Locally managed SMBs .def files for VPN fine-tuning

This is a follow-up to SMB units SMS files for VPN fine-tuning after reading Yuri Slobodyanyuk's blog on IT Security and Networking. He speaks of changes to .def files like crypt.def for VPN fine-tuning that are usually made on the SMS and installed on a GW by a policy install. SMB units also have these files: crypt.def can be found in /pfrm2.0/config1/fw1/lib/ or /pfrm2.0/config2/fw1/lib/ and in /opt/fw1/lib/crypt.def.

The VPN configuration from sk108600 VPN Site-to-Site with 3rd party and sk86582 Excluding subnets in encryption domain from accessing a specific VPN community can also be found in a locally managed SMB's crypt.def and edited there. As locally managed SMB units have no manual policy install command to recompile and apply these changes, Yuri points out that a reboot would activate the new settings. However, a much easier way is available ("not listed in any Checkpoint documentation", but you can find it in sk97949, sk100278 and sk108274): changes can be applied by issuing:
[Expert]# fw_configload

The sk100278 gives two commands to apply changes from an edited $FWDIR/conf/trac_client_1.ttm file:
[Expert]# fw_configload
[Expert]# sfwd_restart

So I have asked R&D for more information and I have received the following as the officially supported procedure: In locally managed SMB appliances it’s possible to edit /opt/fw1/lib/crypt.def, but user.def is not officially supported. Also note that sk30919 does not list SMB as a relevant product. Only crypt.def can be modified, and afterwards ‘vpn_configload’ is good enough for the change to take effect.

Supported for locally managed SMB appliances are changes to crypt.def to enable VPN features not available in WebGUI or CLI. We learn that the files from /pfrm2.0/config1/ or /pfrm2.0/config2/ are linked to /opt/fw1/lib/. And we learn the command vpn_configload!
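As an added example (not from this thread or from Check Point), a small POSIX sh helper for the crypt.def workflow described above: it resolves which /pfrm2.0 config slot /opt/fw1/lib/crypt.def actually links to, takes a timestamped backup before an edit, shows the diff against that backup, and then applies the change with vpn_configload. The link layout is taken from the post; FW_ROOT and APPLY_CMD are assumed names added so the functions can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not Check Point code. FW_ROOT (assumed name) prefixes all
# paths so the same logic can run against a constructed tree; on a real
# appliance leave it empty.
FW_ROOT="${FW_ROOT:-}"

# Print the config slot (config1/config2) that crypt.def resolves to.
# Assumes the /pfrm2.0/configN -> /opt/fw1/lib linking described in the post.
active_slot() {
    target=$(readlink -f "$FW_ROOT/opt/fw1/lib/crypt.def") || return 1
    case "$target" in
        */pfrm2.0/config1/*) echo config1 ;;
        */pfrm2.0/config2/*) echo config2 ;;
        *) echo unknown; return 1 ;;
    esac
}

# Copy crypt.def to a timestamped .bak next to it and print the backup path,
# so a bad edit can be rolled back before vpn_configload is run.
backup_crypt_def() {
    src="$FW_ROOT/opt/fw1/lib/crypt.def"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    dst="$src.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$src" "$dst" && echo "$dst"
}

# Show what changed versus the newest backup, then apply with vpn_configload
# (the command from the thread). APPLY_CMD (assumed name) overrides it for
# testing; the function returns the apply command's exit status.
apply_crypt_def() {
    src="$FW_ROOT/opt/fw1/lib/crypt.def"
    last=$(ls -1t "$src".*.bak 2>/dev/null | head -n 1)
    if [ -n "$last" ]; then diff -u "$last" "$src" || :; fi
    ${APPLY_CMD:-vpn_configload}
}
```

Typical use on the appliance: backup_crypt_def, edit /opt/fw1/lib/crypt.def, then apply_crypt_def.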


Re: Locally managed SMBs .def files for VPN fine-tuning

Gunther, do you know how to make the procedure from "sk114882 - Remote Access clients configuration based on group membership" work on SMB gateways?


Re: Locally managed SMBs .def files for VPN fine-tuning

Actually there seems to be a shell script on SMB that appears to do the vpn_configload thingy the right way:

/opt/fw1/bin/vpn_configload.sh

Re: Locally managed SMBs .def files for VPN fine-tuning

That is just the command I have mentioned far above 😎


Re: Locally managed SMBs .def files for VPN fine-tuning

vpn_configload is a binary and vpn_configload.sh is a shell script... so actually there are two commands.


Re: Locally managed SMBs .def files for VPN fine-tuning

You could try with a User group defined in Users & Objects > Users Management > Users

and

/pfrm2.0/opt/fw1/conf/trac_client_1.ttm

/pfrm2.0/config2/fw1/conf/trac_client_1.ttm
