Benoit Verove

Kernel global parameters - the most useful settings

Discussion created by Benoit Verove on Nov 16, 2018
Latest reply on Nov 20, 2018 by Maarten Sjouw

Hi Checkmates,

 

One of the greatest things with Check Point products is that you can deeply adapt and customize configuration to fit your needs.

Once, someone from Check Point told me "Check Point, it is a car with manual gear, you really decide how the gateway behaves". OK, why not, but let's stop this automotive metaphor here.

 

One thing to adapt is kernel global parameters. Every Check Point engineer regularly has to set specific values for specific architectures, specific constraints, ...

 

See SK26202 to know how to set kernel global parameters.

 

I would like to start a discussion to gather recommendations about kernel parameters.

The purpose is not to document here all possible parameters and values, but the most useful, based on your experience.

 

So, I start with 2 useful settings that I often configure in my cluster deployments:

 

  • fwha_forw_packet_to_not_active
    • Default value: 0. The active member doesn't route packets to the standby member. Set it to "1" if you need to join the standby's interfaces through the active member.
  • fw_allow_simultaneous_ping
    • Default value: 0. You can only ping the virtual IP of the cluster, not the real IP of the active member. Set it to "1" and you'll ping both.

 

Based on your inputs, maybe we might then create a configuration script to automate some kernel settings. Open discussion.

 

Regards,

 

Benoit
