cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

Forbidden IP Option

We are dropping icmp traffic, in tracker says "ip option: 131, message_info: Forbidden IP Option".  How to I allow this traffic.  This is R74.47 GAIA.   Thanks.

0 Kudos
7 Replies
Admin
Admin

Re: Forbidden IP Option

I assume you mean R75.47

Solution is described in the following SK: “Forbidden IP option” drop log in SmartView Tracker for ICMP packets with IP Options

0 Kudos

Re: Forbidden IP Option

Yes, typo, meant R75.47 GAIA.  I saw that SK article but don't quite understand, could you explain?  Thanks.

0 Kudos
Admin
Admin

Re: Forbidden IP Option

The TL;DR: We block packets with IP Options by default.

To allow ICMP packets with IP Options to pass, you need to change the kernel variable described in the SK.

This will allow the packets to pass.

0 Kudos

Re: Forbidden IP Option

Sorry my England is not great.  I follow sk but doesn't seem to be working.  Can you give me the commands you would use to do this? Thanks.

0 Kudos
Admin
Admin

Re: Forbidden IP Option

The exact commands are documented in the SK.

If you're having issues, I recommend engaging with our TAC: Contact Support | Check Point Software 

0 Kudos

Re: Forbidden IP Option

I am not sure if TAC will take a ticket on R75.47 anymore.

It is unsupported for while now.

0 Kudos
Admin
Admin

Re: Forbidden IP Option

"Best effort" support for sure but the process described in the SK is fairly generic.

0 Kudos