This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
knassif
Participant
‎2024-06-03 11:42 AM
Jump to solution

DF bit

is there any way or command on checkpoint firewall gateway to ignore the DF bit flag and assemble traffic as normal.

thanks

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2024-06-03 01:07 PM
In response to the_rock
Jump to solution

This SK is mostly relevant for VPN.
In Linux, at least according to here, the way you would do this would be something like:

  • ip route add 192.168.1.0/24 dev eth0 mtu lock 1500

You can try this in expert mode and see if it works.
Replace 192.168.1.0/24 with the subnet that requires DF be cleared.
However, I cannot say if this command will work on Gaia or not.
Even if it does, it probably won't persist across reboots or even certain configuration changes in clish/WebUI.

View solution in original post

9 Replies
knassif
Participant
‎2024-06-03 11:57 AM
Jump to solution

and this is for regular traffic not for vpn traffic is there a way to ignore that DF bit flag on the firewall with a command ?

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-06-03 12:26 PM
Jump to solution

Not sure about regular traffic, but this is best I can find.

Andy

https://support.checkpoint.com/results/sk/sk39270

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2024-06-03 01:07 PM
In response to the_rock
Jump to solution

This SK is mostly relevant for VPN.
In Linux, at least according to here, the way you would do this would be something like:

  • ip route add 192.168.1.0/24 dev eth0 mtu lock 1500

You can try this in expert mode and see if it works.
Replace 192.168.1.0/24 with the subnet that requires DF be cleared.
However, I cannot say if this command will work on Gaia or not.
Even if it does, it probably won't persist across reboots or even certain configuration changes in clish/WebUI.

the_rock
MVP Platinum
MVP Platinum
‎2024-06-03 05:27 PM
In response to PhoneBoy
Jump to solution

You got it, thats it

from my lab:

[Expert@CP-gw:0]# ip route add 192.50.50.0/24 dev eth1 mtu lock 1500
[Expert@CP-gw:0]#

Best,

Andy

Best,
Andy
0 Kudos
knassif
Participant
‎2024-06-04 08:37 AM
In response to the_rock
Jump to solution

is there anything can be done to fix a fragment drop? as you can see in screenshot below/attached

Preview file
409 KB
0 Kudos
knassif
Participant
‎2024-06-04 08:55 AM
In response to knassif
Jump to solution

also can you explain to me what that output means and if there is a way to fix it on the firewall

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-06-04 10:25 AM
In response to knassif
Jump to solution

To fix a drop? Not sure, maybe worth TAC case.

 

Andy

Best,
Andy
0 Kudos
knassif
Participant
‎2024-06-04 09:06 AM
In response to PhoneBoy
Jump to solution

we use VSX so not sure how we can add the lock for a route, as far as I know we shouldnt add routes from cli for VSX and I dont see that as an option in Smartconsole

0 Kudos
PhoneBoy
Admin
Admin
‎2024-06-05 04:02 PM
In response to knassif
Jump to solution

If it's not an option from SmartConsole (where you have to define routes for a VS with VSX), then it's probably not supported.
A few TAC cases I reviewed suggest this isn't supported as well, but best to check with them to confirm: https://help.checkpoint.com 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events