How to control a Gaia Embedded Security Gateway's global kernel parameters from the Security Management Server
Solution

Global kernel parameters control a Security Gateway's configuration options (see sk26202).

Gaia Embedded appliances running version R80.20.20 or above support a generic procedure to control global kernel parameters centrally from the Security Management Server.

To do this, define a special table in Inspect code on the Security Management Server.
By default, this table does not exist. If it is defined and the Security Gateway version is lower than R80.20.20, it has no effect: the policy installation succeeds, but the parameters do not change.

If the table is defined and the access policy is installed from that Security Management Server on an R80.20.20 (or higher) Gaia Embedded appliance, the global kernel parameters listed in the table are set to the user-defined values on the Security Gateways on which the policy was installed.

Define this on the Security Management Server, in the lib/table.def file, in the BC package directory of R80.x SMB appliances. For example, in R80.40 Security Management Servers, the location is /opt/CPSFWR80CMP-R80.40/lib/table.def. See sk98339 for more details.

The example below shows how to set three global kernel parameters: vpn_tunnel_test_from_internal, fw_kdprintf_limit and cphwd_hard_conn_limit.

#define GLOBAL_PARAM(__p) deffunc __p () {}

GLOBAL_PARAM(vpn_tunnel_test_from_internal);
GLOBAL_PARAM(fw_kdprintf_limit);
GLOBAL_PARAM(cphwd_hard_conn_limit);

global_kernel_int_params = {
    < &vpn_tunnel_test_from_internal; 1 >,
    < &fw_kdprintf_limit; 101 >,
    < &cphwd_hard_conn_limit; 99999 >
};

Then, when policy installation occurs, the values change accordingly.

Only int parameters are supported (parameters that can be changed on the Security Gateway using fw ctl set int). You can set any global int parameter with a length of fewer than 32 characters.

It is also possible to specify a Security Gateway (or a list of Security Gateways) on which the changes will be defined, in the following way:

all@myGW global_kernel_int_params = { 
...
};

all@myOtherGW global_kernel_int_params = { 
...
};

(Include the GLOBAL_PARAM section only once).
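The following pre-install check is an added example, not Check Point code: it lints the global_kernel_int_params tables in a table.def fragment against the constraints stated above (parameter names of fewer than 32 characters, integer values, GLOBAL_PARAM declarations included only once) and, following the article's example, expects every parameter in a table to have a GLOBAL_PARAM declaration. The function name, the regular expressions and the sample text are assumptions made for illustration, and only the syntax forms shown in this article are recognized.

```python
import re

# Patterns cover only the constructs shown in the article (assumption).
DECL = re.compile(r'^\s*GLOBAL_PARAM\(\s*(\w+)\s*\)\s*;', re.M)
TABLE = re.compile(
    r'^\s*(?:all@(\S+)\s+)?global_kernel_int_params\s*=\s*\{(.*?)\}\s*;',
    re.M | re.S)
ENTRY = re.compile(r'<\s*&(\w+)\s*;\s*([^>]*?)\s*>')


def lint_global_params(text):
    """Return a list of findings for the tables found in a table.def fragment."""
    findings = []
    declared = DECL.findall(text)
    # "Include the GLOBAL_PARAM section only once": flag repeated declarations.
    for name in sorted({n for n in declared if declared.count(n) > 1}):
        findings.append(f"{name}: GLOBAL_PARAM declared more than once")
    for gw, body in TABLE.findall(text):
        scope = gw or "unscoped table"
        for name, value in ENTRY.findall(body):
            if name not in declared:
                findings.append(f"{scope}: {name} has no GLOBAL_PARAM declaration")
            if len(name) >= 32:
                findings.append(
                    f"{scope}: {name} is {len(name)} characters (must be fewer than 32)")
            # Assumption: values are decimal integers, as in the article's example.
            if not re.fullmatch(r'-?\d+', value):
                findings.append(f"{scope}: {name} value {value!r} is not an integer")
    return findings


# Constructed sample with two deliberate mistakes in the second table.
SAMPLE = """
#define GLOBAL_PARAM(__p) deffunc __p () {}

GLOBAL_PARAM(vpn_tunnel_test_from_internal);
GLOBAL_PARAM(fw_kdprintf_limit);

all@myGW global_kernel_int_params = {
    < &vpn_tunnel_test_from_internal; 1 >,
    < &fw_kdprintf_limit; 101 >
};

all@myOtherGW global_kernel_int_params = {
    < &cphwd_hard_conn_limit; 99999 >,
    < &fw_kdprintf_limit; on >
};
"""

if __name__ == "__main__":
    for finding in lint_global_params(SAMPLE):
        print(finding)
```

After policy installation, the applied value can be confirmed on the Security Gateway with fw ctl get int followed by the parameter name.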

Related Solution:

sk26202 - Changing the kernel global parameters for Check Point Security Gateway

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
