This website uses cookies. By browsing this website, you consent to the use of cookies. Learn more.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Highlighted
Brad_Armstrong1
Ivory
‎2017-11-08 07:30 AM

Forbidden IP Option

We are dropping icmp traffic, in tracker says "ip option: 131, message_info: Forbidden IP Option".  How to I allow this traffic.  This is R74.47 GAIA.   Thanks.

0 Kudos
7 Replies
Highlighted
PhoneBoy
Admin
Admin
‎2017-11-08 10:59 AM

I assume you mean R75.47

Solution is described in the following SK: “Forbidden IP option” drop log in SmartView Tracker for ICMP packets with IP Options

0 Kudos
Highlighted
Brad_Armstrong1
Ivory
‎2017-11-08 11:20 AM

Yes, typo, meant R75.47 GAIA.  I saw that SK article but don't quite understand, could you explain?  Thanks.

0 Kudos
Highlighted
PhoneBoy
Admin
Admin
‎2017-11-08 01:19 PM

The TL;DR: We block packets with IP Options by default.

To allow ICMP packets with IP Options to pass, you need to change the kernel variable described in the SK.

This will allow the packets to pass.

0 Kudos
Highlighted
Brad_Armstrong1
Ivory
‎2017-11-08 01:55 PM

Sorry my England is not great.  I follow sk but doesn't seem to be working.  Can you give me the commands you would use to do this? Thanks.

0 Kudos
Highlighted
PhoneBoy
Admin
Admin
‎2017-11-09 02:19 PM

The exact commands are documented in the SK.

If you're having issues, I recommend engaging with our TAC: Contact Support | Check Point Software 

0 Kudos
Highlighted
Hugo_vd_Kooij
Gold
‎2017-11-10 01:29 AM

I am not sure if TAC will take a ticket on R75.47 anymore.

It is unsupported for while now.

0 Kudos
Highlighted
PhoneBoy
Admin
Admin
‎2017-11-10 08:08 AM

"Best effort" support for sure but the process described in the SK is fairly generic.

0 Kudos