I’ve spent a lot of time tinkering with Check Point and SecurePlatform. In my first post on the topic, here are a few good commands for administering interfaces under the operating system.
1) Add Vlan interface
config conn add type vlan local "x.x.x.x/xx" vlan-tag "xxx" dev "interface"
e.g.
config conn add type vlan local 192.168.1.1/24 vlan-tag 100 dev eth0
This adds the VLAN interface eth0.100 with the IP address 192.168.1.1/24.
Running "config conn help" lists all options available within this tool. If you are configuring a firewall cluster, the VIP and topology changes must be made in SmartDashboard.
2) Add untagged interface
config conn set local "x.x.x.x/xx" name "inf_name"
3) To delete an interface
config conn del name "interface"
4) ARP limitations in SPLAT
There is a ‘feature’ of SPLAT where the ARP table will only hold 1000 ARP entries. This can be restrictive on a firewall with a lot of interfaces, or one that is directly connected to a lot of hosts (i.e. a management network firewall). As per the Check Point KB:
Problem: The default value of the gc_thresh3 file is not enough to contain all of the ARP entries. The ARP entries are overflowing the table.
Solution: The following command will change the default value of the gc_thresh3 file:
echo 10000 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
To make those changes persistent:
vi /etc/sysctl.conf
Add the following line:
net.ipv4.neigh.default.gc_thresh3 = 10000
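As an added check (my own script, not part of the original post and not a Check Point tool), the snippet below reads a /proc/net/arp-format file and reports how much of gc_thresh3 is already in use, so the overflow can be spotted before hosts drop off the table; the sample ARP rows and the tiny threshold are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: gauge how close the ARP table
# is to gc_thresh3 so the overflow described above is caught early.
# Assumes the /proc/net/arp format, in which every row after the header
# (complete or incomplete) holds a neighbour slot that counts towards gc_thresh3.

# count_arp_entries FILE: number of neighbour rows in a /proc/net/arp-format file.
count_arp_entries() {
    awk 'NR > 1 && NF >= 6 { n++ } END { print n + 0 }' "$1"
}

# arp_usage_pct FILE THRESH3: integer percentage of gc_thresh3 in use;
# prints nothing and returns 1 if THRESH3 is not a positive number.
arp_usage_pct() {
    case "$2" in
        ''|*[!0-9]*|0) return 1 ;;
    esac
    entries=$(count_arp_entries "$1")
    echo $(( $entries * 100 / $2 ))
}

# arp_check FILE THRESH3 WARN_PCT: return 0 when usage is below WARN_PCT,
# 1 (with a warning on stderr) when it is at or above it, 2 on bad input.
arp_check() {
    pct=$(arp_usage_pct "$1" "$2") || return 2
    if [ "$pct" -ge "$3" ]; then
        echo "WARNING: ARP table at ${pct}% of gc_thresh3=$2; raise gc_thresh3 before it overflows" >&2
        return 1
    fi
    echo "OK: ARP table at ${pct}% of gc_thresh3=$2"
}

# Constructed sample in /proc/net/arp format: three complete entries and one
# incomplete (flags 0x0). On a live SPLAT box run instead:
#   arp_check /proc/net/arp "$(cat /proc/sys/net/ipv4/neigh/default/gc_thresh3)" 80
SAMPLE_ARP=$(mktemp)
trap 'rm -f "$SAMPLE_ARP"' EXIT
cat > "$SAMPLE_ARP" <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         00:11:22:33:44:55     *        eth0.100
192.168.1.11     0x1         0x2         00:11:22:33:44:56     *        eth0.100
192.168.1.12     0x1         0x0         00:00:00:00:00:00     *        eth0.100
10.0.0.5         0x1         0x2         00:11:22:33:44:57     *        eth1
EOF

# With a deliberately tiny threshold of 5 the sample sits at 80% -> warning.
arp_check "$SAMPLE_ARP" 5 80 || true
```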
5) Interface Speed/Duplex
ethtool -s "interface" speed 100 duplex full autoneg off
To make those changes persistent:
vi /etc/rc.local
Add the following to the end of the file:
/sbin/ethtool -s "interface" speed 100 duplex full autoneg off