Managing Ethernet Protocols

It is possible to configure a Security Gateway with a bridge interface to allow or drop protocols that are not based on IP and that pass through the bridge interface, for example, protocols that are not IPv4, IPv6, or ARP.

By default, these protocols are allowed by the Security Gateway.

Frames for protocols that are not IPv4, IPv6, or ARP are allowed if:

To configure the Security Gateway to accept only specific protocols that are not IPv4, IPv6, or ARP:

Step 1

On the Security Gateway, set the value of the kernel parameter fwaccept_unknown_protocol to 0.

Important - In a Cluster, you must configure all the Cluster Members in the same way.

  1. Connect to the command line on the Security Gateway.

  2. Log in to the Expert mode.

  3. Back up the current $FWDIR/boot/modules/fwkern.conf file:

    cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}

  4. Edit the current $FWDIR/boot/modules/fwkern.conf file:

    vi $FWDIR/boot/modules/fwkern.conf

  5. Add this line (spaces or comments are not allowed):

    fwaccept_unknown_protocol=0

  6. Save the changes in the file and exit the editor.

  7. Reboot the Security Gateway.

    If a reboot is not possible at this time, apply the value to the running kernel (the line in fwkern.conf takes effect at the next reboot):

    • Run this command to make the required change:

      fw ctl set int fwaccept_unknown_protocol 0

    • Run this command to make sure the required change was accepted:

      fw ctl get int fwaccept_unknown_protocol

Step 2

On the Management Server, edit the applicable user.def file.

Note - For the list of user.def files, see sk98239.

  1. Back up the current applicable user.def file.

  2. Edit the current applicable user.def file.

  3. Add these directives:

    • allowed_ethernet_protocols - contains the EtherType numbers (in hexadecimal) of the protocols to accept

    • dropped_ethernet_protocols - contains the EtherType numbers (in hexadecimal) of the protocols to drop

    For the list of EtherType numbers, see http://standards-oui.ieee.org/ethertype/eth.csv.

  4. Save the changes in the file and exit the editor.

Step 3

In SmartConsole, install the Access Control Policy on this Security Gateway object.
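The fwkern.conf part of Step 1 (back up, add exactly one line with no spaces or comments, verify) is easy to get wrong when the parameter is already present or the change is re-applied later. The following shell functions are an added example, not Check Point tooling: they take the path to fwkern.conf explicitly (on a gateway that is $FWDIR/boot/modules/fwkern.conf) and make the edit idempotent; the parameter and value names are the ones from this page, and the `some_other_param` line in the usage is a constructed placeholder.

```bash
#!/bin/bash
# set_fwkern_param <fwkern.conf path> <name> <value>
# Writes exactly one "name=value" line, keeping a _BKP copy of the file first.
set_fwkern_param() {
    conf="$1"; name="$2"; value="$3"

    # fwkern.conf lines must not contain spaces or comments; reject input
    # that would produce a malformed line instead of writing it.
    case "$name$value" in
        *[!A-Za-z0-9_]*) echo "invalid name or value: $name=$value" >&2; return 1 ;;
    esac

    # Backup before modifying, same convention as the procedure's step 3.
    if [ -f "$conf" ]; then
        cp "$conf" "${conf}_BKP"
    fi

    if [ -f "$conf" ] && grep -q "^${name}=" "$conf"; then
        # Parameter already present: replace its value in place so the file
        # never ends up with two conflicting lines for the same parameter.
        sed -i "s/^${name}=.*/${name}=${value}/" "$conf"
    else
        # Append exactly "name=value" on a line of its own.
        printf '%s=%s\n' "$name" "$value" >> "$conf"
    fi
}

# check_fwkern_param <fwkern.conf path> <name> <value>
# Returns 0 only if the file holds exactly one line for the parameter and that
# line is literally "name=value" (no spaces, no duplicates).
check_fwkern_param() {
    conf="$1"; name="$2"; value="$3"
    count=$(grep -c "^${name}=" "$conf" 2>/dev/null || true)
    [ "$count" -eq 1 ] && grep -qx "${name}=${value}" "$conf"
}

# Usage on the gateway (Expert mode), after which a reboot or
# "fw ctl set int fwaccept_unknown_protocol 0" applies the value at runtime:
#   set_fwkern_param "$FWDIR/boot/modules/fwkern.conf" fwaccept_unknown_protocol 0
#   check_fwkern_param "$FWDIR/boot/modules/fwkern.conf" fwaccept_unknown_protocol 0 && echo OK
```

The check function is what you would run on every Cluster Member to confirm they are configured the same way before installing policy.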