fwdebug

int

Holds HEX codes of 'error' flag and of 'warning' flag.

The debug flags of the 'fw' debug module, which eventually determine, which debug messages will be printed. For instructions on how to modify the parameter before reboot. Refer to sk31114.

fw_debug_kdbufsz

int

0

The debug buffer size.

fwkdbmaxlen

int

32 MB

The debug buffer size limit.

fw_kdprintf_limit

int

In 30

Controls the suppression mechanism of debug messages. If it is not "0", it indicates how many debug messages can be printed in 'fw_kdprintf_limit_time' seconds. Refer to sk74580.

fw_kdprintf_limit_time

int

60

Part of the suppression mechanism of debug messages. Refer to sk74580.

fwmonitormaxlen

int

100K

Half of the maximum size of the data buffer of the 'fw monitor' command.

fwhmem

int

20 MB

Size of memory allocated for hash tables (hmem) in bytes. Used for small allocations.

fwhmemmax

u_int

80 MB

The Maximum size in bytes that hash tables (hmem) can be extended to.

fw_allow_udp_port0

int

0

UDP port 0 dropped by default. Refer to sk27109.

fw_allow_tcp_port0

int

0

TCP port 0 dropped by default. Refer to sk27109.

fw_log_udp_port0

int

1

Do we log UDP port 0 drops?

fw_log_tcp_port0

int

1

Do we log TCP port 0 drops?

fwconn_smart_conn_reuse

int

1

Do we use a smart connection reuse algorithm, i.e., whenever a SYN packet is encountered on an established connection we change it to ACK and decide according to server's response. If server responds with an RST, connection is reused. Otherwise (server responds with an ACK), connection is not reused. Refer to sk24960 and sk39455.

fw_log_syn_on_estab

int

0

When SYN is encountered on an established connection and 'fwconn_smart_conn_reuse' is on, server may respond with an ACK packet, which means that the client's SYN was out of state. However, the client's SYN was not necessarily a malicious action. It may have been, for instance, a client application recovering from reboot. The following variable determines whether to log the previous SYN or not. (default=0)

fw_trust_rst_on_port

int

"Untrusted" (-2)

Should we trust Resets if Sequence Verifier is off? Refer to sk15984 and to sk40804.

fw_accept_syn_rst

int

FW_DONT_ACCEPT_SYN_RST (-2)

This variable specifies a certain service on which SYN-RST packet is allowed. Where it is allowed, previous connection is deleted (if it existed), and a new connection is always recorded, with state BOTH_FIN and without sequence verification. Refer to sk24960.

fw_trust_ack_resp_to_syn

int

0

Determine whether to trust server's ACK that follows client's SYN. The packet will pass or drop according to the value of 'fw_allow_out_of_state_syn_resp'.

listparams

int

0

When set, all the kernel global parameters are printed to the console. Refer to sk33156.

fw_allow_simultaneous_ping

int

0

Allow simultaneous ping to cluster Virtual IP address and to physical IP address of a cluster member by storing the ICMP Sequence number as one of the connection entry parameters, in order to differentiate between the two IP addresses. Otherwise, the connections look the same in certain directions. On a Single Gateway (not a cluster member) with working SecureXL, if this parameter is enabled, then currently existing ICMP connections might be adversely affected. ICMP connections that were established after enabling this parameter, will be handled correctly. On ClusterXL members, there is no such impact - regardless of SecureXL status. Refer to sk26874.

tcp_local_start_timeout

int

0

Override TCP start session timeout that is defined in the GUI.

tcp_local_end_timeout

int

0

Override TCP end session timeout that is defined in the GUI.

fwx_max_conns

int

25000

Maximum entries in several NAT tables, including 'fwx_alloc', which is in charge of Hide NAT. Refer to sk32224.

fwx_udp_hide_high

int

0

When not "0", a UDP connection from this (low) port will be hidden behind high port (10000+) instead of low ports (600-1023).

fwx_auth_expiration

int

120

Expiration in 'fwx_auth_table', used for folding to security servers.

fwx_cluster_hide_for_dynamic_routing

int

0

Enables cluster hide for dynamic routing protocols. Changing this variable also changes 'fwconn_override_dynamic_routing_collision'.

fwx_g_use_cluster_fold

int

1

Enables cluster fold.

Parameter exists since R77.10.

If a packet is sent to a Cluster Virtual IP address, and it arrives on an interface, on which this VIP address is not defined, then the cluster will not fold (perform internal NAT) the destination IP address from VIP address to physical IP address of that another interface, on which this packet was received.

Instead, the cluster will fold (perform internal NAT) the destination IP address from VIP address to physical IP address of the interface, on which this destination VIP address was defined.

Example:

Host --- (eth1) [Member] (eth2) ---

1. Host sends a packet to VIP address that is defined on eth2
2. Cluster member receives this packet on VIP that is defined on eth1
3. Cluster member will fold the destination IP address from VIP address of eth2 to physical IP address of eth2 (and not of eth1)

fwx_do_nat_cache

int

1

Should cache be used when trying to match on address translation rules.

Refer to sk21834.

fwx_g_max_rand_alloc_attempts

int

30

Maximum number of attempts to allocate a port before saying there are no available ports.

fw_local_interface_anti_spoofing

int

1

Local interface Anti-Spoofing verifies that no packet on the inbound chain has a source IP that matches one of the Gateway's IP addresses. This can be overridden by setting this parameter to "0".

fw_antispoofing_enabled

int

1

Anti-Spoofing is defined in the topology tab of interfaces. This global parameter can globally disable Anti-Spoofing checks in the enforcement module. To disable Anti-Spoofing checks, set this kernel global parameter to "0".

dns_allowed_chars

int

0

The ASCII enforcement as part of the DNS protocol enforcement checks that the domain names do not contain illegal characters. These illegal characters are any character other than letters (a-z, A-Z) digits (0-9) hyphen (-) and underscore (_). This global parameter allows adding up to 4 extra characters that have decimal value less than 128. For example, in order to allow backtick (`), define 'dns_allowed_chars' to the value "96". Refer to sk33601.

enforce_tkey_class_any

int

1

The DNS enforcement verifies that the TKEY/TSIG resource record class is "ANY". If this global parameter is set to "0", this field will be ignored.

When set, produces 'Bad Resource Record format, TKEY RR class is not ANY' and 'Bad Resource Record format, TSIG RR class is not ANY' logs on DNS class other than ANY.

dns_disable_servers_check

int

0

When enabling DNS TCP protocol enforcement, FireWall-1's current implementation limits the size of TCP data in a stream. This limitation is mainly relevant to zone transfers. When the limit is met, a log will be generated with the error message, "DNS data is too long". To overcome this limitation, change this kernel global parameter value from "0" to "1". This will allow traffic between defined DNS servers to pass, without DNS verification.

When set, allows TCP traffic between known servers to run unchecked.

Refer to sk31051.

SmartDefense Parameters

ws_debug_ip

IP Address

_

This parameter can be set, in order to focus on debug messages that are related to a specific IP address (Destination or Source).

To debug a specific IP (Dest and Src):
# fw ctl set ip ws_debug_ip IP_Address

To turn off the filter:
# fw ctl set ip ws_debug_ip 0

enforce_notify_header

int

0

When activated, produces "Illegal Notify message" log.

allow_dnssec_bit

int

1

Allows AD ('authentic data') bit in response packet. Refer to sk30214.

dns_maximum_message_length_overflow

int

2

Maximal additional bytes in query. When exceeded, produces 'Request packet too long, potential buffer overflow' log. Refer to sk37273.