https://community.checkpoint.com/t5/Firewall-and-Security-Management/Asymmetric-structure-network-test/m-p/134469#M20152 <P>It should apply fwkern.conf on reboot.<BR />If not, I recommend a TAC case.<BR /><BR /></P> Fri, 19 Nov 2021 07:30:41 GMT PhoneBoy 2021-11-19T07:30:41Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Asymmetric-structure-network-test/m-p/134207#M20083 <P>Hello,</P><P><SPAN>I conducted a network test of asymmetric structure.</SPAN></P><P>&nbsp;</P><P><SPAN>1. Check packet drop&nbsp; icmp&nbsp; in asymmetric structure network test.</SPAN></P><P>----------------------------------------------------------------</P><P>[Expert@test2:0]# fw ctl zdebug + drop</P><P>@;103266;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=1 200.0.0.100:0 -&gt; 100.0.0.100:17460 dropped by fw_first_packet_state_checks Reason: ICMP reply does not match a previous request;<BR />@;103467;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=1 200.0.0.100:0 -&gt; 100.0.0.100:17459 dropped by fw_first_packet_state_checks Reason: ICMP reply does not match a previous request;<BR />@;103601;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=1 200.0.0.100:0 -&gt; 100.0.0.100:17458 dropped by fw_first_packet_state_checks Reason: ICMP reply does not match a previous request;</P><P>----------------------------------------------------------------</P><P><SPAN>2. fw ctl get int fw_allow_out_of_state_icmp is checked, value 0</SPAN></P><P>[Expert@test2:0]# fw ctl get int fw_allow_out_of_state_icmp<BR />fw_allow_out_of_state_icmp = 0<BR />[Expert@test2:0]# fw ctl get int fw_allow_out_of_state_tcp<BR />fw_allow_out_of_state_tcp = 0</P><P>----------------------------------------------------------------</P><P>3. fw ctl set -f int fw_allow_out_of_state_icmp 1 / cat&nbsp;$FWDIR/boot/modules/fwkern.conf file</P><P>[Expert@test2:0]# cat $FWDIR/boot/modules/fwkern.conf</P><P>fw_allow_out_of_state_icmp=1</P><P>----------------------------------------------------------------</P><P><SPAN>After setting it up, the ping test was successful.</SPAN></P><P><SPAN>when rebooting, the value of the fwkern.conf file remains the same.</SPAN></P><P><SPAN>but when fw ctl get int fw_allow_out_state_icmp is entered, fw_allow_out_of_state_icmp = 0.</SPAN></P><P><SPAN>Ping test failed when rebooting.</SPAN></P><P>&nbsp;</P><P>Gateway OS version R81..</P><P>I know the setting value of $FWDIR/boot/modules/fwkern.conf should be applied first booted when booting the equipment.</P><P><SPAN>But wouldn't it be applied if I reboot it?</SPAN></P><P><SPAN>Please help me..</SPAN></P> Wed, 17 Nov 2021 05:16:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Asymmetric-structure-network-test/m-p/134207#M20083 csh 2021-11-17T05:16:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Asymmetric-structure-network-test/m-p/134469#M20152 <P>It should apply fwkern.conf on reboot.<BR />If not, I recommend a TAC case.<BR /><BR /></P> Fri, 19 Nov 2021 07:30:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Asymmetric-structure-network-test/m-p/134469#M20152 PhoneBoy 2021-11-19T07:30:41Z