Parameter | Parameter Type | Default Value | Description |
fwdebug | int | Error flag and warning flag. If SecureRemote is defined, only the error flag. | The debug flags of the fw debug module, which eventually determine which debug messages will be printed. For instructions on how to modify the parameter before reboot, see sk26202. |
fw_debug_kdbufsz | int | 0 | The debug buffer size. |
fwkdbmaxlen | int | 32 MB | The debug buffer size limit. |
fw_kdprintf_limit | int | 30 | Controls the suppression mechanism of debug messages. If it is not "0", it indicates how many debug messages can be printed in fw_kdprintf_limit_time seconds. |
fw_kdprintf_limit_time | int | 60 | Part of the suppression mechanism of debug messages. |
fwmonitormaxlen | int | 100K | Half of the maximum size of the data buffer of the 'fw monitor' command. |
fwhmem | int | 20 MB | Size of memory allocated for hash tables (hmem) in bytes. |
fwhmemmax | u_int | 80 MB | The Maximum size in bytes that hash tables (hmem) can be extended to. |
fw_allow_udp_port0 | Int (bool) | 1 | UDP port 0 is dropped by default. |
fw_allow_tcp_port0 | Int (bool) | 1 | TCP port 0 is dropped by default. |
fw_log_udp_port0 | Int (bool) | 1 | Whether UDP port 0 drops are logged. |
fw_log_tcp_port0 | Int (bool) | 1 | Whether TCP port 0 drops are logged. |
fwconn_smart_conn_reuse | Int (bool) | 1 | Whether the smart connection reuse algorithm is used: whenever a SYN packet is encountered on an established connection, it is changed to an ACK and the decision is made according to the server's response. If the server responds with an RST, the connection is reused. Otherwise (the server responds with an ACK), the connection is not reused. |
fw_log_syn_on_estab | Int (bool) | 0 | When a SYN is encountered on an established connection and fwconn_smart_conn_reuse is on, the server may respond with an ACK packet, which means that the client's SYN was out of state. However, the client's SYN was not necessarily a malicious action; it may have been, for instance, a client application recovering from a reboot. This variable determines whether to log that SYN or not. (default=0) |
fw_trust_rst_on_port | int | "Untrusted" (-2) | Whether RST packets are trusted when the sequence verifier is off. |
fw_accept_syn_rst | int | FW_DONT_ACCEPT_SYN_RST (-2) | Specifies a service on which SYN-RST packets are allowed. Where they are allowed, the previous connection is deleted (if it existed) and a new connection is always recorded, with state BOTH_FIN and without sequence verification. |
fw_trust_ack_resp_to_syn | Int (bool) | 0 | Determines whether to trust the server's ACK that follows the client's SYN. The packet will pass or be dropped according to the value of fw_allow_out_of_state_syn_resp. |
Listparams | int | | When set, all the kernel global parameters are printed to the console. |
fw_allow_simultaneous_ping | Int (bool) | 0 | Allows simultaneous pings to the virtual IP and the real IP of a cluster machine by storing the ICMP sequence number as one of the connection entry parameters, in order to differentiate between the two IPs. Otherwise, the connections look the same in certain directions. Currently, the feature does not work with SXL (SecureXL). |
tcp_local_start_timeout | int | 0 | Override TCP start session timeout that is defined in the GUI. |
tcp_local_end_timeout | int | 0 | Override TCP end session timeout that is defined in the GUI. |
fwx_max_conns | int | 25000 | Maximum entries in several NAT tables, including fwx_alloc, which is in charge of hide NAT. |
fwx_udp_hide_high | int | 0 | When not "0", a UDP connection from this (low) port will be hidden behind a high port (10000+) instead of a low port (600-1023). |
fwx_auth_expiration | int | 120 | Expiration in fwx_auth_table, used for folding to the security servers. |
fwx_cluster_hide_for_dynamic_routing | int | 0 | Enables cluster hide for dynamic routing protocols. Changing this variable also changes fwconn_override_dynamic_routing_collision. |
fwx_g_user_cluster_fold | int | 1 | Enables cluster fold. |
fwx_do_nat_cache | int | 1 | Whether the cache is used when trying to match address translation rules. |
fwx_g_max_rand_alloc_attempts | int | 30 | Maximum number of attempts to allocate a port before reporting that there are no available ports. |
fw_local_interface_anti_spoofing | int | 1 | Local interface anti-spoofing verifies that no packet on the inbound chain has a source IP that matches one of the Gateway's IP addresses. This can be overridden by setting this parameter to "0". |
fw_antispoofing_enabled | int | 1 | Anti-Spoofing is defined in the topology tab of interfaces. This global parameter can globally disable Anti-Spoofing checks in the enforcement module. To disable anti-spoofing checks, set this kernel global parameter to "0". |
dns_allowed_chars | int | 0 | The ASCII enforcement, as part of the DNS protocol enforcement, checks that domain names do not contain illegal characters. Illegal characters are any character other than letters (a-z, A-Z), digits (0-9), hyphen (-) and underscore (_). This global parameter allows adding up to 4 extra characters that have a decimal value less than 128. For example, in order to allow backtick (`), set dns_allowed_chars to the value "96". |
enforce_tkey_class_any | int | 1 | The DNS enforcement verifies that the TKEY/TSIG resource record class is "ANY". If this global parameter is set to "0", this field will be ignored. |
dns_disable_servers_check | int | 0 | When DNS TCP protocol enforcement is enabled, VPN-1/FireWall-1's current implementation limits the size of TCP data in a stream. This limitation is mainly relevant to zone transfers. When the limit is met, a log is generated with the error message "DNS data is too long". To overcome this limitation, change this kernel global parameter value from "0" to "1". This allows traffic between defined DNS servers to pass without DNS verification. |
SmartDefense Parameters | | | |
ws_debug_ip | ip | _ | This parameter can be set in order to focus on debug messages that are related to a specific IP (destination or source). |
enforce_notify_header | int | 0 | When activated, produces the "Illegal Notify message" log. |
allow_dnssec_bit | int | 1 | Allows AD ('authentic data') bit in response packet. |
dns_allowed_chars | int | 0 | User configured additional allowed characters in domain names. |
dns_maximum_message_length_overflow | int | 2 | Maximal additional bytes in a query. When exceeded, produces the "Request packet too long, potential buffer overflow" log. |
enforce_tkey_class_any | int | 1 | When set, produces the "Bad Resource Record format, TKEY RR class is not ANY" and "Bad Resource Record format, TSIG RR class is not ANY" logs on a DNS class other than ANY. |
dns_disable_servers_check | int | 0 | When set, allows TCP traffic between known servers to run unchecked. |
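The domain-name character enforcement described for dns_allowed_chars, as an added example (not Check Point's code): it models the base character set plus the up-to-four extra characters an administrator may allow, and reports which characters in a name would fail the check. The page does not say how the kernel packs the extras into a single int, so the extras are taken here as a plain list of decimal values (an assumption); the domain names in the comments are constructed samples.

```python
import string

# Base rule from the parameter description: letters, digits, hyphen and
# underscore are legal; '.' is the label separator and is not checked.
BASE_ALLOWED = frozenset(string.ascii_letters + string.digits + "-_")
MAX_EXTRA = 4  # "up to 4 extra characters"


def build_allowed_set(extra_codes):
    """Allowed-character set for a given dns_allowed_chars setting.

    extra_codes: decimal values of the extra characters, e.g. [96] for the
    backtick example on the page. The packing of several values into the
    kernel's single int is not documented here, so a list is assumed.
    Raises ValueError when the page's limits (at most 4, each below 128)
    are exceeded.
    """
    extras = list(extra_codes)
    if len(extras) > MAX_EXTRA:
        raise ValueError("at most %d extra characters are allowed" % MAX_EXTRA)
    for code in extras:
        if not 0 <= code < 128:
            raise ValueError("extra character %r must be below 128" % code)
    return BASE_ALLOWED | {chr(c) for c in extras}


def check_domain_name(name, allowed=BASE_ALLOWED):
    """Return (ok, offenders) for a dotted domain name.

    offenders is the sorted list of characters that the enforcement would
    reject; it tells an administrator whether adding a dns_allowed_chars
    entry or fixing the client is the right response.
    """
    offenders = sorted({ch for ch in name if ch != "." and ch not in allowed})
    return (not offenders, offenders)


if __name__ == "__main__":
    # Constructed sample names: the second carries a backtick.
    for sample in ("www.example-host_1.com", "a`b.example.com"):
        print(sample, check_domain_name(sample))
    # Same backtick name with the page's example setting (value 96).
    print(check_domain_name("a`b.example.com", build_allowed_set([96])))
```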
Sunday, September 26, 2010
Checkpoint Global Parameters
Warning: Check Point strongly recommends consulting Technical Support before editing the kernel global parameters. If a parameter is edited incorrectly, it may lead to serious problems.