https://community.checkpoint.com/t5/Firewall-and-Security-Management/Missing-fwkern-conf-What-environment-variables-are-currently/m-p/29430#M2350 <HTML><HEAD></HEAD><BODY><P>Thanks for that Aleksei. Some of their gateways have been up for over <STRONG>900</STRONG> days, where as the rest have an up-time of between 3-350 days.</P><P></P><P>Looking at their As-Builds, it doesn't state any such config, however the As-Builds are incorrect, as I've come to learn myself.</P><P></P><P>Think I'll just bite the bullet then and carry on and list that as a caveat in my documentation.</P></BODY></HTML> Wed, 14 Feb 2018 18:51:13 GMT Ray_Lal 2018-02-14T18:51:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Missing-fwkern-conf-What-environment-variables-are-currently/m-p/29428#M2348 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>I have a customer who's running R77.20 for their G/W's and Logs, and 77.30 for their CMA.</P><P></P><P>I am upgrading their gateways and logs to R77.30, however the one concern I have is that since they dont have any fwkern.conf files, whatever environment variables they have running will not survive a reboot.</P><P></P><P>Is there any magic command I can run to do this?</P><P></P><P>I will be taking a snapshot, but small niggly things could cause alot of headaches weeks down the line.</P><P></P><P>Thanks.</P></BODY></HTML> Wed, 14 Feb 2018 03:22:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Missing-fwkern-conf-What-environment-variables-are-currently/m-p/29428#M2348 Ray_Lal 2018-02-14T03:22:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Missing-fwkern-conf-What-environment-variables-are-currently/m-p/29429#M2349 <HTML><HEAD></HEAD><BODY><P>It is a normal situation - to not have fwkern.conf file. Usually administrators creates this file&nbsp;himself, for these additional kernel settings to survive a reboot, when they are required for sure. If there is no fwkern.conf file and admin doesn't know about any additional parameters, I would assume that they are not needed in this case. Because even in case of power outage they need to somehow restore these parameters.</P><P>And did they never reboot their gateways? It is not a good&nbsp;practice for Check Point gateways.</P><P></P><P>I think this is what you need, but I never used it myself in practice:</P><P><STRONG><A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk33156" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk33156">Creating a file with all the kernel parameters and their values</A>&nbsp;</STRONG></P><P></P><P>If the solution above is not working, or you want to make sure and verify, you can get a parameter value with <SPAN style="font-size: 12px;"><STRONG style="font-family: terminal, monaco, monospace;">fw ctl get int &lt;parameter&gt;</STRONG> </SPAN>command. But for that you need to know the exact name of a parameter. So you can try to find out if some of oftenly used parameters are changed, for example:</P><P><SPAN style="font-size: 12px;"><STRONG style="font-family: terminal, monaco, monospace;">fw ctl get int fwha_mac_magic</STRONG></SPAN><BR /><SPAN style="font-size: 12px;"><STRONG style="font-family: terminal, monaco, monospace;">fw ctl get int&nbsp;fwha_mac_forward_magic</STRONG></SPAN></P><P><SPAN style="font-size: 12px;"><STRONG style="font-family: terminal, monaco, monospace;">fw ctl get int&nbsp;fwha_forw_packet_to_not_active</STRONG></SPAN></P><P style="font-weight: 400;"></P><P style="font-weight: 400;">Here is a list of some other parameters -&nbsp;<A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk33285" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk33285">Kernel Global Parameters</A>&nbsp;</P><P style="font-weight: 400;">And you can try to find some other ones on Support Center in different sk by searching "kernel parameters":</P><P style="font-weight: 400;"><A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk103656" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk103656">Dynamic NAT port allocation feature</A>&nbsp;</P><P style="font-weight: 400;"><A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk43872" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk43872">ClusterXL - CCP packets and fwha_timer_cpha_res kernel parameter</A>&nbsp;</P></BODY></HTML> Wed, 14 Feb 2018 07:31:17 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Missing-fwkern-conf-What-environment-variables-are-currently/m-p/29429#M2349 AlekseiShelepov 2018-02-14T07:31:17Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Missing-fwkern-conf-What-environment-variables-are-currently/m-p/29430#M2350 <HTML><HEAD></HEAD><BODY><P>Thanks for that Aleksei. Some of their gateways have been up for over <STRONG>900</STRONG> days, where as the rest have an up-time of between 3-350 days.</P><P></P><P>Looking at their As-Builds, it doesn't state any such config, however the As-Builds are incorrect, as I've come to learn myself.</P><P></P><P>Think I'll just bite the bullet then and carry on and list that as a caveat in my documentation.</P></BODY></HTML> Wed, 14 Feb 2018 18:51:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Missing-fwkern-conf-What-environment-variables-are-currently/m-p/29430#M2350 Ray_Lal 2018-02-14T18:51:13Z