Unloading policy from a VSX Security Gateway
Symptoms
  • The message "The policy on the VSX Gateway cannot be uninstalled while there are policies installed on Virtual Systems" appears when trying to uninstall the policy from the VSX Gateway with the 'fw unloadlocal' command.
Solution

Important Note

Unloading a policy from a Check Point Security Gateway fully exposes the Security Gateway: no rules are enforced until a policy is installed again (on a VSX Gateway this applies to each Virtual Device whose policy is unloaded). Do this only in a maintenance window, from a management connection that does not depend on the gateway forwarding traffic, and install the policy again from the Management Server as soon as the work is done.

Background

  • On a non-VSX Security Gateway:

    There is only one policy, which can be simply uninstalled by running the 'fw unloadlocal' command in Expert Mode:

    [Expert@HostName]# fw unloadlocal

  • On a VSX Gateway:

    Each Virtual System / Virtual Router has its own policy, and the VSX Gateway itself (VS0) has its own policy. By design, the policy cannot be uninstalled from the VSX Gateway itself until the policies have been uninstalled from every Virtual System / Virtual Router.

Procedure

  1. Check the IDs of all Virtual Systems / Virtual Routers:

    [Expert@HostName:0]# vsx stat -v

  2. Uninstall the policy from each Virtual System / Virtual Router (or only from the ones that need it):

    • On pre-R75.40VS versions:

      [Expert@HostName:0]# fw -vs VSID unloadlocal

    • On R75.40VS / R76 and above:

      [Expert@HostName:0]# vsenv VSID
      [Expert@HostName:VSID]# fw unloadlocal


    Important Note: It is possible to uninstall the policy from all Virtual Systems / Virtual Routers at once:

    [Expert@HostName:0]# fw vsx unloadall
    This will uninstall security policy from all the Virtual Devices.
    Are you sure you wish to proceed? (y|n) [y]
    


  3. Uninstall the policy from the VSX Gateway itself (VS0), if needed:

    • On pre-R75.40VS versions:

      [Expert@HostName:0]# fw unloadlocal
      or
      [Expert@HostName:0]# fw -vs 0 unloadlocal

    • On R75.40VS / R76 and above:

      [Expert@HostName:VSID]# vsenv 0
      [Expert@HostName:0]# fw unloadlocal


  4. Check the status of policies:

    [Expert@HostName:0]# vsx stat -v
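    The whole procedure as one script, added here as an example; it is not part of this article and not a Check Point tool. It parses the Virtual Devices table of 'vsx stat -v', unloads the policy from every Virtual System / Virtual Router, and only then from VS0, which is the order the gateway enforces. The table layout, the one-letter device type codes (S = Virtual System, R = Virtual Router, W = Virtual Switch) and the availability of 'vsenv' inside a script are assumptions, and the sample output is constructed, so with DRY_RUN=1 (the default) the script only prints the plan and can be tried off-box.

```shell
#!/bin/sh
# Added example, not part of the original article: walk the unload procedure in order.
# Assumptions (not from the article): the 'vsx stat -v' table layout below, the
# one-letter device type codes (S = Virtual System, R = Virtual Router, W = Virtual
# Switch), and that 'vsenv' is usable from the shell running this script.
# DRY_RUN=1 (default) prints the plan from a constructed sample instead of touching
# a gateway; DRY_RUN=0 runs it for real.

DRY_RUN="${DRY_RUN:-1}"

# Constructed sample of 'vsx stat -v' output; the ID and Type columns are what we parse.
SAMPLE_STAT='VSX Gateway Status
==================
Name:            VSX_GW
Security Policy: VSX_GW_Policy

Virtual Devices Status
======================

ID   | Type & Name          | Security Policy   | Installed at       | SIC Stat
-----+----------------------+-------------------+--------------------+---------
 1   | S VS_DMZ             | DMZ_Policy        | 12Jan2015 10:00:00 | Trust
 2   | S VS_LAN             | LAN_Policy        | 12Jan2015 10:05:00 | Trust
 3   | W VSW_CORE           | <Not Applicable>  |                    | Trust
 4   | R VR_EDGE            | VR_Policy         | 12Jan2015 10:10:00 | Trust'

# Read 'vsx stat -v' output on stdin and print "VSID TYPE" for each Virtual Device
# row (a row is any line whose first '|'-separated column is a bare number).
vsx_devices() {
    awk -F'|' '
        $1 ~ /^[[:space:]]*[0-9]+[[:space:]]*$/ {
            id = $1; gsub(/[[:space:]]/, "", id)
            n = split($2, f, " ")
            if (n > 0) print id, f[1]
        }'
}

# Turn "VSID TYPE" lines (stdin) into the command list for R75.40VS and above.
# Virtual Switches (W) carry no security policy and are skipped; VS0 comes last,
# because the VSX Gateway policy cannot be unloaded while any VS / VR still has one.
# On pre-R75.40VS, replace each line with: fw -vs VSID unloadlocal
unload_plan() {
    while read -r id type; do
        case "$id" in 0) continue ;; esac
        case "$type" in W) continue ;; esac
        echo "vsenv $id && fw unloadlocal"
    done
    echo "vsenv 0 && fw unloadlocal"
}

main() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$SAMPLE_STAT" | vsx_devices | unload_plan
        return 0
    fi
    plan="$(vsx stat -v | vsx_devices | unload_plan)"
    printf '%s\n' "$plan" | while read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done || exit 1
    vsx stat -v                          # step 4: confirm no policies remain
    cat /proc/sys/net/ipv4/ip_forward    # expect 0 once VS0 has no policy
}

main
```

    Run it as DRY_RUN=0 ./vsx_unload.sh in Expert mode on the VSX Gateway (the file name is arbitrary); the plan is printed before each command is executed, and the script stops at the first failure so VS0 is never attempted while a Virtual System still has a policy.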

IP traffic forwarding when a policy is uninstalled

  • On a non-VSX Security Gateway:

    When the policy is uninstalled, IPv4 traffic forwarding is disabled automatically by pushing a value 0 (zero) to /proc/sys/net/ipv4/ip_forward, so the gateway stops routing traffic between its interfaces while no rules are enforced.

  • On a VSX Gateway (all versions):

    • When a policy is uninstalled from a Virtual System, IPv4 traffic forwarding is not disabled via the /proc/sys/net/ipv4/ip_forward parameter, because that parameter is global to the OS and cannot be changed per Virtual System.

      By design, that Virtual System drops its traffic instead. This simulates the disabling of IP forwarding that occurs on a non-VSX machine when a policy is unloaded, because real IP forwarding at the OS level is not done per Virtual System.

    • When a policy is uninstalled from the VSX Gateway itself (i.e., from VSID 0 on a gateway that runs in VSX mode), IPv4 traffic forwarding is disabled via the /proc/sys/net/ipv4/ip_forward parameter, because VS0 behaves like a non-VSX gateway.

      It is possible to re-enable IPv4 traffic forwarding for VS0 by pushing a value 1 (one) to /proc/sys/net/ipv4/ip_forward:
      [Expert@HostName]# echo 1 > /proc/sys/net/ipv4/ip_forward

      Note that this makes VS0 route traffic with no policy loaded, i.e., with no rules applied (Virtual Systems without a policy still drop their traffic, as described above). The value written this way does not survive a reboot, and installing a policy on VS0 again sets ip_forward back to 1.
