One thing there is no shortage of in FireWall-1 is error messages. The following subsections highlight several common errors and what you can do to prevent them.
Several of these FAQs reference HFA-xxx versions. These are Hotfix Accumulators, which Check Point Support began producing with FireWall-1 NG FP3. They are simply "jumbo hotfixes" that bundle fixes for a number of issues. Users with a direct support agreement can obtain them from Check Point Support, and companies that provide support for Check Point products can also supply them. The same applies to almost every other hotfix mentioned.
Local interface anti-spoofing is a different sort of anti-spoofing than the one configured in the gateway object for the firewall. FireWall-1 drops any packet it receives with a source IP address of one of the firewall's local interfaces that the firewall did not originate. You might see this if you plug two or more physical interfaces on different logical interfaces into the same hub.
You can disable local interface anti-spoofing by changing the FireWall-1 kernel variable fw_local_interface_anti_spoofing to 0. For more details on how to change FireWall-1 kernel variables, see FAQ 6.1.
The error message "Host tried to open known service port" shows up with services that use multiple ports for their communication. This error is most common with FTP but can also occur with other services. By default, FireWall-1 does not allow services that negotiate data ports to choose a service that is defined in FireWall-1. This check can be disabled by editing $FWDIR/lib/base.def on the management console and reinstalling the security policy.
In theory, this check prevents anyone from using the control connection of an allowed service such as FTP to open a service that may not otherwise be allowed between the client and server. However, this check applies only to predefined services. Someone interested in subverting the firewall in this manner could just as easily choose a service port undefined in FireWall-1 and, instead of using an FTP data connection, do something else through it. Because of this, I do not see this check providing real value, and any value it does have is overshadowed by the fact that it frequently breaks legitimate FTP usage.
In FireWall-1 NG FP1 and above, you can resolve this problem by editing $FWDIR/lib/base.def on the management station. Add the line #define NO_SERVER_PORT_CHECK directly after the #define __base_def__ guard, so that the top of the file reads as follows (the added line is marked with a comment):
#ifndef __base_def__
#define __base_def__
#define NO_SERVER_PORT_CHECK    // the line to add
#include "services.def"
//
// (c) Copyright 1993-2001 Check Point Software Technologies Ltd.
// All rights reserved.
This line effectively disables the macros that check for defined services. The change will take effect once the security policy is pushed to the enforcement points.
To determine whether a fragmented packet should be allowed, FireWall-1 holds all fragments it receives until it can assemble the entire packet in memory. If the assembled packet would normally pass, FireWall-1 passes the packet but sends it out as it was received, that is, still fragmented; hence the term virtual defragmentation. If FireWall-1 does not receive all the fragments for the packet, or the fragment table fills up, which may occur during a fragmentation-based denial-of-service (DoS) attack, FireWall-1 drops the fragments without forwarding them, generating log messages along the way.
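The mechanism just described, as an added Python model that is not Check Point code: fragments are keyed by a constructed (source, destination, IP identification) tuple, `policy` stands in for the rulebase, and expiry of stale entries is left out.

```python
"""Added model (not Check Point code) of the virtual defragmentation described
above: hold fragments, check policy once on the assembled datagram, then
forward the ORIGINAL fragments unchanged or drop them all, logging drops."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Fragment:
    key: Tuple[str, str, int]  # (src, dst, IP identification) names one datagram
    offset: int                # byte offset of this payload within the datagram
    payload: bytes
    more: bool                 # IP "more fragments" flag; False on the final fragment

class VirtualDefrag:
    def __init__(self, max_entries: int, policy: Callable[[bytes], bool]):
        self.max_entries = max_entries   # capacity of the fragment table
        self.policy = policy             # stands in for the rulebase decision
        self.table: Dict[Tuple[str, str, int], List[Fragment]] = {}
        self.log: List[str] = []

    def receive(self, frag: Fragment) -> List[Fragment]:
        """Return fragments to forward now; [] while holding or after a drop."""
        frags = self.table.get(frag.key)
        if frags is None:
            if len(self.table) >= self.max_entries:  # fragmentation-DoS symptom
                self.log.append(f"fragment table full, dropped fragment of {frag.key}")
                return []
            frags = self.table[frag.key] = []
        frags.append(frag)
        final = [f for f in frags if not f.more]
        if not final:
            return []                                # final fragment not seen yet
        total_len = final[0].offset + len(final[0].payload)
        if max(f.offset + len(f.payload) for f in frags) > total_len:
            del self.table[frag.key]                 # overrun: malformed, drop all
            self.log.append(f"fragment overruns datagram, dropped {frag.key}")
            return []
        data, seen = bytearray(total_len), bytearray(total_len)
        for f in frags:
            data[f.offset:f.offset + len(f.payload)] = f.payload
            seen[f.offset:f.offset + len(f.payload)] = b"\x01" * len(f.payload)
        if not all(seen):
            return []                                # gaps remain; keep holding
        del self.table[frag.key]
        if self.policy(bytes(data)):
            return list(frags)                       # forward as received, still fragmented
        self.log.append(f"policy dropped {frag.key}")
        return []
```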
This error shows up when you have a node-limited firewall license and FireWall-1 believes you have violated the license because it has "seen" too many hosts on the internal interfaces. Note that the configuration in the Topology section of the gateway object determines which interfaces are internal and external. (See Fun with Check Point Licensing in Chapter 2 for discussion of node-limited licenses and their enforcement.)
If you see this error, it means the number of discrete IP addresses protected by the firewall has exceeded the license limitation. Anything behind your firewall with an IP address will eventually be discovered, regardless of whether or not the host traverses the firewall. Machines with multiple IP addresses and machines that change their IP addresses will be counted more than once.
When the license is exceeded by a large number of hosts on a busy network, FireWall-1 consumes itself with logging and messages about the license violation. In extreme cases this causes the firewall to process traffic very slowly, if at all. Note that FireWall-1 still continues to pass traffic, even from the hosts that exceed the license count; performance suffers because FireWall-1 spends its time notifying you that the count has been exceeded.
You can get a count of the number of hosts by entering the command fw tab -t host_table -s. The entry under the #VALS heading is the number of hosts FireWall-1 has counted. You can see which IP addresses are currently being counted against your license by issuing the command fw lichosts.
You will have to reset FireWall-1's record of the IP addresses it has erroneously logged as internal. Remove the $FWDIR/database/fwd.h and $FWDIR/database/fwd.hosts files and restart FireWall-1. You can also reset the table with fw tab -t host_table -x.
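To turn the two commands above into a quick check, here is an added Python diagnostic (not from the book or from Check Point) that parses constructed sample output of fw tab -t host_table -s and fw lichosts and compares the counted addresses with the networks you regard as internal. It assumes fw lichosts prints one IPv4 address per line; the license limit and internal network list are placeholders you supply.

```python
"""Added diagnostic (not Check Point code) for the node-limited licence error
above: read #VALS from 'fw tab -t host_table -s' output and the addresses from
'fw lichosts' output, then report licence headroom and any counted addresses
outside the networks you regard as internal, which usually point at a Topology
misconfiguration on the gateway object (an external interface marked internal)."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample output; the column names follow the header fw tab -s prints.
FW_TAB_OUTPUT = """\
HOST                  NAME                              ID  #VALS  #PEAK  #SLINKS
localhost             host_table                         5     47     52        0
"""
# Constructed sample; assumed format is one IPv4 address per line.
FW_LICHOSTS_OUTPUT = """\
10.1.1.10
10.1.1.11
10.1.2.20
192.0.2.7
"""
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def host_count(fw_tab_output: str) -> int:
    """Return the #VALS figure, found by its column name rather than position."""
    rows = [line.split() for line in fw_tab_output.splitlines() if line.strip()]
    return int(rows[1][rows[0].index("#VALS")])   # rows[0] is the header

def counted_hosts(lichosts_output: str) -> List[ipaddress.IPv4Address]:
    """Every IPv4 address fw lichosts printed, ignoring any surrounding text."""
    return [ipaddress.IPv4Address(m) for m in IPV4.findall(lichosts_output)]

def license_report(count: int, hosts: List[ipaddress.IPv4Address],
                   limit: int, internal: List[str]) -> Dict[str, object]:
    """Headroom against the licence and counted hosts that are not internal."""
    nets = [ipaddress.IPv4Network(n) for n in internal]
    outside = sorted(str(h) for h in hosts if not any(h in n for n in nets))
    return {"count": count, "limit": limit,
            "headroom": limit - count,          # negative once the licence is exceeded
            "exceeded": count > limit,
            "outside_internal": outside}        # candidates for topology mistakes

if __name__ == "__main__":
    print(license_report(host_count(FW_TAB_OUTPUT), counted_hosts(FW_LICHOSTS_OUTPUT),
                         limit=50, internal=["10.1.0.0/16"]))
```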
This error comes up during policy installations from SmartDashboard/Policy Editor. You can safely ignore this message.
This message also shows up during policy installations from SmartDashboard/Policy Editor. Unfortunately, this error indicates that one or more objects in the $FWDIR/conf/objects_5_0.C file have been corrupted. There are a few ways to proceed.
If the management station was upgraded recently, try downgrading to the prior release and using the Upgrade Verifier to ensure consistency. You can download this utility from http://www.checkpoint.com/techsupport/downloadsng/utilities.html.
With the management station stopped (cpstop), replace $FWDIR/conf/objects_5_0.C with $FWDIR/conf/objects_5_0.C.backup. Restart the management station (cpstart) and see if the problem still occurs.
Check for duplicate IP addresses in the firewall and management gateway objects.
Upgrade to NG FP3 with HFA-306 or a later HFA, or to NG AI. These versions resolve this issue.
This error occurs when the topology settings have not been defined in the FireWall-1/VPN-1 version 4.1 object interfaces. This error message is harmless, and the policy does get installed on the version 4.1 module. To correct this situation, edit the FireWall-1/VPN-1 version 4.1 object interfaces properties and configure the topology settings with the appropriate options for your network configuration.
If the firewall policy is installed when there is heavy traffic, the "mbuf_alloc" debug message may be displayed on the console. The message can be safely ignored.
The kernel module maintains a buffer of waiting log messages that it gives to fwd to send to the management module. The buffer is circular, so high levels of logging may cause buffer entries to be overwritten before they can be sent to fwd. When this happens, the system log will display messages indicating that log entries are being lost.
One solution to this issue is to reduce the amount of logging done. Disable any accounting rules that you can. Eliminate as much logging as possible.
Another solution is to increase the size of this buffer. In FireWall-1 NG, you will need to change the fw_log_bufsize kernel variable. This should be set to a value of 0x40000 or higher. FAQ 6.1 explains how to set these kernel variables.