:

$FWDIR/boot/modules/fwkern.conf
For VPN kernel parameters:

$FWDIR/boot/modules/vpnkern.conf

The exact parameters appear in various SK articles in Check Point Support Center, and provided by Check Point Support.

Short procedure for the "fwkern.conf" file

Step

Instructions

Connect to the command line on your Security Gateway / each Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

Back up the current configuration file, if it exists:

On the Security Gateway (each Cluster Member), run:

cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}

On the Scalable Platform Security Group, run:

g_cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}

Configure the required Firewall kernel parameter with the assigned value in the exact format specified below.

Note - You must write the value in single quotes, or double quotes. Use one of these syntax options.

On a Security Gateway / each Cluster Member, run in Gaia Clish or the Expert mode:

fw ctl set -f str <Name_of_String_Kernel_Parameter> '<String_Text>'

fw ctl set -f str <Name_of_String_Kernel_Parameter> "<String_Text>"

On a Scalable Platform Security Group, run in the Expert mode:

g_fw ctl set -f str <Name_of_String_Kernel_Parameter> '<String_Text>'

g_fw ctl set -f str <Name_of_String_Kernel_Parameter> "<String_Text>"

Example:

[Expert@MyGW:0]# fw ctl set -f str ws_debug_ip_str '1.1.1.1'
"fwkern.conf" was updated successfully
[Expert@MyGW:0]#

Examine the configuration file.

On the Security Gateway / each Cluster Member, run:

cat $FWDIR/boot/modules/fwkern.conf

On the Scalable Platform Security Group, run:

g_cat $FWDIR/boot/modules/fwkern.conf

Reboot.

On the Security Gateway / Cluster Member, run:

reboot

Important - In cluster, this can cause a failover.

On the Scalable Platform Security Group, run:

g_reboot -a

Connect to the command line on your Security Gateway / each Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

Note - On Scalable Platforms (Maestro and Chassis), you must use Gaia gClish or the Expert mode.

Make sure the new value of the kernel parameter is configured.

On a Security Gateway / each Cluster Member, run in Gaia Clish or the Expert mode:

fw ctl get str <Name of String Kernel Parameter> [-a]

On a Scalable Platform Security Group, run in Gaia gClish:

fw ctl get str <Name of String Kernel Parameter> [-a]

On a Scalable Platform Security Group, run in the Expert mode:

g_fw ctl get str <Name of String Kernel Parameter> [-a]

Long procedure for the "fwkern.conf" and "vpnkern.conf" files

For more information, see sk26202: Changing the kernel global parameters for Check Point Security Gateway.

Step

Instructions

Connect to the command line on your Security Gateway / each Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

On a Security Gateway / each Cluster Member:

For Firewall kernel parameters, run:

ls -l $FWDIR/boot/modules/fwkern.conf

For VPN kernel parameters, run:

ls -l $FWDIR/boot/modules/vpnkern.conf

On a Scalable Platform Security Group:

For Firewall kernel parameters, run:

g_ls -l $FWDIR/boot/modules/fwkern.conf

For VPN kernel parameters, run:

g_ls -l $FWDIR/boot/modules/vpnkern.conf

If this file already exists, skip to Step 5.

If this file does not exist, then create it manually and then skip to Step 6.

On a Security Gateway / each Cluster Member:

For Firewall kernel parameters, run:

touch $FWDIR/boot/modules/fwkern.conf

For VPN kernel parameters, run:

touch $FWDIR/boot/modules/fwkern.conf

On a Scalable Platform Security Group:

For Firewall kernel parameters, run:

g_all touch $FWDIR/boot/modules/fwkern.conf

For VPN kernel parameters, run:

g_all touch $FWDIR/boot/modules/vpnkern.conf

Back up the current configuration file.

