fw unloadlocal and routing daemon stopping?

**mjensen** · 2019-01-16

Hello,

I have come across some conflicting information regarding the "fw unloadlocal" command and whether or not it stops the routing daemon on a Check Point appliance. I am not clear if it does or does not stop the routing daemon on a security gateway running R77.30. Can someone with experience with this command please clarify for me?

I am in a situation where I need to try something on a remote / out of state location's security gateway and it may break connectivity. My current back out plane is to have someone onsite provide me with a web ex session with local console port access and then issue the "fw unloadlocal" command. I know this removes the entire firewall policy and traffic is not inspected, but will routing still work to where I can push a new policy from the SMS?

Thank you.

**Bob_Zimmerman** · 2019-01-16

As far as I am aware, 'fw unloadlocal' should not stop routing.

I think the confusion happens because it unloads the whole policy, which includes NAT. Thus, any inbound NATs from public IPs to internal servers, and any outbound NATs from internal workstations to the Internet all stop. This creates the appearance of routing no longer functioning. Very, very few people use public IPs everywhere, so stopping NAT may as well be stopping routing in most environments.

Side-note: I have actually seen more people using public IPs they don't own internally than I have seen people using public IPs they do own internally.

**cciesec2006** · 2019-01-16

Originally Posted by Bob_Zimmerman

As far as I am aware, 'fw unloadlocal' should not stop routing.

I think the confusion happens because it unloads the whole policy, which includes NAT. Thus, any inbound NATs from public IPs to internal servers, and any outbound NATs from internal workstations to the Internet all stop. This creates the appearance of routing no longer functioning. Very, very few people use public IPs everywhere, so stopping NAT may as well be stopping routing in most environments.

Side-note: I have actually seen more people using public IPs they don't own internally than I have seen people using public IPs they do own internally.

I thought that with Linux or GAIA or IPSO for that matter, "fw unloadlocal" WILL stop routing because of this:

before "fw unloadlocal":
# cat /proc/sys/net/ipv4/ip_forward
1

after "fw unloadlocal"
# cat /proc/sys/net/ipv4/ip_forward
0

I am pretty sure when you perform "fw unloadlocal" you will stop routing on GAIA because the /proc/sys/net/ipv4/ip_forward value will be 0 at that point thus stop routing on the checkpoint gateway.

**ShadowPeak.com** · 2019-01-16

Originally Posted by mjensen

Hello,

I have come across some conflicting information regarding the "fw unloadlocal" command and whether or not it stops the routing daemon on a Check Point appliance. I am not clear if it does or does not stop the routing daemon on a security gateway running R77.30. Can someone with experience with this command please clarify for me?

I am in a situation where I need to try something on a remote / out of state location's security gateway and it may break connectivity. My current back out plane is to have someone onsite provide me with a web ex session with local console port access and then issue the "fw unloadlocal" command. I know this removes the entire firewall policy and traffic is not inspected, but will routing still work to where I can push a new policy from the SMS?

Thank you.

Running fw unloadlocal also changes the ip_forward kernel variable from 1 to 0. As such only traffic bound for a specific interface IP of the firewall will work, anything trying to route through the firewall will be dropped by the Gaia IP driver. If you'd like the firewall to continue forwarding traffic even after a fw unloadlocal, simply run this command:

echo 1 > /proc/sys/net/ipv4/ip_forward

Note that NAT will still not work even if forwarding is enabled.

--
CheckMates Break Out Sessions Speaker
CPX 2019 Las Vegas & Vienna - Tuesday@13:30

**Bob_Zimmerman** · 2019-01-17

Turns out this is one of the ways VSX differs. It definitely does not disable IP forwarding when you unload the policy. 'cpstop' disables IP forwarding, which makes sense, as it is intended to have broader effect than 'fw unloadlocal'.