Check Point Kernel Parameters


Over the years, Check Point has introduced some rather obscure and useful features by exposing “kernel variables” that can be tweaked to change certain behavior. While this is not the most elegant solution, it involves the least amount of work because it requires no GUI changes. Modifying kernel variables is relatively straightforward once you know how: you run the appropriate commands for your platform and reboot.

Let us assume that the kernel variable we want to modify is fw_allow_udp_port0. For the record, this particular variable allows packets to be sent from or to UDP port 0, which FireWall-1 normally drops. To allow these kinds of packets, we need to change the value of this parameter to 1. The value can be specified in decimal or hexadecimal (prefix hexadecimal values with 0x).

In general, you can replace fw_allow_udp_port0 and 0x1 in the examples below with the variable you want to modify and the value you wish to assign it, respectively.

On Solaris machines, add the following line to the bottom of the /etc/system file, and reboot:

set fw:fw_allow_udp_port0=0x1

On a Nokia IPSO system (VPN-1 Appliance or Nokia IPxxx), you need to use the modzap utility. See FAQ: Nokia – Obtaining the MODZAP Utility

You can then use the following command line to modify the fw_allow_udp_port0 parameter and reboot the system:

nokia[admin]# modzap _fw_allow_udp_port0 $FWDIR/boot/modules/fwmod.o 0x1

NOTE! On IPSO, all kernel variables begin with an underscore (_).

On a Linux platform, you simply add the following line to $FWDIR/boot/modules/fwkern.conf and restart FireWall-1 (no reboot required):

fw_allow_udp_port0=1
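
For the Linux case, the following helper is an added example (not from the original page or from Check Point) that sets a variable in a fwkern.conf-style file without leaving duplicate or malformed lines, and keeps a backup for rollback. The function name set_fwkern_param and the .bak backup file are assumptions of this example.

```shell
#!/bin/sh
# Added example: idempotently set NAME=VALUE in a fwkern.conf-style file.
# Usage: set_fwkern_param FILE NAME VALUE
set_fwkern_param() {
    conf=$1 name=$2 value=$3

    # Kernel variable names are plain identifiers; reject anything else so a
    # typo or stray whitespace never lands in the boot-time configuration.
    case $name in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
            echo "bad variable name: $name" >&2; return 2 ;;
    esac
    # The value must be decimal or 0x-prefixed hexadecimal.
    case $value in
        0x*|0X*)
            hex=${value#0[xX]}
            case $hex in
                ''|*[!0-9A-Fa-f]*) echo "bad hex value: $value" >&2; return 2 ;;
            esac ;;
        ''|*[!0-9]*)
            echo "bad value: $value" >&2; return 2 ;;
    esac

    [ -f "$conf" ] || : > "$conf" || return 1
    cp -p "$conf" "$conf.bak" || return 1      # previous state, for rollback

    tmp=$(mktemp "$conf.XXXXXX") || return 1
    # Drop every existing assignment of this variable, then append the new one,
    # so the file never carries two conflicting lines for the same name.
    # grep exits 1 when it outputs nothing, which is not an error here.
    grep -v "^[[:space:]]*${name}[[:space:]]*=" "$conf" > "$tmp" \
        || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    printf '%s=%s\n' "$name" "$value" >> "$tmp"
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Run directly as: script.sh "$FWDIR/boot/modules/fwkern.conf" fw_allow_udp_port0 1
if [ "$#" -eq 3 ]; then
    set_fwkern_param "$@"
fi
```

The change still takes effect only after FireWall-1 is restarted, as described above.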

For Windows, there is no way to modify kernel variables without getting a special utility called _fwpatch_ from Check Point support. In some cases, it is possible to tweak registry settings.