Re: [FW-1] IPSO nokia FAST/SLOW PATH

Mon, 01 Oct 2007 04:36:29 -0700 

Paolo www.paoloriviello.com a écrit :

HI ALL,
how can I know if FW-1 is running on nokia ipso in fast or slow path mode ?


To temporarily disable it, one can issue the command:
ipsofwd slowpath
This also clears the flows tables. To re-enable it, use the command:
ipsofwd flowpath
To make this change "permanent,"replace the line in $FWDIR/bin/fwstart that says "ipsofwd flowpath" with "ipsofwd slowpath" in NG FP3 and above. In NG FP2 and earlier releases, add the command "ipsofwd slowpath" just before the exit $err near the end of the $CPDIR/etc/rc-Amu.d/S99cpboot script (In FireWall-1 4.1 and earlier, make the change in $FWDIR/bin/fwstart instead). 
*This command does not work when SecureXL is enabled in IPSO 3.8 or later.
*so you should check your starting scripts and check for the ipsofwd command above. 
flows (ie fastpath) is enabled by default on 3.3 and higher.

for the diskless, to disable the flows, here is the procedure
In diskless platform system, $FWDIR/bin directory is restored original file when the box is rebooted. Therefore, even if you modify "$FWDIR/bin/fwstart", the change does not remain when the box is rebooted. 
To overcome this limitation:

  1. Make a copy of $FWDIR/bin/fwstart under /var/etc/ and modify its
     name to fwstart.slowpath.
         nokia[admin]# *cp $FWDIR/bin/fwstart /var/etc/fwstart.slowpath*
  2. Modify /var/etc/fwstart.slowpath as follows:
         (original) ipsofwd flowpath-> (modify) ipsofwd slowpath
  3. Add following script in /var/etc/rc.local. This script will force
     the diskless system to stay in "slowpath".

     #!/bin/sh
     sleep 60
     ipsofwd slowpath
     sleep 60
     cp $FWDIR/bin/fwstart /var/etc/fwstart.old
     cp /var/etc/fwstart.slowpath $FWDIR/bin/fwstart

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================

Reply via email to