CP_SA
Participant

Routing Persistence Question - Embedded GAIA

Good Evening - 

I have approx. 25 x 1450 gateways on embedded GAIA_R77.20.70, configured with an external WAN interface and an internal switch, LAN1_switch. To get the switch to pass packets to the WAN interface, routing was enabled in

# /proc/sys/net/ipv4/ip_forward by setting the value to <1>. Good to go. BUT, I am unable to get it to survive reboots! I also tried enabling it by # sysctl -w net.ipv4.ip_forward=1. Again, reboot killed it.

To make it persistent and survive reboots in full GAIA, or another 'full' distro, I would edit /etc/sysctl.conf, but this file does not seem to exist in the embedded version.

Anyone else come across this snafu and found a fix? Or does anyone know if an equivalent sysctl.conf file exists in embedded GAIA?

Thanks!

TL

3 Replies
PhoneBoy
Admin

If everything is working properly, you should not need to manually set this value to 1.

The only reason it would ever be set to zero is if, for some reason, it is unable to load a security policy.

Either that or there is something peculiar about your configuration.

What does “fw stat” show?

Also let’s move this to the https://community.checkpoint.com/community/infinity-general/smb-smp?sr=search&searchId=5a4d44b9-0222... space where it belongs.

0 Kudos
CP_SA
Participant

These guys are all centrally managed and policy is not being pushed until they are deployed. We thought that this might be the issue as well. And, we actually have not re-loaded one once they are deployed; I simply verify, and they all have been successful, so I did not re-visit it.

It was in my pre-configuring, without policy, that was driving me crazy. I would configure, set the routing, test connectivity from the LAN to the WAN and then power it down, pull them out to verify just prior to deployment, and it would not have survived the re-load.

Thank you for confirming the suspicion. I will re-load a deployed one and verify the persistence.

Thanks for moving the thread. I am a CheckMates noob and completely overlooked it!

0 Kudos
PhoneBoy
Admin

It has long been behavior on Check Point gateways to disable IP Forwarding until a real security policy is loaded.

SMB devices are a little different in that they have a different set of default policies, including ones that pass traffic, but the same basic principles apply.

As for moving posts when needed, it's part of what I do :)

0 Kudos
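A small diagnostic, added here as an example and not code from the thread or from Check Point, that ties the two symptoms together: it reads the ip_forward value and the policy name from `fw stat` output and reports whether forwarding is off because no real policy is loaded (the expected state) or because it was set by hand without a policy (the state that does not survive a reboot). It assumes the `fw stat` HOST/POLICY/DATE column layout and that "InitialPolicy" and "defaultfilter" are the boot-time placeholder policies; both are assumptions to verify on your own gateway, and the sample outputs are constructed.

```shell
#!/bin/sh
# Assumed: `fw stat` prints a header line followed by "HOST POLICY DATE ..." rows,
# and the placeholder policies loaded before a real one are named
# InitialPolicy or defaultfilter (assumption; check on your gateway).

# Constructed sample outputs (not captured from a real device).
FWSTAT_NOPOLICY='HOST      POLICY        DATE
localhost InitialPolicy 12Mar2020 09:00:00 :  [>eth0] [<eth0]'
FWSTAT_POLICY='HOST      POLICY   DATE
localhost Standard 12Mar2020 09:00:00 :  [>eth0] [<eth0]'

# classify_forwarding IP_FORWARD_VALUE FWSTAT_OUTPUT
# Prints one of:
#   policy-loaded-forwarding-on     normal operating state
#   policy-loaded-forwarding-off    unexpected; investigate the policy/config
#   no-policy-forwarding-off        expected before a real policy is pushed
#   no-policy-forwarding-on-manual  set by hand; will not persist across reboot
classify_forwarding() {
    ip_forward="$1"   # contents of /proc/sys/net/ipv4/ip_forward (0 or 1)
    fwstat="$2"       # full output of `fw stat`
    # Second column of the first data row is the policy name.
    policy=$(printf '%s\n' "$fwstat" | awk 'NR>1 && NF>=2 {print $2; exit}')
    case "$policy" in
        ""|-|InitialPolicy|defaultfilter) real_policy=0 ;;
        *)                                real_policy=1 ;;
    esac
    if [ "$real_policy" -eq 1 ]; then
        if [ "$ip_forward" = "1" ]; then echo policy-loaded-forwarding-on
        else echo policy-loaded-forwarding-off; fi
    else
        if [ "$ip_forward" = "1" ]; then echo no-policy-forwarding-on-manual
        else echo no-policy-forwarding-off; fi
    fi
}

# Live check; only meaningful on a gateway where `fw` is installed.
live_check() {
    classify_forwarding "$(cat /proc/sys/net/ipv4/ip_forward)" "$(fw stat 2>/dev/null)"
}
```

Run `live_check` on a deployed gateway after a reboot: a real policy name with forwarding on is the state the thread describes as normal.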