Following sk97638, sfwd is not only the "small" FWD, but the SMB Main GW process - i have moved this information to the main article!

I have added this question as a feedback in sk108600 and will update with the reply...

SecureKnowledge solution sk108600 was updated. R&D responded: "The customer/partner is correct, crypt.def can be modified, and afterwards ‘vpn_configload’ is good enough for the change to take effect." sk was modified accordingly.

So the next steps are clear - verify the changes made by SMS policy install and ask the identical question for user.def, vpn_route.conf, vpn_table.def, implied_rules.def a.o. Then i can write a new SMB document about this procedure .

After looking thru the document SMB units SMS files for VPN fine-tuning i have found only a few of these files are important for locally managed SMBs, e.g. vpn_table.def or vpn_route.conf make not much sense.

In sk108600, i have extended my question to user.def and also gave it as feedback to sk30919. Another file also usable on a locally managed SMB unit is table.def, so i asked my question in feedback to sk98339, sk62082 and sk31832.

I have a reply for sk31832: How to prevent ClusterXL / VRRP / IPSO IP Clustering from hiding its own traffic behind Vir....  My feedback was:

------------------

table.def can be found on locally managed SMBs in /pfrm2.0/config2/fw1/lib/table.def and in /pfrm2.0/opt/fw1/lib/table.def. Is it possible to make changes to the table.def and activate them using reboot or fw_configload ?

------------------

The table.def file which should be changed is:

/opt/fw1/lib/table.def

(below are in directories which are softlinks - the only relevant file is /opt/fw1/lib/table.def)

You can make changes to it, which will not survive firmware upgrade (but will survive reboot), and then run:

fw_configload

fw reconf_sfwd

-----------------

So we have learned that changes must be made to /opt/fw1/lib/table.def as this is the same file as /pfrm2.0/config1/fw1/lib/table.def or /pfrm2.0/config2/fw1/lib/table.def (this is easily tested), and that these changes will not survive firmware upgrade (but will survive reboot). Further we get a new command similar to the one from sk100278: fw reconf_sfwd - this has not been documented in any public sk or guide yet.

Concerning feedback to sk30919:

R&D responded: "In locally-managed appliances it’s possible to edit /opt/fw1/lib/crypt.def, but user.def is not officially supported."

Also note that sk30919 does not list SMB as relevant Product.

That is very interesting - would be nice to know if it is not supported, but does work .

Feedback to SecureKnowledge sk98339, titled "Location of 'table.def' files on Security Management Server" and  sk62082 "How to allow TCP/UDP packets with IP options through Check Point Security Gateway".

Your feedback was:

------------------

A table.def can be found on locally managed SMBs in /pfrm2.0/config2/fw1/lib/table.def and in /pfrm2.0/opt/fw1/lib/table.def. Is it possible to make changes to the table.def and activate them using reboot or fw_configload ?

------------------

We understand that this SecureKnowledge solution did not help you to resolve your issue. For further assistance, you can open a service request by logging into Check Point User Center

Yes, i know .

user.def might not be compiled by the local policy compilation process.

I'm sure you're going to test it and confirm one way or the other that it "works but isn't supported."  

Yes, that was my idea, too ! I bet that the SMBs local policy compilation process is much less complicated, compared to CP SW on GAiA - so, when changing a .def file on SMS we will use the "big" policy install process of the SMS for compilation. Also, some .defs like vpn_table.def or vpn_route.conf will not make much sense for StandAlone SMB GWs.

Testing that changing user.def does work - maybe i try Configuring Office Mode IP Assignment Based on Source IP Address from sk30919. But i do not see interesting uses for user.def on SMB - as sk108600 VPN Site-to-Site with 3rd party works with crypt.def.

I did not find the time and target for such tests up to now...

It will load the current policy with all changes - see sk164793: How to disable SecureXL for specific ports on SMB appliances and sk108600: VPN Site-to-Site with 3rd party for example. It is also called during boot process, see sk159772: Check Point R80.20.X for 1500, 1600, and 1800 Appliances Known Limitations and Resolved Is... !

There are certain changes to the access policy or configuration that can only be made by editing .def files on the management.
For these changes to take effect, the access policy must be recompiled and installed.
Centrally managed SMB gateways, the .def files are edited on the management and these changes are pushed as part of an Access Policy installation. 

For locally managed SMB gateways, you make the relevant changes on the appliance itself.
As there is no explicit "install policy" action on locally managed SMB appliances, you have to trigger the policy recompilation with fw_configload or a reboot.