Common Error Messages in the System Log
One thing there is no shortage of in FireWall-1 is error messages. The following subsections highlight several common errors and what you can do to prevent them.
Several of these FAQs reference HFA-xxx versions. HFA stands for Hotfix Accumulator, something Check Point Support has produced since FireWall-1 NG FP3. An HFA is simply a "jumbo hotfix" that bundles fixes for a number of issues into one package. Users with a direct support agreement can obtain these fixes from Check Point Support; companies that provide support for Check Point products can also supply them. The same applies for almost any other
6.6 Local Interface Anti-Spoofing
Local interface anti-spoofing is a different kind of anti-spoofing from the one configured on the interfaces of the gateway object for the firewall. FireWall-1 drops any packet it receives whose source IP address is one of the firewall's own interface addresses but which the firewall did not originate, since no legitimate host should send the firewall a packet claiming to come from the firewall itself. You might see this if two or more of the firewall's physical interfaces, configured on different logical networks, are plugged into the same hub, so that the firewall sees its own transmissions come back in on another interface.
You can disable local interface anti-spoofing by changing the FireWall-1 kernel variable
. For more details on how to change FireWall-1 kernel variables, see FAQ 6.1.
6.7 Tried to Open Known Service Port, Port xxxx
The error message "Host tried to open known service port" appears with services that use multiple ports for their communication. It is most common with FTP but can also occur with other services. By default, FireWall-1 does not allow a service that negotiates its data ports (such as FTP with PORT or PASV) to pick a port that is already defined as a service in FireWall-1. This check can be disabled by editing
on the management console and reinstalling the security policy.
In theory, this check prevents someone from using the control connection of an allowed service such as FTP to open a connection to a service that would not otherwise be allowed between the client and server. However, the check applies only to predefined services. Someone intent on subverting the firewall this way could just as easily negotiate a port that is not defined as a service in FireWall-1 and run something other than an FTP data transfer through it. Because of this, I do not see this check providing real value, and whatever value it does have is outweighed by the fact that it frequently breaks
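To make the argument concrete, here is a small model of the check, added as an example (it is not code from the book or from Check Point). It parses the data-port negotiation on an FTP control channel (PORT commands and 227 PASV replies) and rejects a negotiated port that is in a set of "known" services. The KNOWN_SERVICES table and the sample control-channel lines are constructed for the example; a port that is not in the table sails through, which is exactly the gap the text describes.

```python
import re

# Assumed for this example: the services FireWall-1 would treat as "known".
# The real set is whatever the security policy defines; these are illustrative.
KNOWN_SERVICES = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http", 443: "https"}

# FTP active mode: client sends "PORT h1,h2,h3,h4,p1,p2" (RFC 959).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
# FTP passive mode: server replies "227 ... (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_ftp_data_port(line):
    """Extract the (ip, port) negotiated on an FTP control connection.

    Returns None for lines that do not negotiate a data port, and also for
    malformed negotiations (any field outside 0..255), which a firewall should
    treat as "nothing negotiated" rather than guess at.
    """
    m = PORT_RE.match(line) or PASV_RE.match(line)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def known_service_port_check(line, known=KNOWN_SERVICES):
    """The check behind "tried to open known service port".

    Returns (verdict, detail). 'reject' mirrors FireWall-1's default
    behaviour; 'accept' is a data port the check does not object to.
    """
    negotiated = parse_ftp_data_port(line)
    if negotiated is None:
        return "ignore", "no data port negotiated"
    ip, port = negotiated
    if port in known:
        return "reject", "tried to open known service port %d (%s)" % (port, known[port])
    return "accept", "data connection to %s:%d" % (ip, port)


# Constructed sample control-channel lines (not captured traffic).
SAMPLE_LINES = [
    "PORT 10,1,2,3,0,23",                               # data port 23 (telnet): rejected
    "PORT 10,1,2,3,122,105",                            # data port 31337: undefined, passes
    "227 Entering Passive Mode (192,168,1,10,195,80)",  # data port 50000: passes
    "PORT 10,1,2,3,999,1",                              # malformed: ignored
    "USER anonymous",                                   # not a negotiation
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("%-50s -> %s: %s" % (line, *known_service_port_check(line)))
```

The second sample line is the point of the passage: an attacker who wants a non-FTP channel simply negotiates a port that is not a defined service, and the check has nothing to say about it.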
In FireWall-1 NG FP1 and above, you can resolve this problem by editing
on the management station. Add the following line in the following location (the line to add is set in bold):
// (c) Copyright 1993-2001 Check Point Software Technologies Ltd.
// All rights reserved.
This line effectively disables the macros that check for defined services. The change takes effect once the security policy is reinstalled on the enforcement points.
6.8 Virtual Defragmentation Errors
In order to determine whether or not a fragmented packet should be allowed, FireWall-1 holds all the fragments it receives until it can assemble the entire packet in memory. If the reassembled packet would normally pass, FireWall-1 allows it but sends it out as it was received, that is, still fragmented, hence the term virtual defragmentation. If FireWall-1 does not receive all the fragments of a packet, or the fragment table fills up, which may occur during a fragmentation-based denial-of-service (DoS) attack, FireWall-1 drops the fragments rather than forwarding them and generates log messages along the way.
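The following is a model of that behaviour, added here as an example; it is not Check Point's implementation. Fragments sharing (source, destination, protocol, IP ID) are held in a bounded table until the datagram can be reassembled, the policy is evaluated once on the reassembled payload, and on accept the original fragments are forwarded untouched. A full table and a timeout both produce the drop-plus-log behaviour the text describes. The fragment layout, the allow_dns_only policy and the sample datagrams are constructed for the example.

```python
class VirtualDefragmenter:
    """Model of virtual defragmentation (added example, not Check Point code).

    Fragments are keyed by (src, dst, proto, ip_id) and held in a table of at
    most max_entries datagrams. Once a datagram is complete the policy sees the
    reassembled payload; if it passes, the ORIGINAL fragments are returned for
    forwarding, still fragmented. Incomplete datagrams (on expire) and a full
    table produce a drop plus a log line.
    """

    def __init__(self, policy, max_entries=64):
        self.policy = policy            # policy(src, dst, proto, payload) -> bool
        self.max_entries = max_entries  # size of the fragment table
        self.table = {}                 # key -> list of fragments held
        self.log = []

    @staticmethod
    def _reassemble(frags):
        """Return the full payload, or None while pieces are still missing."""
        last = [f for f in frags if not f["more"]]
        if not last:
            return None
        total = last[0]["offset"] + len(last[0]["data"])
        buf, seen = bytearray(total), bytearray(total)
        for f in frags:
            end = f["offset"] + len(f["data"])
            if end > total:             # claims data beyond the final fragment
                return None
            buf[f["offset"]:end] = f["data"]
            seen[f["offset"]:end] = b"\x01" * len(f["data"])
        return bytes(buf) if all(seen) else None

    def receive(self, frag):
        """Feed one fragment; returns the fragments to forward (possibly none)."""
        key = (frag["src"], frag["dst"], frag["proto"], frag["id"])
        if key not in self.table:
            if len(self.table) >= self.max_entries:
                self.log.append("drop: fragment table full, dropped fragment of %s" % (key,))
                return []
            self.table[key] = []
        held = self.table[key]
        held.append(frag)
        payload = self._reassemble(held)
        if payload is None:
            return []                   # keep holding until complete
        del self.table[key]
        if self.policy(frag["src"], frag["dst"], frag["proto"], payload):
            return list(held)           # forwarded as received: still fragmented
        self.log.append("drop: policy rejected reassembled datagram %s" % (key,))
        return []

    def expire(self):
        """Timer tick: anything still incomplete is dropped and logged."""
        stale = list(self.table)
        for key in stale:
            self.log.append("drop: incomplete datagram %s timed out" % (key,))
            del self.table[key]
        return len(stale)


def make_frag(src, dst, proto, ident, offset, data, more):
    return {"src": src, "dst": dst, "proto": proto, "id": ident,
            "offset": offset, "data": data, "more": more}


def split_datagram(src, dst, ident, payload, chunk):
    """Cut a UDP datagram into `chunk`-byte fragments (constructed input)."""
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        frags.append(make_frag(src, dst, 17, ident, off, piece, off + chunk < len(payload)))
    return frags


def allow_dns_only(src, dst, proto, payload):
    """Constructed policy: permit UDP to port 53 only. The destination port is
    bytes 2-3 of the UDP header, which lives in the first fragment, so the
    decision needs the reassembled datagram, not whichever fragment came first."""
    if proto != 17 or len(payload) < 8:
        return False
    return int.from_bytes(payload[2:4], "big") == 53


if __name__ == "__main__":
    dns = b"\x04\x00\x00\x35\x00\x0d\x00\x00query"   # UDP 1024 -> 53, 13 bytes
    vd = VirtualDefragmenter(allow_dns_only, max_entries=2)
    for f in reversed(split_datagram("10.0.0.5", "10.0.0.53", 1, dns, 4)):
        out = vd.receive(f)
    print("forwarded offsets:", [f["offset"] for f in out], "log:", vd.log)
```

Note that the fragments come out in the order they arrived, not reassembled, and that a datagram whose fragments never all arrive sits in the table until expire() runs; that table is the resource a fragmentation flood exhausts.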
6.9 Too Many Internal Hosts
This error shows up when you have a node-limited firewall license and FireWall-1 believes you have exceeded it because it has "seen" too many hosts on the internal interfaces. Note that the Topology section of the gateway object determines which interfaces are internal and which are external. (See Fun with Check Point Licensing in Chapter 2 for a discussion of node-limited licenses and their enforcement.)
If you see this error, the number of discrete IP addresses protected by the firewall has exceeded the license limit. Anything behind your firewall with an IP address will eventually be counted, whether or not the host ever sends traffic through the firewall. Machines with multiple IP addresses, and machines that change their IP addresses, are counted more than once.
When the license is exceeded by a large number of hosts on a busy network, FireWall-1 bogs itself down with logging and messages about the exceeded license. In extreme cases this causes the firewall to process traffic very slowly, if at all. Note, however, that FireWall-1 still passes traffic, even from the hosts that exceed the license count; only performance suffers, and it can suffer severely, because FireWall-1 spends its time telling you that the license count has been exceeded.
You can get a count of the number of hosts by entering the command fw tab -t host_table -s. The entry under the
heading corresponds to the number of hosts FireWall-1 has counted. You can see which IP addresses are currently being counted against your license by issuing the command
To clear the IP addresses that FireWall-1 has erroneously counted as internal, you will have to reset its record of them. Remove the
files and restart FireWall-1. You can also clear the table in place with fw tab -t host_table -x.
6.10 Pth SCHEDULER INTERNAL ERROR: No More Thread(s) Available to Schedule
This error comes up during policy installations from SmartDashboard/Policy Editor. You can safely ignore this message.
6.11 Target localhost Is Not Defined as an NG Module, Please Use the
This message also shows up during policy installations from SmartDashboard/Policy Editor. Unfortunately, this error indicates that one or more objects in the
file have been corrupted. There are a few ways to proceed.
If the management station was upgraded recently, try reverting to the prior release and use the Upgrade Verifier to ensure the objects are consistent before upgrading again. You can download this utility from http://www.checkpoint.com/techsupport/downloadsng/utilities.html.
With the management station
. Restart the management station (
) and see if the problem still occurs.
Check for duplicate IP addresses in the firewall and management gateway objects.
Upgrade to NG FP3 with HFA-306 or a later HFA, or to NG AI; these releases resolve the issue.
6.12 Invalid Value in the Access Attribute: Undefined: File Exists
This error occurs when the topology settings have not been defined on the interfaces of a FireWall-1/VPN-1 version 4.1 gateway object. The message is harmless, and the policy does get installed on the version 4.1 module. To correct it, edit the interface properties of the version 4.1 object and configure the topology settings appropriate for your network.
6.13 mbuf_alloc(1500): Cluster
If the security policy is installed while there is heavy traffic, the "mbuf_alloc" debug message may be displayed on the console. It can be safely ignored.
6.14 Log Buffer Is Full, Error: Lost xxx Log/Trap Messages
The kernel module maintains a buffer of waiting log messages that it gives to
to send to the management module. The buffer is circular, so high levels of logging may cause buffer entries to be overwritten before they can be sent to
. When this happens, the system log will display messages indicating that log entries are being lost.
One solution is to reduce the amount of logging. Disable any accounting rules you can, and eliminate as much other logging as possible.
Another solution is to increase the size of this buffer. In FireWall-1 NG, you will need to change the
kernel variable. This should be set to a value of
or higher. FAQ 6.1 explains how to set these kernel variables.
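A model of the circular buffer this section describes, added as an example and not Check Point's code: the kernel writes records into a fixed ring, the forwarder drains them, and when the writer laps the reader the oldest unsent record is overwritten and counted toward the "lost xxx log/trap messages" line. The simulate() parameters (burst size, drain rate, rounds) are constructed; running it with a larger buffer shows why a bigger buffer absorbs a burst but cannot save a sustained rate of logging that the forwarder never catches up with, which is why the text lists reducing logging as a solution alongside enlarging the buffer.

```python
class KernelLogBuffer:
    """Ring of pending log records between the kernel module and the user-space
    forwarder (added example, not Check Point code). Overwriting an unsent
    record counts as a loss, reported the way the system log shows it."""

    def __init__(self, size):
        self.size = size
        self.slots = [None] * size
        self.head = 0      # records written so far (next write = head % size)
        self.tail = 0      # records read so far  (next read  = tail % size)
        self.lost = 0      # overwritten since the last system-log report

    def write(self, record):
        if self.head - self.tail == self.size:
            self.tail += 1          # oldest pending record is overwritten
            self.lost += 1
        self.slots[self.head % self.size] = record
        self.head += 1

    def drain(self, max_records):
        """The forwarder takes up to max_records pending records."""
        out = []
        while self.tail < self.head and len(out) < max_records:
            out.append(self.slots[self.tail % self.size])
            self.tail += 1
        return out

    def report(self):
        """System-log line for losses since the last report, or None."""
        if not self.lost:
            return None
        line = "Log buffer is full, error: lost %d log/trap messages" % self.lost
        self.lost = 0
        return line


def simulate(buffer_size, burst, drain_rate, rounds):
    """Each round the kernel logs `burst` records and the forwarder drains
    `drain_rate` of them. Returns (delivered, lost, syslog_lines)."""
    buf = KernelLogBuffer(buffer_size)
    delivered, lost, syslog = 0, 0, []
    for r in range(rounds):
        for i in range(burst):
            buf.write("round %d record %d" % (r, i))   # constructed log records
        delivered += len(buf.drain(drain_rate))
        line = buf.report()
        if line:
            syslog.append(line)
            lost += int(line.split("lost ")[1].split()[0])
    delivered += len(buf.drain(buf.head))   # forwarder catches up after the burst
    return delivered, lost, syslog


if __name__ == "__main__":
    for size in (8, 20):
        delivered, lost, lines = simulate(size, burst=10, drain_rate=6, rounds=3)
        print("buffer %2d: delivered %d, lost %d, %s" % (size, delivered, lost, lines))
    print("less logging, buffer 8:", simulate(8, burst=5, drain_rate=6, rounds=3)[:2])
```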