Working with Global Parameters on a Security Gateway

Background

On a Security Gateway, Cluster Members, and Scalable Platform Security Group, you can control the default behavior of specific features by changing the values of the corresponding Check Point global parameters.

In the versions R81.20 and lower, you must configure the required values of the Check Point global parameters in various configuration files.

For example:

  • You configure the Firewall kernel parameters in the $FWDIR/boot/modules/fwkern.conf file.

  • You configure the SecureXL kernel parameters in the $PPKDIR/conf/simkern.conf file.

Starting in R82, you can view and configure the required values of the Check Point global parameters in these ways:

Configuration Method

Description and Instructions

Centralized

Database

Important:

The R82 release contains the new infrastructure.

Full support for the kernel parameters will be added gradually in the R82 Jumbo Hotfix Accumulator.

If cannot configure a kernel parameter using the new infrastructure, then use the legacy configuration files.

The information below describes the complete feature as if it already supports the configuration of kernel parameters.

Important - The centralized database has a higher priority than the legacy configuration files.

This method changes the value of the Check Point global parameters (in the current session, or permanently) in a centralized database instead of editing the legacy configuration files.

This feature is called "Config Point".

Use one of these commands:

Notes:

  • During an upgrade to R82 and during each boot of R82, Gaia OS automatically:

    1. Transfers the configured kernel parameters (that are not commented out) from the legacy configuration files $FWDIR/boot/modules/fwkern.conf and $FWDIR/boot/modules/fwkern.conf to the centralized database.

      Support for more legacy configuration files is planned for later versions.

    2. Comments out the configured kernel parameters in the legacy configuration files (adds the # character in the beginning of the line and adds the corresponding command at the end of the line).

  • If a kernel parameter value is already configured in the centralized database, and you configure a value for the same kernel parameter in the legacy configuration file, then during the next boot, the value from the legacy configuration file overrides the previous value in the centralized database.

Legacy

Configuration Files

This method changes the value of the Check Point global parameter in one of the legacy configuration files as done in R81.20 and lower.

For example, you configure kernel parameters in these files:

  • $FWDIR/boot/modules/fwkern.conf

  • $PPKDIR/conf/simkern.conf

Use these CLI commands (in Gaia Clish or the Expert mode) to configure kernel parameters:

  • fw ctl get int ...

  • fw ctl get str ...

  • fw ctl set [-f] int ...

  • fw ctl set [-f] str ...

For the complete procedure to configure kernel parameters, see the R82 Quantum Security Gateway Guide > Chapter "Working with Kernel Parameters".

Syntax to View Global Parameters in Gaia Clish / Gaia gClish

Notes:

  • On a VSNext Gateway / Legacy VSX Gateway, you must go to the context of the of the applicable Virtual Gateway / Virtual System:

    set virtual-system <ID>

  • The command "show global-param" does not show the kernel parameters configured in the legacy configuration files.

show global-param all

      [filter-by]

            modified [format {json | table}]

            not-default [format {json | table}]

            with-comments [format {json | table}]

      [format {json | table}]

show global-param path {all | <Full Path in DB> | <Path with Wildcards in DB>}

      [filter-by]

            modified [format {json | table}]

            not-default [format {json | table}]

            with-comments [format {json | table}]

      [format {json | table}]

Parameter

Description

show global-param all

Shows all global parameters with values, descriptions, and comments.

filter-by

Specifies a filter for the output:

  • modified

    Shows global parameters, whose values were configured explicitly.

  • not-default

    Shows global parameters, whose values are not default.

  • with-comments

    Shows global parameters with comments.

format {json | table}

Specifies the output format:

  • json - JSON.

  • table - table (this is the default).

show global-param path <Path in DB>

Specifies the path of a global parameter in the database:

  • all

    Shows all global parameters.

  • <Full Path in DB>

    Shows the global parameters based on the specified full path in the database.

  • <Path with Wildcards in DB>

    Shows the global parameters based on the specified path with wildcards "*" in the database:

    1. Enter the relevant path characters (at least 2 characters).

    2. Enter the * character in the relevant place.

    3. If needed, enter the relevant path characters.

    4. Press the Space key.

    5. Enter the sub-command "use-regex true".

    6. Press the Tab key to see the next available sub-command.

Syntax to Configure Global Parameters in Gaia Clish / Gaia gClish

Note - On a VSNext Gateway / Legacy VSX Gateway, you must go to the context of the of the applicable Virtual Gateway / Virtual System:

set virtual-system <ID>

set global-param path <Parameter Path in DB>

      comment "Comment Text"

      param-value <Parameter Value>

            comment "Comment Text"

            use-regex {true | false} dry-run {true | false}

            volatile true use-regex {true | false} dry-run {true | false}

      use-default {true | false}

            comment "Comment Text"

            use-regex {true | false} dry-run {true | false}

            volatile true use-regex {true | false} dry-run {true | false}

      volatile {true | false} use-regex {true | false} dry-run {true | false}

Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently. Scalable Platforms save the changes automatically.

