Hi Everyone,

I have P-1 NGx R61 with HFA_01 on RedHat Linux ES and I have to modify one of the CMAs to add the parameter "keep_DF_flag" and set it to 1 on my local Nokia IP380 firewall. According to Checkpoint SK17280:

Solution ID: #sk17280
Product: VPN-1 Pro (VPN-1/FW-1)
Version: NG, NG AI, NGX
Last Modified: 29-Nov-2006

Symptoms
* Packets are fragmented, even though DF (Do not Fragment) bit is set

Cause
By default the DF (Do Not Fragment) bit is turned off, so even if a packet came with enabled DF bit, that packet will be fragmented.

Solution
By default, value of keep_DF_flag is 0, meaning the DF flag is turned off. If value of keep_DF_flag is set to 1, the Firewall keeps the DF bit on the original packet.

Procedure:
Starting from VPN-1/FireWall-1 NG FP3 this property exists in $FWDIR/conf/objects_5_0.C file and can be modified manually or with DBedit. (Add it if it is not defined.)

For each Security Gateway object there are two attributes:
* keep_DF_flag (used for the Security Gateway object).
* keep_DF_flag_SR (downloaded to SecureRemote during "Download topology" action).

I know how to use dbedit but I don't know exactly what the syntax is for this. Interestingly, the Checkpoint TAC engineer assigned to the case couldn't help me either.

Thanks in advance.

cisco4ng
