topic Re: fwkern.conf modified at boot. in Firewall and Security Management

fwkern.conf modified at boot.

Florian_B — Wed, 07 Apr 2021 14:07:36 GMT

Hi, first time posting here. Apologies in advance for my limited english : )

So, we've been working with Checkpoint for years now, but since the 80.40 Jumbo 100 update applied a few days ago, the strangest bug happens.

At boot, the fwkern.conf file is being backup in a new file, copy_fwkern.conf, and a line added at the end of the custom fwkern.conf. But the addition is messed up, and If I reboot with this fwkern.conf, the gateway is stuck at loading.

So, I believe is was a problem due tu multiples updates on top of another. I re-done a gateway (we are in high availability cluster) from scratch, starting with the r80.40 iso, and then patching up to latest jumbo 100. No restore, no snapshot used. Same behaviour.

This is my fwkern.conf :

cphwd_nat_templates_support=1
cphwd_nat_templates_enabled=1
enhanced_ssl_inspection=0
bypass_on_enhanced_ssl_inspection=1
fwha_resend_arp_unicast=1
fwha_forw_packet_to_not_active=1
fwha_arp_forward_standby=1

after a reboot :

nac_max_enforced_identities=90000

Doesn't matter if I put the file in read only, since it's regenerated at boot... Before opening a ticket, have you some stuff to look at ?

Thx 🙂

Florian -

Re: fwkern.conf modified at boot.

genisis__ — Wed, 07 Apr 2021 20:06:12 GMT

I would open a TAC case regardless

Re: fwkern.conf modified at boot.

Florian_B — Thu, 08 Apr 2021 05:47:55 GMT

Yes, I did too, I'm waiting for the support now. It's really strange. If I delete fwkern.conf, It comes back after a reboot, with the same nac_max_enforced_identities=90000 line only... So something is generating or adding this line to the file, but I really don't know what... Especially since it's doing the same thing on a "brand new" gateway too...

Re: fwkern.conf modified at boot.

genisis__ — Thu, 08 Apr 2021 08:05:07 GMT

I don't have the entry in our systems but we are running JHFA91 at the moment.

Re: fwkern.conf modified at boot.

Florian_B — Thu, 08 Apr 2021 08:08:09 GMT

We didn't have the problem with the Take 93. It's really since the Take 100... I'll let you know what the support says.

Re: fwkern.conf modified at boot.

genisis__ — Thu, 08 Apr 2021 13:18:48 GMT

Great, have you also seen reduced CPU utilisation since applying JHFA100?

Also are you running Identity Awareness blade? Wondering if it has something to do with that parameter.

Re: fwkern.conf modified at boot.

PhoneBoy — Mon, 12 Apr 2021 05:11:56 GMT

The parameter name suggests it's related to Identity Awareness.

Re: fwkern.conf modified at boot.

HeikoAnkenbrand — Mon, 12 Apr 2021 06:23:56 GMT

I would open a TAC case.

As an emergency solution. You can also set the file with an "s" or "t" bit, then it can no longer be overwritten by the system:

chmod u+s fwkern.conf

The chmod command is also capable of changing the additional permissions or special modes of a file or directory. The symbolic modes use 's' to represent the setuid and setgid modes, and 't' to represent the sticky mode. The modes are only applied to the appropriate classes, regardless of whether or not other classes are specified.