Parameter

Description

set global-param path <Parameter Path in DB>

Configures the global parameter settings in the database.

You must specify one of these paths for the global parameter:

  • The full path in the database.

  • The path with wildcards "*" in the database:

    1. Enter the relevant path characters (at least 2 characters).

    2. Enter the * character in the relevant place.

    3. If needed, enter the relevant path characters.

    4. Press the Space key.

    5. Enter the sub-command "use-regex true".

    6. Press the Tab key to see the next available sub-command.

comment "Comment Text"

Configures the comment text (up to 256 characters) for the specified global parameter(s).

param-value <Parameter Value>

Configures a new value for the specified global parameter(s).

Different global parameters accept different value types:

  • integer.

  • boolean.

  • string.

The required values are provided in Check Point Support Center and by Check Point Support Engineers.

use-default {true | false}

Specifies whether to configure (true) or not (false, this is the default) the default value for the specified global parameter.

volatile {true | false}

Specifies whether to configure the new value only temporarily for the specified global parameter:

Important - By default, the new value is configured permanently.

  • volatile true

    Configures the new value for the specified global parameter only temporary - until the next reboot, or until you run "volatile false".

    During the next boot, the previous value of the specified global parameter is restored.

  • volatile false

    Restores the previous value for the specified global parameter after you ran "volatile true".

use-regex {true | false}

Specifies whether the specified global parameter's path includes wildcards "*" (true) or not (false, this is the default).

dry-run {true | false}

Specifies whether to save the new value for the specified global parameter permanently in the database:

  • dry-run true

    Does not save the new value for the specified global parameter - the change does not survive the reboot.

  • dry-run false

    Saves the new value for the specified global parameter - the change survives the reboot.

Syntax to View and Configure Global Parameters in the Expert mode

Notes:

  • On a VSNext Gateway / Legacy VSX Gateway, you must do one of these:

    • Run the command with the parameter "-vsid <ID>".

    • Go to the context of the of the applicable Virtual Gateway / Virtual System:

      vsenv <ID>

  • The "confp_cli show" command does not show the kernel parameters configured in the legacy configuration files.

confp_cli show

      [-p <Parameter Path in DB>]

      [{-fo | --format} {json | table}]

      [{-fi | --filter} {modified | not-default | with-comments}]

      [-vsid <ID>]

      [--member-id <Member ID>]

      ['<JSON input>']

confp_cli set

      [-p <Parameter Path in DB>]

      [-v <Parameter Value>]

      [-c "<Comment Text>"]

      [-d {true | false}]

      [-vsid {<ID> | all}]

      [{-vo | --volatile} {true | false}]

      [--regex {true | false}]

      [--dry-run {true | false}]

      [--distribute {true | false}]

      ['<JSON input>']

confp_cli fetch

confp_cli get

      [-p <Parameter Path in DB>]

      [-vsid <ID>]

confp_cli get_value

      [-p <Parameter Path in DB>]

      [-vsid <ID>]

      [{-fo | --format} {json | string | fwset}]

Parameter

Description

confp_cli show

Shows all global parameters with values, descriptions, and comments.

  • -p <Parameter Path in DB>

    Specifies the path of a global parameter in the database:

    • all

      Shows all global parameters.

    • <Full Path in DB>

      Shows the global parameters based on the specified full path in the database.

    • <Partial Path in DB>

      Shows the global parameters based on the path that starts with the specified characters in the database.

    • <Path with Wildcards in DB>

      Shows the global parameters based on the specified path with wildcards "*" in the database:

      1. Enter the relevant path characters (at least 2 characters).

      2. Enter the * character in the relevant place.

      3. If needed, enter the relevant path characters.

      You must also enter "--regex true".

  • {-fo | --format} {json | table}

    Specifies the output format:

    • json - JSON.

    • table - table (this is the default).

 
  • {-fi | --filter} {modified | not-default | with-comments}

    Specifies a filter for the output:

    • modified

      Shows global parameters, whose values were configured explicitly.

    • not-default

      Shows global parameters, whose values are not default.

    • with-comments

      Shows global parameters with comments.

  • -vsid <ID>

    On a VSNextGateway, specifies the ID of the Virtual Gateway.

    On a Legacy VSX Gateway, specifies the ID of the Virtual System.

