This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Florian_B
Participant
‎2021-04-07 07:07 AM

fwkern.conf modified at boot.

Hi, first time posting here. Apologies in advance for my limited english : )

 

So, we've been working with Checkpoint for years now, but since the 80.40 Jumbo 100 update applied a few days ago, the strangest bug happens.

 

At boot, the fwkern.conf file is being backup in a new file, copy_fwkern.conf, and a line added at the end of the custom fwkern.conf. But the addition is messed up, and If I reboot with this fwkern.conf, the gateway is stuck at loading.

So, I believe is was a problem due tu multiples updates on top of another. I re-done a gateway (we are in high availability cluster) from scratch, starting with the r80.40 iso, and then patching up to latest jumbo 100. No restore, no snapshot used. Same behaviour.

This is my fwkern.conf :

cphwd_nat_templates_support=1
cphwd_nat_templates_enabled=1
enhanced_ssl_inspection=0
bypass_on_enhanced_ssl_inspection=1
fwha_resend_arp_unicast=1
fwha_forw_packet_to_not_active=1
fwha_arp_forward_standby=1

 

after a reboot :

cphwd_nat_templates_support=1
cphwd_nat_templates_enabled=1
enhanced_ssl_inspection=0
bypass_on_enhanced_ssl_inspection=1
fwha_resend_arp_unicast=1
fwha_forw_packet_to_not_active=1
fwha_arp_forward_standby=1


nac_max_enforced_identities=90000

 

Doesn't matter if I put the file in read only, since it's regenerated at boot... Before opening a ticket, have you some stuff to look at ?

 

Thx 🙂

Florian -

 

 

 

 

 

0 Kudos
7 Replies
genisis__
Leader Leader
Leader
‎2021-04-07 01:06 PM

I would open a TAC case regardless

0 Kudos
Florian_B
Participant
‎2021-04-07 10:47 PM
In response to genisis__

Yes, I did too, I'm waiting for the support now. It's really strange. If I delete fwkern.conf, It comes back after a reboot, with the same nac_max_enforced_identities=90000 line only... So something is generating or adding this line to the file, but I really don't know what... Especially since it's doing the same thing on a "brand new" gateway too...

0 Kudos
genisis__
Leader Leader
Leader
‎2021-04-08 01:05 AM
In response to Florian_B

I don't have the entry in our systems but we are running JHFA91 at the moment.

0 Kudos
Florian_B
Participant
‎2021-04-08 01:08 AM
In response to genisis__

We didn't have the problem with the Take 93. It's really since the Take 100... I'll let you know what the support says.

0 Kudos
genisis__
Leader Leader
Leader
‎2021-04-08 01:09 AM
In response to Florian_B

Great,  have you also seen reduced CPU utilisation since applying JHFA100?  

Also are you running Identity Awareness blade?  Wondering if it has something to do with that parameter.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-04-11 10:11 PM
In response to genisis__

The parameter name suggests it's related to Identity Awareness.

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2021-04-11 11:23 PM

I would open a TAC case.

As an emergency solution. You can also set the file with an "s" or "t" bit, then it can no longer be overwritten by the system:

chmod u+s fwkern.conf

The chmod command is also capable of changing the additional permissions or special modes of a file or directory. The symbolic modes use 's' to represent the setuid and setgid modes, and 't' to represent the sticky mode. The modes are only applied to the appropriate classes, regardless of whether or not other classes are specified.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events