Friday, May 29, 2015

Checkpoint firewall - How to list all kernel parameters

Kernel parameters on a Checkpoint firewall can be queried with the command
fw ctl get <kernel_param>
Most of the time you find the kernel parameter you need by reading a Checkpoint SK (SecureKnowledge article) or some other article on the Internet.

I found an interesting article provided by Checkpoint to dump all kernel parameters on a firewall by probing the fwmod kernel module.

By logging in to a Checkpoint firewall in Expert mode it is possible to use the standard Linux command modinfo to read the parameter list straight from the Checkpoint kernel module.

Here is a brief example:

[Expert@cpfw:0]# modinfo /opt/CPsuite-R77/fw1/boot/modules/fwmod.2.6.18.cp.x86_64.o

filename:       /opt/CPsuite-R77/fw1/boot/modules/fwmod.2.6.18.cp.x86_64.o
depends:       
vermagic:       2.6.18-92cpx86_64 SMP mod_unload gcc-4.1
description:    Check Point FW-1 drv NG module
author:         Check Point Software Technologies Ltd.
parm:           kiss_pm_stats_pattern:string param (string)
parm:           pm_callback_test_compile_lss:string param (string)
parm:           pm_callback_test_compile_re:string param (string)
parm:           pm_callback_test_compile:_type (int)
parm:           pm_callback_test_buffer:string param (string)
parm:           pm_callback_test_reset_test:_type (int)
parm:           kshmem_debug:_type (int)

With the following pipeline it is possible to obtain the list of integer parameters and their values on a running firewall: modinfo -p lists the parameters, grep _type keeps the integer ones (the string parameters show up as "string param (string)" instead), awk keeps the name before the colon, and xargs queries each name with fw ctl get int, appending both output and errors to the log file:

[Expert@FW]# modinfo -p $FWDIR/boot/modules/fwmod.2.6.*.o | sort -u | grep _type | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get int 1>> /var/log/fw_kernel_parameters.txt 2>> /var/log/fw_kernel_parameters.txt

Let's see some parameters and values now:
accept_conn_on_cifs_out_of_state = 0
accept_stateful_udp_replies_for_unknown_services = -1
activate_optimize_drops_support_now = 0
allow_ad_bit_in_query = 1
allow_dnssec_bit = 1
allow_dynamic_objects_remove_templates = 0
allow_dynamic_objects_without_ip = 0
allow_network_bcast = 1
allow_override_links = 1
allow_unencrypted_portals = 2
anti_malware_random_memory_failure = 0
appi_data_conn_fw_detection_enabled = 1
appi_data_conn_inspection_enabled = 1
appi_db_shmem_enabled = 1

Now, what is the meaning and usage of all these parameters? Who knows. Maybe we should ask Checkpoint directly, or change them and see what happens...