On a Security Gateway / each Cluster Member:

For Firewall kernel parameters, run:

cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}

For VPN kernel parameters, run:

cp -v $FWDIR/boot/modules/vpnkern.conf{,_BKP}

On a Scalable Platform Security Group:

For Firewall kernel parameters, run:

g_cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}

For VPN kernel parameters, run:

g_cp -v $FWDIR/boot/modules/vpnkern.conf{,_BKP}

Edit the current configuration file.

The same syntax applies to the Security Gateway / each Cluster Member and the Scalable Platform Security Group:

For Firewall kernel parameters, run:

vi $FWDIR/boot/modules/fwkern.conf

For VPN kernel parameters, run:

vi $FWDIR/boot/modules/vpnkern.conf

Add the required kernel parameter with the assigned value in the exact format specified below.

Important - These configuration files do not support space characters, tabulation characters, and comments (lines that contain the # character).

Note - You must write the value in single quotes, or double quotes. Use one of these syntax options.

<Name_of_String_Kernel_Parameter>='<String_Text>'

<Name_of_String_Kernel_Parameter>="<String_Text>"

Save the changes in the file and exit the editor.

On the Scalable Platform Security Group, copy the updated configuration file to all other Security Group Members:

For Firewall kernel parameters, run:

asg_cp2blades $FWDIR/boot/modules/fwkern.conf

For VPN kernel parameters, run:

asg_cp2blades $FWDIR/boot/modules/vpnkern.conf

Reboot.

On the Security Gateway / Cluster Member, run:

reboot

Important - In cluster, this can cause a failover.

On the Scalable Platform Security Group, run:

g_reboot -a

Connect to the command line on your Security Gateway / each Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

Note - On Scalable Platforms (Maestro and Chassis), you must use Gaia gClish or the Expert mode.

Make sure the new value of the kernel parameter is configured.

On a Security Gateway / each Cluster Member, run in Gaia Clish or the Expert mode:

fw ctl get str <Name of String Kernel Parameter> [-a]

On a Scalable Platform Security Group, run in Gaia gClish:

fw ctl get str <Name of String Kernel Parameter> [-a]

On a Scalable Platform Security Group, run in the Expert mode:

g_fw ctl get str <Name of String Kernel Parameter> [-a]

Removing the current value from a Firewall string kernel parameter temporarily

Important - This change does not survive reboot.

Step

Instructions

Connect to the command line on your Security Gateway or Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

Note - On Scalable Platforms (Maestro and Chassis), you must use Gaia gClish or the Expert mode.

Clear the current value from a string kernel parameter:

Note - You must set an empty value in single quotes, or double quotes. Use one of these syntax options.

On a Security Gateway / each Cluster Member, run in Gaia Clish or the Expert mode:

fw ctl set str '<Name of String Kernel Parameter>'

fw ctl set str "<Name of String Kernel Parameter>"

On a Scalable Platform Security Group, run in Gaia gClish:

fw ctl set str '<Name of String Kernel Parameter>'

fw ctl set str "<Name of String Kernel Parameter>"

On a Scalable Platform Security Group, run in the Expert mode:

g_fw ctl set str '<Name of String Kernel Parameter>'

g_fw ctl set str "<Name of String Kernel Parameter>"

Example:

[Expert@MyGW:0]# fw ctl set str debug_filter_saddr_ip ''
Set operation succeeded
[Expert@MyGW:0]#

Make sure the value is cleared (the new value is empty):

On a Security Gateway / each Cluster Member, run in Gaia Clish or the Expert mode:

fw ctl get str <Name of String Kernel Parameter>

On a Scalable Platform Security Group, run in Gaia gClish:

fw ctl get str <Name of String Kernel Parameter>

On a Scalable Platform Security Group, run in the Expert mode:

g_fw ctl get str <Name of String Kernel Parameter>

Example:

[Expert@MyGW:0]# fw ctl get str debug_filter_saddr_ip
debug_filter_saddr_ip = ''
[Expert@MyGW:0]#