Showing results for 
Search instead for 
Did you mean: 
Create a Post

Locally managed SMBs .def files for VPN fine-tuning

This is a follow-up to SMB units SMS files for VPN fine-tuning after reading Yuri Slobodyanyuk's blog on IT Security and Networking. He speaks of changes to .def files like crypt.def for VPN Fine-Tuning that are usually made on the SMS and installed on a GW by a policy install. SMB units also have these files - crypt.def can be found in /pfrm2.0/config1/fw1/lib/ or /pfrm2.0/config2/fw1/lib/ and in /opt/fw1/lib/crypt.def.

The VPN configuration from sk108600 VPN Site-to-Site with 3rd party and sk86582 Excluding subnets in encryption domain from accessing a specific VPN community can also be found on locally managed SMBs crypt.def and edited there. As locally managed SMB units have no manual policy install command to recompile and apply these changes, Yuri points out that reboot would activate the new settings, but also, a much easier way is available ("not listed in any Checkpoint documentation", but you can find it in sk97949, sk100278 and sk108274), changes can be applied by issuing:
[Expert]# fw_configload

The sk100278 gives two commands to apply changes from an edited $FWDIR/conf/trac_client_1.ttm file:
[Expert]# fw_configload
[Expert]# sfwd_restart

So i have asked R&D for more information and i have received the following as the officially supported procedures: In locally managed SMB appliances it’s possible to edit /opt/fw1/lib/crypt.def, but user.def is not officially supported. Also note that sk30919 does not list SMB as relevant Product. Only crypt.def can be modified, and afterwards ‘vpn_configload’ is good enough for the change to take effect.

Supported for locally managed SMB appliances are changes to crypt.def to enable VPN features not available in WebGUI or CLI. We learn that the files from /pfrm2.0/config1/ or /pfrm2.0/config2/ are linked to /opt/fw1/lib/. And we learn the command vpn_configload !

Tags (2)