This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
csh
Explorer
‎2021-11-16 09:16 PM

Asymmetric structure network test

Hello,

I conducted a network test of asymmetric structure.

 

1. Check packet drop  icmp  in asymmetric structure network test.

----------------------------------------------------------------

[Expert@test2:0]# fw ctl zdebug + drop

@;103266;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=1 200.0.0.100:0 -> 100.0.0.100:17460 dropped by fw_first_packet_state_checks Reason: ICMP reply does not match a previous request;
@;103467;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=1 200.0.0.100:0 -> 100.0.0.100:17459 dropped by fw_first_packet_state_checks Reason: ICMP reply does not match a previous request;
@;103601;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=1 200.0.0.100:0 -> 100.0.0.100:17458 dropped by fw_first_packet_state_checks Reason: ICMP reply does not match a previous request;

----------------------------------------------------------------

2. fw ctl get int fw_allow_out_of_state_icmp is checked, value 0

[Expert@test2:0]# fw ctl get int fw_allow_out_of_state_icmp
fw_allow_out_of_state_icmp = 0
[Expert@test2:0]# fw ctl get int fw_allow_out_of_state_tcp
fw_allow_out_of_state_tcp = 0

----------------------------------------------------------------

3. fw ctl set -f int fw_allow_out_of_state_icmp 1 / cat $FWDIR/boot/modules/fwkern.conf file

[Expert@test2:0]# cat $FWDIR/boot/modules/fwkern.conf

fw_allow_out_of_state_icmp=1

----------------------------------------------------------------

After setting it up, the ping test was successful.

when rebooting, the value of the fwkern.conf file remains the same.

but when fw ctl get int fw_allow_out_state_icmp is entered, fw_allow_out_of_state_icmp = 0.

Ping test failed when rebooting.

 

Gateway OS version R81..

I know the setting value of $FWDIR/boot/modules/fwkern.conf should be applied first booted when booting the equipment.

But wouldn't it be applied if I reboot it?

Please help me..

0 Kudos
1 Reply
PhoneBoy
Admin
Admin
‎2021-11-18 11:30 PM

It should apply fwkern.conf on reboot.
If not, I recommend a TAC case.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events