This is a follow-up after reading Yuri Slobodyanyuk's blog on IT Security and Networking. He speaks of changes to .def files like crypt.def (e.g. for VPN Fine-Tuning) that are made on the SMS and installed on GW by policy install. Now, SMB units also have that files - crypt.def can be found there in /pfrm2.0/config2/fw1/lib/ and in /pfrm2.0/opt/fw1/lib/crypt.def.
As locally managed SMB units have no policy install, he speaks about reboot that would activate the new settings, but also, a much easier way is available (he says "not listed in any Checkpoint documentation", but you can find it in sk97949, sk100278 and sk108274) by issuing:
Now i just ask myself if this has been tested not only with crypt.def, but also with the further config files (see my comment here). I assume that /pfrm2.0/config2/fw1/lib/crypt.def has to be changed, but is that true ?
And the sk100278 gives two commands:
The second one should be different to a reboot, but what does happen here? Following sk97638, sfwd is not only the "small" FWD, but the SMB Main GW process:
- Policy installation
- VPN negotiation
- Identity Awareness enforcement
- UserCheck enforcement
Start and stop are documented as:
[Expert]# $FWDIR/bin/cpwd_admin stop -name SFWD
[Expert]# $FWDIR/bin/cpwd_admin start -name SFWD -path $FWDIR/bin/fw -command "fw sfwd"
Following sk113090, we can also use:
So the restart command will use the two commands above as we know from other parts of the CP CLI 😉
CCSE CCTE CCSM SMB Specialist