knassif
Participant

Is there any way or command on a Check Point firewall gateway to ignore the DF bit flag and assemble traffic as normal?

Thanks

0 Kudos
knassif
Participant

And this is for regular traffic, not for VPN traffic. Is there a way to ignore that DF bit flag on the firewall with a command?

0 Kudos
the_rock
Legend

Not sure about regular traffic, but this is the best I can find.

Andy

https://support.checkpoint.com/results/sk/sk39270

0 Kudos
PhoneBoy
Admin

This SK is mostly relevant for VPN.
In Linux, at least according to here, the way you would do this would be something like:

  • ip route add 192.168.1.0/24 dev eth0 mtu lock 1500

You can try this in expert mode and see if it works.
Replace 192.168.1.0/24 with the subnet that requires DF be cleared.
However, I cannot say if this command will work on Gaia or not.
Even if it does, it probably won't persist across reboots or even certain configuration changes in clish/WebUI.
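
Added example, not part of the thread: why an oversized packet with DF set is dropped instead of fragmented, using the IPv4 forwarding rule from RFC 791 and RFC 1191. The addresses, MTU values and function names are constructed for illustration, and the code models a generic IPv4 forwarder, not Gaia's implementation.

```python
import struct

DF = 0x4000  # Don't Fragment bit in the 16-bit flags/fragment-offset field
MF = 0x2000  # More Fragments bit


def build_header(total_len, df, ident=0x1234):
    """Constructed 20-byte IPv4/UDP header (checksum left at 0) for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                       DF if df else 0, 64, 17, 0,
                       bytes([192, 168, 1, 10]), bytes([10, 0, 0, 1]))


def forward_decision(header, egress_mtu):
    """Return (action, fragments) for an unfragmented packet leaving a link.

    fragments is a list of (offset_in_8_byte_units, total_length, more_flag).
    """
    ver_ihl, _tos, total_len, _ident, flags_off = struct.unpack("!BBHHH", header[:8])
    ihl = (ver_ihl & 0x0F) * 4
    if total_len <= egress_mtu:
        return "forward", []
    if flags_off & DF:
        # RFC 1191: drop and answer with ICMP type 3 code 4 carrying the next-hop MTU.
        # If that ICMP is filtered on the way back, the sender never learns the MTU.
        return "drop_icmp_frag_needed", []
    # DF clear: split the payload; every fragment except the last carries a multiple of 8 bytes.
    payload = total_len - ihl
    chunk = (egress_mtu - ihl) // 8 * 8
    frags, offset = [], 0
    while offset < payload:
        size = min(chunk, payload - offset)
        frags.append((offset // 8, ihl + size, offset + size < payload))
        offset += size
    return "fragment", frags


if __name__ == "__main__":
    for df in (True, False):
        print("DF set" if df else "DF clear",
              forward_decision(build_header(1500, df), egress_mtu=1400))
```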

the_rock
Legend

You got it, that's it.

From my lab:

[Expert@CP-gw:0]# ip route add 192.50.50.0/24 dev eth1 mtu lock 1500
[Expert@CP-gw:0]#

Best,

Andy

0 Kudos
knassif
Participant

Is there anything that can be done to fix a fragment drop? As you can see in the screenshot below/attached.

0 Kudos
knassif
Participant

Also, can you explain to me what that output means and if there is a way to fix it on the firewall?

0 Kudos
the_rock
Legend

To fix a drop? Not sure, maybe worth a TAC case.

Andy

0 Kudos
knassif
Participant

We use VSX, so not sure how we can add the lock for a route. As far as I know, we shouldn't add routes from the CLI for VSX, and I don't see that as an option in SmartConsole.

0 Kudos
PhoneBoy
Admin

If it's not an option from SmartConsole (where you have to define routes for a VS with VSX), then it's probably not supported.
A few TAC cases I reviewed suggest this isn't supported as well, but best to check with them to confirm: https://help.checkpoint.com 

0 Kudos
