How to enable ip forwarding when firewall policy is disabled for troubleshooting

Article ID: 167773

Products

XOS

Issue/Introduction

  • The firewall policy needs to be disabled and ip-forwarding needs to be enabled to troubleshoot a connectivity or performance issue.
    • Keep in mind that this procedure can only be used if there is no NAT configured in the policy, since the NAT functionality is provided by the firewall function.

Resolution

1. Check current ip-forwarding status:
 
 
r7547_1 (Pod111): cat /proc/sys/net/ipv4/ip_forward
 
0
 
Note: If the above command returns 0, ip-forwarding is disabled. If it returns 1, it is enabled.
 
2. Unload the security policy on the firewall (APM):
 
fw unloadlocal                         
 
3. Verify ip-forwarding is disabled, as the policy was unloaded in the previous step (command output should return '0'):
 
 
r7547_1 (Pod111): cat /proc/sys/net/ipv4/ip_forward
 
0
 
4. Enable ip-forwarding
 
To change the value to enable ip-forwarding, simply echo a 1 into the file, like this:
 
r7547_1 (Pod111): echo 1 > /proc/sys/net/ipv4/ip_forward
 
5. Verify ip-forwarding is enabled now: (command output should return '1')
 
 
r7547_1 (Pod111): cat /proc/sys/net/ipv4/ip_forward
 
1
 
6. Perform troubleshooting
 
7. When finished, disable ip-forwarding by one of the following:
 a) running r7547_1 (Pod111): echo 0 > /proc/sys/net/ipv4/ip_forward OR
 b) pushing policy OR
 c) running cprestart
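
The added example below (not vendor code) wraps steps 4 through 7a so that forwarding is enabled only while one troubleshooting command runs and the previously recorded value is written back afterwards, even if the command fails or the session is interrupted. The function names and the `IPF_FILE` override are assumptions of this example; unloading the policy in step 2 remains a manual step.

```shell
#!/bin/sh
# Added example: keep the ip-forwarding change scoped to the troubleshooting window.
# IPF_FILE is an assumption of this example so the logic can be tried on a scratch file.
IPF_FILE="${IPF_FILE:-/proc/sys/net/ipv4/ip_forward}"

# Print the current value (0 = disabled, 1 = enabled); fail on anything else.
ipf_get() {
    v=$(cat "$IPF_FILE") || return 1
    case "$v" in
        0|1) printf '%s\n' "$v" ;;
        *)   echo "unexpected value in $IPF_FILE: '$v'" >&2; return 1 ;;
    esac
}

# Write 0 or 1, then read the file back to confirm the change took effect.
ipf_set() {
    case "$1" in 0|1) ;; *) echo "ipf_set: want 0 or 1" >&2; return 2 ;; esac
    echo "$1" > "$IPF_FILE" || return 1
    [ "$(ipf_get)" = "$1" ]
}

# Run one troubleshooting command with forwarding enabled, then restore the
# value recorded beforehand. The trap covers Ctrl-C and a dropped session.
with_forwarding() {
    ipf_saved=$(ipf_get) || return 1
    trap 'ipf_set "$ipf_saved"; trap - INT TERM HUP; exit 130' INT TERM HUP
    ipf_set 1 || { trap - INT TERM HUP; return 1; }
    rc=0
    "$@" || rc=$?
    ipf_set "$ipf_saved" || rc=1   # a failed restore is reported as an error
    trap - INT TERM HUP
    return "$rc"
}

# Usage after sourcing this file as root:
#   with_forwarding <troubleshooting command and its arguments>
```

Because the function restores the value it read at the start, it should be run after the policy has been unloaded and step 3 has confirmed the value is 0.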