topic Re: Kernel global parameters - the most useful settings in General Topics

Kernel global parameters - the most useful settings

Benoit_Verove — Fri, 16 Nov 2018 08:29:43 GMT

Hi Checkmates,

One of the greatest thing with Check Point products is that you can deeply adapt and customize configuration to fit your needs.

Once, someone from Check Point told me "Check Point, it is a car with manual gear, you really decide how the gateway behaves". Ok why not, but let's stop here this automotive metaphore.

One thing to adapt is kernel global parameters. Every Check Point engineer reguarly have to set specific value for specific architectures, specific constraints, ...

See SK26202 to know how to set kernel global parameters.

I would like to start a discussion to gather recommandations about kernel parameters

The purpose is not to document here all possible parameters and values, but the most useful, based on your experience.

So, I start with 2 useful settings that I often configure in my cluster deployments :

fwha_forw_packet_to_not_active
- Default value : 0. The active member doesn't route packets to the standby member.Set it to "1" if you need to join standby's interfaces throught the active member
fw_allow_simultaneous_ping
- Default value : 0. You can only ping the virtual IP of the cluster, not the real IP of the active memberSet it to "1" and you'll ping both.

Based on your inputs, maybe we might then create a configuration script to automate some kernel settings. Open discussion.

Regards,

Benoit

Re: Kernel global parameters - the most useful settings

Kaspars_Zibarts — Fri, 16 Nov 2018 09:53:01 GMT

It's very hard to give "general" recommendations. We have 30+ firewalls in the network and we treat fwkern tweaking carefully as you may create problems if you set wrong parameter on wrong firewall - i.e. whether it's normal or VSX gateway, or chassis or management, what release it is running etc. You would need to keep separate tables depending on those inputs to start with and that might get messy.

But I would certainly recommend to keep your "own set" for your network.

One that could be fairly generic and we prefer it, is to monitor all VLANs in ClusterXL

fwha_monitor_all_vlan=1

Monitors all VLANs in ClusterXL - both in VSX mode and in Gateway mode. Used to discover issues with VLAN configurations or to make sure all VLANs are working properly

Re: Kernel global parameters - the most useful settings

Benoit_Verove — Fri, 16 Nov 2018 10:22:44 GMT

Hi Kaspars,

Thank you for your input.

I completly agree : there isn't a single set of settings that could fit for all and such tweaking must be handle with care.

Regards,

Benoit

Re: Kernel global parameters - the most useful settings

Timothy_Hall — Fri, 16 Nov 2018 14:19:49 GMT

There are a couple of useful kernel variables mentioned here:

Best of CheckMates CLI

Note that you can also dump every possible kernel variable (both for INSPECT and SecureXL/sim) as described here:

sk33156: Creating a file with all the kernel parameters and their values

Did this while performing research for my book and found all kinds of interesting undocumented variables...tweak them at your own risk though...

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Re: Kernel global parameters - the most useful settings

JozkoMrkvicka — Fri, 16 Nov 2018 21:07:17 GMT

prior to R77.30, the most important parameter in fwkern.conf was "MAC magic" and "forward MAC magic".

Some additional parameters related to CUL mechanism and policy installation timeouts.

Re: Kernel global parameters - the most useful settings

AlekseiShelepov — Mon, 19 Nov 2018 09:20:20 GMT

I would like to add that fwha_forw_packet_to_not_active parameter is also connected with solution for many possible issues:

Connection from one side of the ClusterXL destined to the physical IP address of a non-Active cluster member…

Simultaneously pinging the cluster members and the VIP address...

"Contract entitlement check failed" error on policy installation failure

Cluster debug shows "FW-1: fwha_forw_ssl_handler: Rejecting ssl packets to a non-active member"

"ERR_CONNECTION_REFUSED" error is displayed in web browser when connecting to Gaia Portal

Updates For Anti-Virus/Anti-Bot/Application Control/URLF blades are not working on standby ClusterXL member

Cluster debug shows "FW-1: fwha_forw_ssl_handler: Rejecting ssl packets to a non-active member"

So, in my opinion, enabling this could be considered a "best practice" even.

Re: Kernel global parameters - the most useful settings

Maarten_Sjouw — Tue, 20 Nov 2018 19:29:17 GMT

Don't forget the MSS clamping parameters, specially when a VPN is in the picture you can solve a lot of problems, including performance, by adding MSS Clamping.

New VPN features in VPN in R77.20 and later

This also requires some changes to another file simkern.conf. when applied to a VPN