Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Brad_Armstrong1
Explorer

Forbidden IP Option

We are dropping icmp traffic, in tracker says "ip option: 131, message_info: Forbidden IP Option".  How to I allow this traffic.  This is R74.47 GAIA.   Thanks.

0 Kudos
7 Replies
PhoneBoy
Admin
Admin

I assume you mean R75.47

Solution is described in the following SK: “Forbidden IP option” drop log in SmartView Tracker for ICMP packets with IP Options

0 Kudos
Brad_Armstrong1
Explorer

Yes, typo, meant R75.47 GAIA.  I saw that SK article but don't quite understand, could you explain?  Thanks.

0 Kudos
PhoneBoy
Admin
Admin

The TL;DR: We block packets with IP Options by default.

To allow ICMP packets with IP Options to pass, you need to change the kernel variable described in the SK.

This will allow the packets to pass.

0 Kudos
Brad_Armstrong1
Explorer

Sorry my England is not great.  I follow sk but doesn't seem to be working.  Can you give me the commands you would use to do this? Thanks.

0 Kudos
PhoneBoy
Admin
Admin

The exact commands are documented in the SK.

If you're having issues, I recommend engaging with our TAC: Contact Support | Check Point Software 

0 Kudos
Hugo_vd_Kooij
Advisor

I am not sure if TAC will take a ticket on R75.47 anymore.

It is unsupported for while now.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
PhoneBoy
Admin
Admin

"Best effort" support for sure but the process described in the SK is fairly generic.

0 Kudos