Tuesday, March 29, 2016

One Management database parameter you never want to change

If you have ever pushed a Check Point policy, you know that a verification stage precedes the compilation and installation stages.

The Security Management Server checks rulebase and object integrity before compilation. When you make an error in the rulebase, verification reports it with a message. Most such errors concern shadowed (hidden) rules and broken rulebase logic.

However, there is a parameter in the Management Database that defines whether such verification takes place at all. Yes, that's right: you can disable policy verification.

Important note: disabling policy verification is extremely dangerous. It may lead to a severe security breach or to a serious business-continuity incident. I sincerely discourage you from changing the parameter on any of your production security systems.

So, after the warning, let's take a look. SecureKnowledge article sk31104 explains the parameter in question, which is called "fw_light_verify". It can only be accessed through the GUIDBEdit tool. I do not want to elaborate on how the parameter works; the SK article does that perfectly.

One might ask why it even exists. The answer is simple: there are scenarios where controlled use of this parameter actually helps resolve issues. For example, when running vsx_util upgrade in a very complex environment, there is a rare case in which the process gets stuck. The reason is that the tool eventually recompiles all VSX-related policies on all Security Domains. If some of the policies are too big and there are too many objects, verification takes too long and times out, causing the upgrade process to fail midway. SK article sk108693 describes this scenario.

Final note: I have tried changing the parameter in the lab, and indeed it allows you to install some weird policies, for example with an ANY-ANY-DROP rule first and more elaborate rules afterwards. I hope you understand the implications here. Never use this in production unless advised by your Check Point support engineer.
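To make the shadowing problem concrete, here is a small rulebase checker. It is an added example written for this post, not Check Point's verifier code and not the logic behind fw_light_verify; it implements a simplified "rule N is hidden by an earlier rule M" test over two constructed rulebases. The Rule class, the find_shadowed function and the sample rules are all assumptions made here. Sources and destinations are CIDR strings or Any, services are proto/port strings or Any, and a rule counts as hidden when a single earlier rule covers all three fields, which is exactly the situation in the ANY-ANY-DROP-first policy described above: every rule after it is unreachable, whatever its action.

```python
import ipaddress
from dataclasses import dataclass

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    """One access rule (hypothetical model, not a product object)."""
    number: int
    source: tuple       # CIDR strings, or (ANY,)
    destination: tuple  # CIDR strings, or (ANY,)
    service: tuple      # "proto/port" strings, or (ANY,)
    action: str


def _covers_addresses(outer, inner):
    """True if every network in `inner` lies inside some network in `outer`."""
    if ANY in outer:
        return True
    if ANY in inner:
        return False  # only Any covers Any
    outer_nets = [ipaddress.ip_network(n) for n in outer]
    for cidr in inner:
        net = ipaddress.ip_network(cidr)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
        if not any(o.version == net.version and net.subnet_of(o)
                   for o in outer_nets):
            return False
    return True


def _covers_services(outer, inner):
    """True if every service of `inner` is also listed in `outer`."""
    if ANY in outer:
        return True
    if ANY in inner:
        return False
    return set(inner) <= set(outer)


def covers(outer, inner):
    """True if `outer` matches every packet that `inner` could match.
    The action is deliberately ignored: a hidden rule never fires,
    whether it would accept or drop."""
    return (_covers_addresses(outer.source, inner.source)
            and _covers_addresses(outer.destination, inner.destination)
            and _covers_services(outer.service, inner.service))


def find_shadowed(rulebase):
    """Return [(hidden_rule_number, hiding_rule_number), ...] in rule order,
    reporting the first (topmost) earlier rule that hides each rule."""
    findings = []
    for i, rule in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if covers(earlier, rule):
                findings.append((rule.number, earlier.number))
                break
    return findings


# Constructed sample rulebases (not taken from any real policy).
SANE_RULEBASE = [
    Rule(1, ("10.0.0.0/8",), ("192.168.10.5/32",), ("tcp/443",), "accept"),
    Rule(2, ("10.1.0.0/16",), ("192.168.10.0/24",), ("tcp/443",), "accept"),
    # Rule 3 is a strict subset of rule 1 and can never match.
    Rule(3, ("10.1.2.0/24",), ("192.168.10.5/32",), ("tcp/443",), "accept"),
    Rule(4, (ANY,), (ANY,), (ANY,), "drop"),
]

# The "weird" policy that verification would normally refuse:
# ANY-ANY-DROP first, more elaborate rules afterwards.
BROKEN_RULEBASE = [
    Rule(1, (ANY,), (ANY,), (ANY,), "drop"),
    Rule(2, ("10.0.0.0/8",), ("192.168.10.5/32",), ("tcp/443",), "accept"),
    Rule(3, ("172.16.0.0/12",), (ANY,), ("udp/53",), "accept"),
]


if __name__ == "__main__":
    for name, rb in (("sane", SANE_RULEBASE), ("broken", BROKEN_RULEBASE)):
        print(f"{name} rulebase:")
        for hidden, by in find_shadowed(rb):
            print(f"  rule {hidden} is hidden by rule {by}")
```

Run as a script, the sane rulebase reports only rule 3 (hidden by rule 1, since 10.1.2.0/24 sits inside 10.0.0.0/8 and the other fields are identical), while the broken rulebase reports every rule after the first. A real verifier also has to consider rules hidden by the union of several earlier rules, which this single-rule check does not attempt.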

To support the Check Point Video Nuggets project, send your donations to https://www.paypal.me/cpvideonuggets

To support this blog, simply subscribe to Indeni tech news via this link.
