
Essential Check Point FireWall-1 NG: Chapter 6 -- Common Issues

25 Feb 2004 | Addison-Wesley Professional


This excerpt is from Chapter 6, Common Issues from the book Essential Check Point FireWall-1 NG written by Dameon D. Welch-Abernathy, and published by Addison-Wesley Professional. You can download the entire Chapter 6 here for free.

One of the weaknesses I felt the first edition of this book had was that it did not include enough Frequently Asked Questions (FAQs) of a more general nature, that is, things that might come up in the day-to-day operation of your firewall but didn't neatly fall into other chapters I've written. Since providing answers to FAQs about FireWall-1 is how I got to be well known within the FireWall-1 community in the first place, it seems fitting that I include a chapter in the book that is nothing but FAQs.

The FAQs in this chapter relate to error messages you might see in the operating system logs, on the console, and in SmartView Tracker/Log Viewer. The FAQs also cover other situations that the average firewall administrator needs to resolve that are more general in nature.

By the end of this chapter, you should be able to:

  • Configure your firewall to deal with some common situations
  • Diagnose common error messages that occur with your firewall
  • Recognize common issues that appear to be firewall-related but are not

Common Configuration Questions
In the course of using or configuring FireWall-1, a number of common configuration questions come up from time to time. The following subsections document the most common ones.

6.1: How Do I Modify FireWall-1 Kernel Variables?
Over the years, Check Point has introduced some rather obscure features by exposing "kernel variables" that can be tweaked to change certain behavior. While this is not the most elegant solution, it involves the least amount of work because it requires no GUI changes. Modifying kernel variables is relatively straightforward once you know how. You perform the appropriate commands for your platform and reboot.

Let us assume that the kernel variable we want to modify is fw_allow_udp_port0. For the record, this particular variable allows packets to be sent from or to UDP port 0, which FireWall-1 normally drops. In order to allow these kinds of packets, we need to change the value of this parameter to 1. The value can be specified in decimal or hexadecimal (precede with an 0x for hexadecimal).

In general, you can replace fw_allow_udp_port0 and 0x1 with the variable you want to modify and the value you wish to assign it, respectively.

On Solaris machines, add the following line to the bottom of the /etc/system file, and reboot:

set fw:fw_allow_udp_port0=0x1

On an IPSO system (VPN-1 Appliance or Nokia IPxxx), you need to get the modzap utility from Resolution 1261 in Nokia's Knowledge Base. You can then use the following command line to modify the fw_allow_udp_port0 parameter and reboot the system:

nokia[admin]# modzap _fw_allow_udp_port0 $FWDIR/boot/modules/fwmod.o 0x1

NOTE! On IPSO, all kernel variables begin with an underscore (_).

On a Linux platform, you simply add the following line to $FWDIR/boot/modules/fwkern.conf and restart FireWall-1 (no reboot required):

fw_allow_udp_port0=1

For Windows, there is no way to modify kernel variables without getting a special utility called fwpatch from Check Point support. In some cases, it is possible to tweak registry settings.
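
Because each kernel variable override changes what the firewall drops by default, it helps to be able to list which overrides are in place and to set one without leaving duplicate lines behind. The following shell functions are an added example, not code from the book or from Check Point: they read the Linux fwkern.conf and Solaris /etc/system line formats shown above, normalize decimal and 0x-prefixed values, and update a fwkern.conf-style file idempotently. The function names and the demo file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the book): audit and set FireWall-1 kernel variable
# overrides in the two file formats shown above. File paths are passed in by
# the caller; the demo file at the bottom is constructed.

# Print VALUE in decimal. Accepts decimal or 0x-prefixed hex, as the text allows.
norm_value() {
    case "$1" in
        0[xX]*) case "${1#0[xX]}" in ''|*[!0-9a-fA-F]*) return 1 ;; esac ;;
        ''|*[!0-9]*) return 1 ;;
        0?*) return 1 ;;   # leading zero would be read as octal; reject as ambiguous
    esac
    printf '%d\n' "$1"
}

# Print "name decimal_value" for every override in FILE.
# FORMAT: linux   -> fwkern.conf lines   "name=value"
#         solaris -> /etc/system lines   "set fw:name=value"
list_overrides() {
    case "$2" in
        linux)   prefix='' ;;
        solaris) prefix='set[[:space:]][[:space:]]*fw:' ;;
        *) echo "unknown format: $2" >&2; return 2 ;;
    esac
    sed -n "s/^[[:space:]]*${prefix}\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=[[:space:]]*\([^[:space:]]*\)[[:space:]]*\$/\1 \2/p" "$1" |
    while read -r name raw; do
        if val=$(norm_value "$raw"); then echo "$name $val"
        else echo "$name INVALID"; fi
    done
}

# Idempotently set NAME=VALUE in a fwkern.conf-style file (replace or append).
set_kernel_var() {
    file=$1 name=$2 value=$3
    norm_value "$value" >/dev/null || { echo "bad value: $value" >&2; return 1; }
    case "$name" in ''|[0-9]*|*[!A-Za-z0-9_]*) echo "bad name: $name" >&2; return 1 ;; esac
    tmp=$(mktemp) || return 1
    if [ -f "$file" ]; then grep -v "^[[:space:]]*${name}[[:space:]]*=" "$file" >"$tmp" || true; fi
    echo "${name}=${value}" >>"$tmp"
    cat "$tmp" >"$file" && rm -f "$tmp"
}

# Demo on a constructed file (not a real firewall path).
demo=$(mktemp)
printf 'fw_allow_udp_port0=0\n' >"$demo"
set_kernel_var "$demo" fw_allow_udp_port0 0x1
list_overrides "$demo" linux    # prints: fw_allow_udp_port0 1
rm -f "$demo"
```

Editing the file does not change the running kernel: the FireWall-1 restart (Linux) or reboot (Solaris) described above is still required.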
