Jonas_Meineke
Explorer

nac_max_enforced_identities parameter in fwkern.conf

Hi,

We've been having this parameter occurring for quite some time now, at first for 80.40 machines with Take ~ >100 and now also for 80.30 (at least on Jumbo 236).

There is only one community post about it:
https://community.checkpoint.com/t5/Security-Gateways/fwkern-conf-modified-at-boot/td-p/115506

and also only one SK where it is mentioned at all (but it's referring to typos and syntax):
https://supportcenter.checkpoint.com/supportcenter/portal?solutionid=sk173544

The default value seems to be 30k, and it is set to 90k automatically after rebooting the gateway.

The HCP on Jumbo 236 is not able to handle the parameter properly (ERROR: Parameter not supported or typo issue),
but as it is the only value in our fwkern.conf that shouldn't be too much of an issue:

#cat $FWDIR/boot/modules/fwkern.conf
nac_max_enforced_identities=90000

Should be some IA related value, but I don't think that this value will ever be relevant to our relatively small company.

Has any of you looked further into this and maybe knows what it does and why it is changed?
Maybe anyone did in fact open a TAC case for this and already got an explaining answer 😉


Best Regards,
Jonas

_Val_
Admin

The parameter is related to global kernel tables infrastructure and not Identity Awareness. It is indeed set automatically during the boot sequence, and the correct value is 90000. If you have any issue with that, please open a TAC case, otherwise, please leave as is.

Jonas_Meineke
Explorer

Hi Val,

that's good to know at least; we didn't plan to remove it (as I think it will be reset again anyway), since we didn't face any issues.

We just wanted to know where it comes from and what it in fact does, or rather, why it should be relevant to us.
As there is no explanation about this parameter anywhere on the usual Check Point sites.

Kinda strange to me, that it is written to the fwkern.conf during reboot, instead of changing the default value directly.

_Val_
Admin

I just gave you one, didn’t I? It is a parameter related to new global kernel tables architecture. This is all you need to know. 🙂
