CPUG: The Check Point User Group


Thread: fw unloadlocal and routing daemon stopping?

  1. #1
    Join Date
    2018-04-18
    Posts
    46
    Rep Power
    0

    fw unloadlocal and routing daemon stopping?

    Hello,

    I have come across some conflicting information regarding the "fw unloadlocal" command and whether or not it stops the routing daemon on a Check Point appliance. I am not clear if it does or does not stop the routing daemon on a security gateway running R77.30. Can someone with experience with this command please clarify for me?


    I am in a situation where I need to try something on a remote / out-of-state location's security gateway and it may break connectivity. My current back-out plan is to have someone onsite provide me with a WebEx session with local console port access and then issue the "fw unloadlocal" command. I know this removes the entire firewall policy and traffic is not inspected, but will routing still work to where I can push a new policy from the SMS?


    Thank you.

  2. #2
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    289
    Rep Power
    12

    Re: fw unloadlocal and routing daemon stopping?

    As far as I am aware, 'fw unloadlocal' should not stop routing.

    I think the confusion happens because it unloads the whole policy, which includes NAT. Thus, any inbound NATs from public IPs to internal servers, and any outbound NATs from internal workstations to the Internet all stop. This creates the appearance of routing no longer functioning. Very, very few people use public IPs everywhere, so stopping NAT may as well be stopping routing in most environments.

    Side-note: I have actually seen more people using public IPs they don't own internally than I have seen people using public IPs they do own internally.
    Zimmie

  3. #3
    Join Date
    2006-09-26
    Posts
    3,179
    Rep Power
    16

    Re: fw unloadlocal and routing daemon stopping?

    Quote Originally Posted by Bob_Zimmerman
    As far as I am aware, 'fw unloadlocal' should not stop routing.

    I think the confusion happens because it unloads the whole policy, which includes NAT. Thus, any inbound NATs from public IPs to internal servers, and any outbound NATs from internal workstations to the Internet all stop. This creates the appearance of routing no longer functioning. Very, very few people use public IPs everywhere, so stopping NAT may as well be stopping routing in most environments.

    Side-note: I have actually seen more people using public IPs they don't own internally than I have seen people using public IPs they do own internally.
    I thought that with Linux or GAIA or IPSO for that matter, "fw unloadlocal" WILL stop routing because of this:

    before "fw unloadlocal":
    # cat /proc/sys/net/ipv4/ip_forward
    1

    after "fw unloadlocal"
    # cat /proc/sys/net/ipv4/ip_forward
    0

    I am pretty sure when you perform "fw unloadlocal" you will stop routing on GAIA because the /proc/sys/net/ipv4/ip_forward value will be 0 at that point, thus stopping routing on the Check Point gateway.

  4. #4
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,242
    Rep Power
    13

    Re: fw unloadlocal and routing daemon stopping?

    Quote Originally Posted by mjensen
    Hello,

    I have come across some conflicting information regarding the "fw unloadlocal" command and whether or not it stops the routing daemon on a Check Point appliance. I am not clear if it does or does not stop the routing daemon on a security gateway running R77.30. Can someone with experience with this command please clarify for me?


    I am in a situation where I need to try something on a remote / out-of-state location's security gateway and it may break connectivity. My current back-out plan is to have someone onsite provide me with a WebEx session with local console port access and then issue the "fw unloadlocal" command. I know this removes the entire firewall policy and traffic is not inspected, but will routing still work to where I can push a new policy from the SMS?


    Thank you.
    Running fw unloadlocal also changes the ip_forward kernel variable from 1 to 0. As such, only traffic bound for a specific interface IP of the firewall will work; anything trying to route through the firewall will be dropped by the Gaia IP driver. If you'd like the firewall to continue forwarding traffic even after a fw unloadlocal, simply run this command:

    echo 1 > /proc/sys/net/ipv4/ip_forward

    Note that NAT will still not work even if forwarding is enabled.

    --
    CheckMates Break Out Sessions Speaker
    CPX 2019 Las Vegas & Vienna - Tuesday@13:30
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com
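The before/after check from post #3 and the restore command from post #4, wrapped into a small back-out script. This is an added example, not code from the thread or from Check Point; it assumes a Gaia shell where `fw` is on the PATH, and the sysctl path is a parameter so the check/restore functions can be exercised against a constructed file.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight and back-out checks around
# "fw unloadlocal" on Gaia. Per posts #3/#4, unloading the policy also flips
# /proc/sys/net/ipv4/ip_forward from 1 to 0, so transit traffic (including
# the path back to the SMS, if it routes through the gateway) stops.

# Path is overridable so the functions can be run against a constructed file.
IP_FORWARD_PATH="${IP_FORWARD_PATH:-/proc/sys/net/ipv4/ip_forward}"

# Exit status: 0 = forwarding on, 1 = forwarding off, 2 = unreadable/unknown.
forwarding_state() {
    path="${1:-$IP_FORWARD_PATH}"
    [ -r "$path" ] || return 2
    case "$(tr -d '[:space:]' < "$path")" in
        1) return 0 ;;
        0) return 1 ;;
        *) return 2 ;;
    esac
}

# The "echo 1" from post #4, followed by a read-back to confirm it took effect.
restore_forwarding() {
    path="${1:-$IP_FORWARD_PATH}"
    echo 1 > "$path" || return 2
    forwarding_state "$path"
}

# Back-out procedure: record the state, unload the policy, restore forwarding
# if it dropped. NAT still does not work with no policy loaded (post #4).
unload_and_keep_routing() {
    path="${1:-$IP_FORWARD_PATH}"
    forwarding_state "$path"; before=$?
    fw unloadlocal || return 1
    forwarding_state "$path"; after=$?
    if [ "$before" -eq 0 ] && [ "$after" -ne 0 ]; then
        echo "ip_forward dropped to 0 after fw unloadlocal; restoring" >&2
        restore_forwarding "$path"
    fi
}
```

Run `unload_and_keep_routing` from the console session instead of a bare `fw unloadlocal`; on VSX (post #5) the restore branch simply never triggers.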

  5. #5
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    289
    Rep Power
    12

    Re: fw unloadlocal and routing daemon stopping?

    Turns out this is one of the ways VSX differs. It definitely does not disable IP forwarding when you unload the policy. 'cpstop' disables IP forwarding, which makes sense, as it is intended to have broader effect than 'fw unloadlocal'.
    Zimmie
