Wednesday, July 26, 2017

Turning out of state drops on and off on your gateways without pushing policy

One of the regular issues I help my customers resolving is about out of state drops. there might be multiple causes, and those should be addressed by proper troubleshooting and network configuration changes.

However, there are cases when you just need a quick fix before addressing the root case of the problem.

The classic way to do that is to change Global Properties settings on your management and to install policy. The biggest problem with that approach is that the settings are global and will affect all FWs in the security domain after a policy push.

But no worries, there is a way around it, described in SK117374. Fw kernel has two parameter that define out of state drops for TCP and ICMP:

fw_allow_out_of_state_tcp
fw_allow_out_of_state_icmp

For example, by running fw ctl set int fw_allow_out_of_state_tcp 1  you can allow TCP traffic to pass through. Setting the same parameter to 0 will start dropping out of state TCP again.


-----------
Support CPET project and this blog with your donations to https://www.paypal.me/cpvideonuggets 

No comments:

Post a Comment