This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jonas_Meineke
Explorer
‎2021-11-01 04:16 AM

nac_max_enforced_identities parameter in fwkern.conf

Hi,

we've been having this parameter occuring for quite some time now, at first for 80.40 machines with Take ~ >100 and now also for 80.30 (atleast on Jumbo 236).

There is only one community post about it:
https://community.checkpoint.com/t5/Security-Gateways/fwkern-conf-modified-at-boot/td-p/115506

and also only one SK where it is mentioned at all (But it's referring to typos and syntax):
https://supportcenter.checkpoint.com/supportcenter/portal?solutionid=sk173544

The default value seems to be 30k, which it is set to 90k automatically after rebooting the gateway.

The HCP on Jumbo 236 is not able to handle the parameter properly (ERROR: Parameter not supported or typo issue),
but as it is the only value in our fwkern.conf that shouldn't be too much of an issue:

#cat $FWDIR/boot/modules/fwkern.conf
nac_max_enforced_identities=90000

Should be some IA related value, but I don't think that this value will ever be relevant to our relatively small company.

Has any of you looked further into this and maybe knows what it does and why it is changed?
Maybe anyone did in fact open a TAC case for this and already got an explaining answer 😉


Best Regards,
Jonas

0 Kudos
3 Replies
_Val_
Admin
Admin
‎2021-11-01 05:02 AM

The parameter is related to global kernel tables infrastructure and not Identity Awareness. It is indeed set automatically during boot sequence, and the correct value is 90000. If you have any issue with that, please open a TAC case, otherwise, please live as is.

0 Kudos
Jonas_Meineke
Explorer
‎2021-11-01 05:39 AM
In response to _Val_

Hi Val,

that's good to know atleast; We didn't plan to remove it (as I think it will be reset again anyway), since we didn't face any issues.

We just wanted to know where it comes from and what it in fact does, or rather, why it should be relevant to us.
As there is no explanation about this parameter anywhere on the usual Check Point sites.

Kinda strange to me, that it is written to the fwkern.conf during reboot, instead of changing the default value directly.

0 Kudos
_Val_
Admin
Admin
‎2021-11-01 09:29 AM
In response to Jonas_Meineke

I just gave you one, didn’t I? It is a parameter related to new global kernel tables architecture. This is all you need to know. 🙂

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events