  • --member-id <Member ID>

    On a Scalable PlatformSecurity Group, specifies the ID of the Security Group Member.

  • '<JSON input>'

    Specifies the input in the JSON format. Must be enclosed in single quote characters (' ').

confp_cli set

Configures the parameter value and comment

  • -p <Parameter Path in DB>

    Specifies the path of a global parameter in the database.

    You must specify one of these paths for the global parameter:

    • The full path in the database.

    • The partial path that starts with the specified characters in the database.

    • The path with wildcards "*" in the database:

      1. Enter the relevant path characters (at least 2 characters).

      2. Enter the * character in the relevant place.

      3. If needed, enter the relevant path characters.

      You must also enter "--regex true".

  • -v <Parameter Value>

    Specifies the new value for the global parameter.

    Different global parameters accept different value types:

    • integer.

    • boolean.

    • string.

    The required values are provided in Check Point Support Center and by Check Point Support Engineers.

 

  • -c "<Comment Text>"

    Configures the comment text (up to 256 characters) for the specified global parameter(s).

  • -d {true | false}

    Specifies whether to configure (true) or not (false, this is the default) the default value for the specified global parameter.

  • -vsid {<ID> | all}

    On a VSNext Gateway, specifies the ID of the Virtual Gateway.

    On a Legacy VSX Gateway, specifies the ID of the Virtual System.

    Enter "all" to apply the command to all IDs.

  • {-vo | --volatile} {true | false}

    Specifies whether to configure the new value only temporarily for the specified global parameter:

    Important - By default, the new value is configured permanently.

    • {-vo | --volatile} true

      Configures the new value for the specified global parameter only temporary - until the next reboot, or until you run "{-vo | --volatile} false".

      During the next boot, the previous value of the specified global parameter is restored.

    • {-vo | --volatile} false

      Restores the previous value for the specified global parameter after you ran "{-vo | --volatile} true"

 

  • --regex {true | false}

    Specifies whether the specified global parameter's path includes wildcards "*" (true) or not (false, this is the default).

  • --dry-run {true | false}

    Specifies whether to save the new value for the specified global parameter permanently in the database:

    • --dry-run true

      Does not save the new value for the specified global parameter - the change does not survive the reboot.

    • --dry-run false

      Saves the new value for the specified global parameter - the change survives the reboot.

  • --distribute {true | false}

    On a Scalable Platform Security Group, specifies whether to configure (true, this is the default) or not (false) the specified global parameters on all other Security Group Members.

  • '<JSON input>'

    Specifies the input in the JSON format. Must be enclosed in single quote characters (' ').

confp_cli fetch

Shows the names of all the existing global parameters.

confp_cli get

Shows the parameters, their values, and user tags:

  • -p <Parameter Path in DB>

    You must specify one of these paths for the global parameter:

    • The full path in the database.

    • The partial path that starts with the specified characters in the database.

  • -vsid <ID>

    On a VSNext Gateway, specifies the ID of the Virtual Gateway.

    On a Legacy VSX Gateway, specifies the ID of the Virtual System.

confp_cli get_value

Shows the parameters and their current values only:

  • -p <Parameter Path in DB>

    You must specify one of these paths for the global parameter:

    • The full path in the database.

    • The partial path that starts with the specified characters in the database.

  • -vsid <ID>

    On a VSNext Gateway, specifies the ID of the Virtual Gateway.

    On a Legacy VSX Gateway, specifies the ID of the Virtual System.

  • {-fo | --format} {json | string | fwset}

    Specifies the output format:

    • json - JSON (this is the default).

    • string - String.

    • fwset - Check Point FWSET format.

Syntax to Control the 'Config Point' in the Expert mode

Note - This command is for advanced troubleshooting only.

In the VSNext / VSX mode, this command applies to the entire Security Gateway.

config_point

      confirm_fixed_warnings

      generate_docs [{-s|--schema} <Full Path to Schema File>]

      restart

      start

      stop

      validate_schema [{-s|--schema} <Full Path to Schema File>]

Parameter

Description

confirm_fixed_warnings

Confirms that you resolved warnings / errors that appeared after an upgrade to R82.

For "Config Point" troubleshooting, see sk181917.

generate_docs [{-s | --schema} <Full Path to Schema File>]

Generates documentation for schema files.

If you do not specify a schema file, then this command generates documentation for all schema files in the /config_point/schemas/ directory.

restart

Restarts the 'Config Point' server.

start

Starts the 'Config Point' server after you stopped it.

stop

Stops the 'Config Point' server.

validate_schema [{-s | --schema} <Full Path to Schema File>]

Validates the schema files.

If you do not specify a schema file, then this command validates all schema files in the /config_point/schemas/ directory.