Secure Platform Interface Commands

I've spent a lot of time tinkering with Check Point and SecurePlatform (SPLAT); in this first post on the topic, here are a few useful commands for administering interfaces under the operating system.

1) Add Vlan interface

config conn add type vlan local "x.x.x.x/xx" vlan-tag "xxx" dev "interface"

e.g.

config conn add type vlan local x.x.x.x/xx vlan-tag 100 dev eth0

Will add VLAN interface eth0.100 with IP x.x.x.x/xx.

If you run "config conn help" it will show all the options available within this tool. If you are configuring a firewall cluster, the VIP and topology changes must be made in SmartDashboard.

2) Add untagged interface

config conn set local "x.x.x.x/xx" name "inf_name"

3) To delete an interface

config conn del name "interface"

4) ARP limitations in SPLAT

There is a 'feature' of SPLAT where the ARP table will only hold 1000 ARP entries. This can be restrictive on a firewall with a lot of interfaces, or one that is directly connected to a lot of hosts (e.g. a management network firewall). As per the Check Point KB:

Problem: The default value of the gc_thresh3 file is not enough to contain all of the ARP entries. The ARP entries are overflowing the table.

Solution: The following command will change the default value of the gc_thresh3 file:

echo 10000 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

To make those changes persistent:

vi /etc/sysctl.conf

Add the following line:

net.ipv4.neigh.default.gc_thresh3 = 10000
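To see whether a firewall is actually approaching the limit before (or after) raising gc_thresh3, the following shell script is an added example, not part of the original post or of any Check Point tool. It reads constructed sample data instead of the live system so it runs anywhere; on a real SPLAT box the entry count would come from `ip -4 neigh show`, the thresholds from /proc/sys/net/ipv4/neigh/default/gc_thresh2 and gc_thresh3, and the log lines from dmesg. The function names and the sample lines are my own.

```shell
#!/bin/sh
# Added example: rate how full the IPv4 neighbour (ARP) table is against
# the kernel's soft (gc_thresh2) and hard (gc_thresh3) limits, and count
# the kernel's "neighbour table overflow" message in a log excerpt.

# arp_usage_status ENTRIES THRESH2 THRESH3
# Prints OK below the soft limit, WARN between soft and hard, CRIT at/above hard.
arp_usage_status() {
    entries=$1; thresh2=$2; thresh3=$3
    if [ "$entries" -ge "$thresh3" ]; then
        echo CRIT
    elif [ "$entries" -ge "$thresh2" ]; then
        echo WARN
    else
        echo OK
    fi
}

# count_neigh_entries: reads `ip -4 neigh show` style lines on stdin and
# counts entries that hold a resolved MAC (FAILED/INCOMPLETE rows have none).
count_neigh_entries() {
    awk '/ lladdr / { n++ } END { print n + 0 }'
}

# count_overflow_msgs: reads kernel log lines on stdin and counts the
# overflow message emitted when the table exceeds gc_thresh3.
count_overflow_msgs() {
    awk 'tolower($0) ~ /neighbou?r table overflow/ { n++ } END { print n + 0 }'
}

# Constructed sample data (not captured from a real firewall).
SAMPLE_NEIGH='10.1.1.2 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.1.1.3 dev eth0 lladdr 00:11:22:33:44:56 STALE
10.1.1.4 dev eth0  FAILED
10.1.2.9 dev eth0.100 lladdr 00:11:22:33:44:57 DELAY'

SAMPLE_DMESG='kernel: eth0: link up
kernel: Neighbour table overflow.
kernel: printk: 35 messages suppressed.
kernel: Neighbour table overflow.'

# Demo run on the constructed data (on a live host replace the here-strings
# with: ip -4 neigh show | count_neigh_entries, and dmesg | count_overflow_msgs).
n=$(printf '%s\n' "$SAMPLE_NEIGH" | count_neigh_entries)
echo "resolved ARP entries: $n -> $(arp_usage_status "$n" 512 1024)"
echo "overflow messages in log: $(printf '%s\n' "$SAMPLE_DMESG" | count_overflow_msgs)"
```

The thresholds 512 and 1024 in the demo call are the usual Linux defaults for gc_thresh2 and gc_thresh3 and are passed in rather than read, so they are an assumption here. One caveat worth knowing when following the KB: gc_thresh2 is the soft limit above which the kernel starts purging entries older than five seconds, so raising gc_thresh3 alone still leaves that aggressive collection in place; administrators who need a large table generally raise gc_thresh1, gc_thresh2 and gc_thresh3 together.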

5) Interface Speed/Duplex

ethtool -s "interface" speed 100 duplex full autoneg off

To make those changes persistent:

vi /etc/rc.local

Add the following to end of the file:

/sbin/ethtool -s "interface" speed 100 duplex full autoneg off
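Editing rc.local by hand works, but it is easy to append the same ethtool line twice or to add it below an `exit 0` where it never runs. The following shell function is an added example of doing the persistence step idempotently; it is not from the original post or from Check Point, and the function name and return codes are my own. It takes the target file as a parameter so the demo below writes to a temporary file rather than the real /etc/rc.local.

```shell
#!/bin/sh
# Added example: add "/sbin/ethtool -s IFACE speed SPEED duplex DUPLEX autoneg off"
# to an rc.local-style file exactly once, above any trailing "exit 0".

# persist_ethtool_line RC_FILE IFACE SPEED DUPLEX
# Returns 0 if the line was added, 1 if it was already present, 2 on bad input.
persist_ethtool_line() {
    rc_file=$1; iface=$2; speed=$3; duplex=$4

    # Only accept the values ethtool -s itself understands for these options.
    case "$speed" in
        10|100|1000) ;;
        *) echo "invalid speed: $speed" >&2; return 2 ;;
    esac
    case "$duplex" in
        half|full) ;;
        *) echo "invalid duplex: $duplex" >&2; return 2 ;;
    esac

    line="/sbin/ethtool -s $iface speed $speed duplex $duplex autoneg off"
    [ -f "$rc_file" ] || : > "$rc_file"

    # Idempotent: an identical line already in the file means nothing to do.
    if grep -qxF "$line" "$rc_file"; then
        return 1
    fi

    # If the script ends with an explicit "exit 0", insert above it so the
    # new command actually executes at boot; otherwise just append.
    if grep -qx 'exit 0' "$rc_file"; then
        tmp="$rc_file.tmp.$$"
        awk -v l="$line" '$0 == "exit 0" && !done { print l; done = 1 } { print }' \
            "$rc_file" > "$tmp" && mv "$tmp" "$rc_file"
    else
        printf '%s\n' "$line" >> "$rc_file"
    fi
    return 0
}

# Demo against a temporary file (use /etc/rc.local as the first argument on
# a real SPLAT host). The file contents are constructed for the demo.
demo=$(mktemp)
printf '#!/bin/sh\nexit 0\n' > "$demo"
persist_ethtool_line "$demo" eth0 100 full
persist_ethtool_line "$demo" eth0 100 full || echo "eth0 line already present (rc=$?)"
echo "--- resulting file ---"
cat "$demo"
rm -f "$demo"
```

The whole-line match (`grep -xF`) means a change of speed or duplex for the same interface is treated as a new line; remove the old one first so the two commands do not fight at boot.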