https://community.checkpoint.com/t5/Firewall-and-Security-Management/nac-max-enforced-identities-parameter-in-fwkern-conf/m-p/133006#M19768 <P>Hi,</P><P>we've been having this parameter occuring for quite some time now, at first for 80.40 machines with Take ~ &gt;100 and now also for 80.30 (atleast on Jumbo 236).</P><P>There is only one community post about it:<BR /><A href="https://community.checkpoint.com/t5/Security-Gateways/fwkern-conf-modified-at-boot/td-p/115506" target="_blank">https://community.checkpoint.com/t5/Security-Gateways/fwkern-conf-modified-at-boot/td-p/115506</A></P><P>and also only one SK where it is mentioned at all (But it's referring to typos and syntax):<BR /><A href="https://supportcenter.checkpoint.com/supportcenter/portal?solutionid=sk173544" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?solutionid=sk173544</A></P><P>The default value seems to be 30k, which it is set to 90k automatically after rebooting the gateway.</P><P>The HCP on Jumbo 236 is not able to handle the parameter properly (ERROR: Parameter not supported or typo issue),<BR />but as it is the only value in our fwkern.conf that shouldn't be too much of an issue:</P><P>#cat $FWDIR/boot/modules/fwkern.conf<BR />nac_max_enforced_identities=90000</P><P>Should be some IA related value, but I don't think that this value will ever be relevant to our relatively small company.</P><P>Has any of you looked further into this and maybe knows what it does and why it is changed?<BR />Maybe anyone did in fact open a TAC case for this and already got an explaining answer <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P><BR />Best Regards,<BR />Jonas</P> Mon, 01 Nov 2021 11:16:08 GMT Jonas_Meineke 2021-11-01T11:16:08Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/nac-max-enforced-identities-parameter-in-fwkern-conf/m-p/133006#M19768 <P>Hi,</P><P>we've been having this parameter occuring for quite some time now, at first for 80.40 machines with Take ~ &gt;100 and now also for 80.30 (atleast on Jumbo 236).</P><P>There is only one community post about it:<BR /><A href="https://community.checkpoint.com/t5/Security-Gateways/fwkern-conf-modified-at-boot/td-p/115506" target="_blank">https://community.checkpoint.com/t5/Security-Gateways/fwkern-conf-modified-at-boot/td-p/115506</A></P><P>and also only one SK where it is mentioned at all (But it's referring to typos and syntax):<BR /><A href="https://supportcenter.checkpoint.com/supportcenter/portal?solutionid=sk173544" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?solutionid=sk173544</A></P><P>The default value seems to be 30k, which it is set to 90k automatically after rebooting the gateway.</P><P>The HCP on Jumbo 236 is not able to handle the parameter properly (ERROR: Parameter not supported or typo issue),<BR />but as it is the only value in our fwkern.conf that shouldn't be too much of an issue:</P><P>#cat $FWDIR/boot/modules/fwkern.conf<BR />nac_max_enforced_identities=90000</P><P>Should be some IA related value, but I don't think that this value will ever be relevant to our relatively small company.</P><P>Has any of you looked further into this and maybe knows what it does and why it is changed?<BR />Maybe anyone did in fact open a TAC case for this and already got an explaining answer <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P><BR />Best Regards,<BR />Jonas</P> Mon, 01 Nov 2021 11:16:08 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/nac-max-enforced-identities-parameter-in-fwkern-conf/m-p/133006#M19768 Jonas_Meineke 2021-11-01T11:16:08Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/nac-max-enforced-identities-parameter-in-fwkern-conf/m-p/133011#M19769 <P>The parameter is related to global kernel tables infrastructure and not Identity Awareness. It is indeed set automatically during boot sequence, and the correct value is 90000. If you have any issue with that, please open a TAC case, otherwise, please live as is.</P> Mon, 01 Nov 2021 12:02:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/nac-max-enforced-identities-parameter-in-fwkern-conf/m-p/133011#M19769 _Val_ 2021-11-01T12:02:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/nac-max-enforced-identities-parameter-in-fwkern-conf/m-p/133014#M19770 <P>Hi Val,</P><P>that's good to know atleast; We didn't plan to remove it (as I think it will be reset again anyway), since we didn't face any issues.</P><P>We just wanted to know where it comes from and what it in fact does, or rather, why it should be relevant to us.<BR />As there is no explanation about this parameter anywhere on the usual Check Point sites.<BR /><BR />Kinda strange to me, that it is written to the fwkern.conf during reboot, instead of changing the default value directly.</P> Mon, 01 Nov 2021 12:39:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/nac-max-enforced-identities-parameter-in-fwkern-conf/m-p/133014#M19770 Jonas_Meineke 2021-11-01T12:39:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/nac-max-enforced-identities-parameter-in-fwkern-conf/m-p/133031#M19773 <P>I just gave you one, didn’t I? It is a parameter related to new global kernel tables architecture. This is all you need to know. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 01 Nov 2021 16:29:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/nac-max-enforced-identities-parameter-in-fwkern-conf/m-p/133031#M19773 _Val_ 2021-11-01T16:29:21Z