CyberBreaker
Contributor

IP Forwarding R80.10

Hi Guys,

I just got my vulnerability report for my firewall, and it turns out that I need to disable the IP forwarding mechanism in my CP.

Based on my understanding of computer networks in general, IP forwarding is the process that handles packet transfers. If we disable it on the Check Point, how will the firewall transfer packets? Is my understanding correct, or is there something deeper than that as far as the Check Point firewall is concerned?

I was told to disable using this command,

# echo 0 > /proc/sys/net/ipv4/ip_forward

Thanks for your replies in advance.

0 Kudos
4 Replies
Timothy_Hall
Legend

Don't do that, unless you want to cause an outage.

On a regular Linux server, turning off IP Forwarding in the IP driver is a perfectly valid recommendation in most cases.  It is not appropriate to manually manipulate this value on a Check Point firewall.  The Check Point code controls the state of IP forwarding, switching it from the default of 0 to 1 when Check Point services have started, and changing it from 1 to 0 when Check Point services are stopped or policy is unloaded. 

If you manually set it to zero, all traffic attempting to transit the firewall will stop working and be dropped by the IP driver just after inspection point I and just before inspection point o.  Traffic to and from the firewall itself (i.e. SSH connections to clish/expert mode), HTTPS connections to the Gaia web interface, and firewall management operations will still work, but little else will.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
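The reply above says the Check Point code itself owns the ip_forward flag: 0 by default, 1 once services are up with a policy loaded, back to 0 when services stop or policy is unloaded. The following is an added, read-only audit helper (not code from the thread or from Check Point) that lets you answer a scanner finding without touching the flag: it reads the value, works out what the product would have set for the box's role and service state, and reports a mismatch. The role/service arguments are supplied by the caller rather than detected, and treating 0 as the expected value on a management server is an assumption based on the later replies in this thread; the file path is overridable so the logic can be exercised against a constructed file.

```shell
#!/bin/sh
# Added example, not from the thread or from Check Point: a read-only audit helper
# for the IPv4 forwarding flag. It never writes to /proc/sys/net/ipv4/ip_forward.

# read_ip_forward [PATH]: print the flag value (0 or 1); return 1 if unreadable or garbage.
read_ip_forward() {
  path="${1:-/proc/sys/net/ipv4/ip_forward}"
  [ -r "$path" ] || { echo "cannot read $path" >&2; return 1; }
  value=$(tr -d '[:space:]' < "$path")
  case "$value" in
    0|1) printf '%s\n' "$value" ;;
    *) echo "unexpected content in $path: '$value'" >&2; return 1 ;;
  esac
}

# expected_ip_forward ROLE SERVICES: print the value the Check Point code sets itself.
# ROLE is gateway|management; SERVICES is running|stopped (services up with policy loaded
# versus stopped/policy unloaded). Expecting 0 on a management server is an assumption
# taken from the later replies in the thread, not a documented product behaviour.
expected_ip_forward() {
  role="$1"; services="$2"
  case "$role:$services" in
    gateway:running)                        echo 1 ;;
    gateway:stopped)                        echo 0 ;;
    management:running|management:stopped)  echo 0 ;;
    *) echo "usage: expected_ip_forward gateway|management running|stopped" >&2; return 2 ;;
  esac
}

# audit_ip_forward ROLE SERVICES [PATH]: compare actual against expected and print a
# finding line. Returns 0 when the flag is what the product sets, 1 when it is not.
audit_ip_forward() {
  role="$1"; services="$2"; path="${3:-/proc/sys/net/ipv4/ip_forward}"
  actual=$(read_ip_forward "$path") || return 1
  expected=$(expected_ip_forward "$role" "$services") || return 2
  if [ "$actual" = "$expected" ]; then
    echo "OK: ip_forward=$actual is what $role with services $services should have; do not change it by hand"
    return 0
  fi
  if [ "$role" = gateway ] && [ "$actual" = 0 ]; then
    echo "FINDING: ip_forward=0 on a gateway with services running; transit traffic is being dropped"
  else
    echo "FINDING: ip_forward=$actual but $expected expected for $role with services $services"
  fi
  return 1
}

# Typical use on a gateway with policy loaded (reads the live flag, writes nothing):
# audit_ip_forward gateway running
```

For a gateway the useful output of this check is the OK line: a value of 1 is the product doing its job, and the right response to the scanner is to document that rather than to echo 0 into the flag. A FINDING on a gateway with services running indicates an outage condition, not a hardening gap.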
Giga_Yang
Participant

Hi All,

If this vulnerability was on SmartCenter. Should we config /proc/sys/net/ipv4/ip_forward value to 0?

Thanks a lot.

0 Kudos
Chris_Atkinson
Employee

Which version of management? Hopefully not still R80.10, as it is no longer supported.

In theory it can be disabled for Management machines (SMS), please consult with TAC for the procedure.

CCSM R77/R80/ELITE
0 Kudos
Giga_Yang
Participant

Hi Chris,

R81 with JFH Take44

0 Kudos
