This excerpt is from Chapter 6, Common Issues of Essential Check Point FireWall-1 NG written by Dameon D. Welch-Abernathy,...
and published by Addison-Wesley Professional.
One of the weaknesses I felt the first edition of this book had was that it did not include enough Frequently Asked Questions (FAQs) of a more general nature, that is, things that might come up in the day-to-day operation of your firewall but didn't neatly fall into other chapters I've written. Since providing answers to FAQs about FireWall-1 is how I got to be well known within the FireWall-1 community in the first place, it seems fitting that I include a chapter in the book that is nothing but FAQs.
The FAQs in this chapter relate to error messages you might see in the operating system logs, on the console, and in SmartView Tracker/Log Viewer. The FAQs also cover other situations that the average firewall administrator needs to resolve that are more general in nature.
By the end of this chapter, you should be able to:
- Configure your firewall to deal with some common situations
- Diagnose common error messages that occur with your firewall
- Recognize common issues that appear to be firewall-related but are not
Common Configuration Questions
In the course of using or configuring FireWall-1, a number of common configuration questions come up from time to time. The following subsections document the most common ones.
6.1: How Do I Modify FireWall-1 Kernel Variables?
Over the years, Check Point has introduced some rather obscure features by exposing "kernel variables" that can be tweaked to change certain behavior. While this is not the most elegant solution, it involves the least amount of work because it requires no GUI changes. Modifying kernel variables is relatively straightforward once you know how. You perform the appropriate commands for your platform and reboot.
Let us assume that the kernel variable we want to modify is fw_allow_udp_port0. For the record, this particular variable allows packets to be sent from or to UDP port 0, which FireWall-1 normally drops. In order to allow these kinds of packets, we need to change the value of this parameter to 1. The value can be specified in decimal or hexadecimal (precede it with 0x for hexadecimal).
In general, you can substitute for fw_allow_udp_port0 and 0x1 the name of the variable you want to modify and the value you wish to assign to it, respectively.
On Solaris machines, add the following line to the bottom of the /etc/system file, and reboot:
On an IPSO system (VPN-1 Appliance or Nokia IPxxx), you need to get the modzap utility from Resolution 1261 in Nokia's Knowledge Base. You can then use the following command line to modify the fw_allow_udp_port0 parameter and reboot the system:
nokia[admin]# modzap _fw_allow_udp_port0
On a Linux platform, you simply add the following line to $FWDIR/boot/modules/fwkern.conf and restart FireWall-1 (no reboot required):
For Windows, there is no way to modify kernel variables without getting a special utility called fwpatch from Check Point support. In some cases, it is possible to tweak registry settings.
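Because the value of a kernel variable silently changes what the firewall enforces (in this example, whether UDP port 0 traffic is dropped), an administrator usually wants the setting written exactly once, with the name and value checked before anything touches the boot configuration. The following script is an added example, not code from the book or from Check Point; it assumes the Linux fwkern.conf file holds one "name=value" line per variable (the chapter does not print the exact line, so treat that format as an assumption and check it against your own installation) and takes the file path as an argument so it can be exercised on a scratch copy before being pointed at $FWDIR/boot/modules/fwkern.conf. The Solaris, IPSO and Windows methods described above are different mechanisms and are not covered by it.

```shell
#!/bin/sh
# Added example (not from the book): idempotently record a FireWall-1
# kernel-variable setting in a Linux-style fwkern.conf.
# Assumed file format: one "name=value" line per variable.

# A variable name is assumed to be a plain C-style identifier.
valid_name() {
    echo "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$'
}

# The chapter says values may be decimal or 0x-prefixed hexadecimal;
# anything else is rejected before the file is touched.
valid_value() {
    echo "$1" | grep -Eq '^([0-9]+|0x[0-9a-fA-F]+)$'
}

# set_kernel_var FILE NAME VALUE
# Replaces an existing NAME= line or appends a new one, so re-running
# the script never leaves two conflicting assignments. Returns 1 on bad input.
set_kernel_var() {
    file=$1; name=$2; value=$3
    valid_name "$name"   || { echo "bad variable name: $name" >&2; return 1; }
    valid_value "$value" || { echo "bad value: $value" >&2; return 1; }
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    # keep every line except an earlier assignment of this variable
    # (grep -v exits 1 when nothing is left, which is not an error here)
    grep -v "^$name=" "$file" > "$tmp" || true
    printf '%s=%s\n' "$name" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# get_kernel_var FILE NAME
# Prints the configured value, or nothing if the variable is not set.
get_kernel_var() {
    sed -n "s/^$2=//p" "$1"
}

# Usage (against a scratch file first):
#   set_kernel_var /tmp/fwkern.conf.test fw_allow_udp_port0 0x1
#   get_kernel_var /tmp/fwkern.conf.test fw_allow_udp_port0
```

After writing the real file, FireWall-1 still has to be restarted for the value to take effect, exactly as the Linux step above says; the script only manages the file contents.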