Managing Ethernet Protocols

It is possible to configure a Security Gateway with a bridge interface to allow or drop protocols that are not based on IP and that pass through the bridge interface, for example, protocols that are not IPv4, IPv6, or ARP.

By default, these protocols are allowed by the Security Gateway.

Frames for protocols that are not IPv4, IPv6, or ARP are allowed if:

To configure the Security Group to accept only specific protocols that are not IPv4, IPv6, or ARP:

Step 1: On the Security Group, configure the value of the kernel parameter fwaccept_unknown_protocol to 0.

  1. Connect to the command line on the Security Group.

  2. Log in to the Expert mode.

  3. Configure the value of the kernel parameter fwaccept_unknown_protocol to 0:

    g_update_conf_file fwkern.conf fwaccept_unknown_protocol=0

  4. Reboot the Security Group.

    If the reboot is not possible at this time, then:

    • Run this command to make the required change:

      g_fw ctl set int fwaccept_unknown_protocol 0

    • Run this command to make sure the required change was accepted:

      g_fw ctl get int fwaccept_unknown_protocol

Step 2: On the Management Server, edit the applicable user.def file.

Note - For the list of user.def files, see sk98239.

  1. Back up the current applicable user.def file.

  2. Edit the current applicable user.def file.

  3. Add these directives:

    • allowed_ethernet_protocols - contains the EtherType numbers (in Hex) of protocols to accept

    • dropped_ethernet_protocols - contains the EtherType numbers (in Hex) of protocols to drop

    For the list of EtherType numbers, see http://standards-oui.ieee.org/ethertype/eth.csv.

  4. Save the changes in the file and exit the editor.

Step 3: In SmartConsole, install the Access Control Policy on the Security Gateway object.
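Before the EtherType lists go into user.def, it helps to sanity-check them (no overlap between the two lists, no IPv4/IPv6/ARP EtherTypes, valid hex values) and to see how a given frame would be treated. The Python script below is an added example, not Check Point code or the user.def syntax; its verdict() function is a simplified model of the behaviour the steps describe (drop list, then allow list, then the fwaccept_unknown_protocol default) and is an assumption, not the gateway's implementation.

```python
import struct

# EtherTypes of traffic the bridge inspects with the regular Access Control
# policy; they do not belong in either user.def list (values from the IEEE registry).
IP_ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP"}


def parse_ethertypes(text):
    """Parse a comma/space separated list of hex EtherTypes, e.g. "0x88CC, 88E5",
    into a set of ints. Values below 0x0600 are 802.3 length fields, not EtherTypes."""
    values = set()
    for token in text.replace(",", " ").split():
        value = int(token, 16)
        if not 0x0600 <= value <= 0xFFFF:
            raise ValueError(f"{token} is not a valid EtherType")
        values.add(value)
    return values


def check_lists(allowed, dropped):
    """Return the problems a reviewer should fix before the lists go into user.def."""
    problems = []
    for value in sorted(allowed & dropped):
        problems.append(f"0x{value:04X} is listed as both allowed and dropped")
    for value in sorted((allowed | dropped) & set(IP_ETHERTYPES)):
        problems.append(f"0x{value:04X} ({IP_ETHERTYPES[value]}) is handled by the Access Control policy")
    return problems


def outer_ethertype(frame):
    """EtherType of a raw Ethernet frame; steps over one 802.1Q tag (0x8100) to the inner type."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == 0x8100:
        ethertype = struct.unpack_from("!H", frame, 16)[0]
    return ethertype


def verdict(frame, allowed, dropped, accept_unknown):
    """Simplified model (assumption): IP/ARP -> policy, dropped list -> drop,
    allowed list -> accept, otherwise the fwaccept_unknown_protocol default decides."""
    ethertype = outer_ethertype(frame)
    if ethertype in IP_ETHERTYPES:
        return "policy"
    if ethertype in dropped:
        return "drop"
    if ethertype in allowed:
        return "accept"
    return "accept" if accept_unknown else "drop"


def make_frame(ethertype, payload=b"\x00" * 46):
    """Constructed test frame with placeholder broadcast/locally administered MACs."""
    return b"\xff" * 6 + b"\x02" * 6 + struct.pack("!H", ethertype) + payload
```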