[Original text] FireWall-1 4.1 with a limited-IP license allows remote attackers to cause a denial of service by sending a large number of spoofed IP packets with various source addresses to the inside interface, which floods the console with warning messages and consumes CPU resources.
Check Point FireWall-1 contains a flaw that may allow a remote denial of service. The issue is triggered when a remote attacker sends a large number of spoofed packets to the internal interface of a FireWall-1 machine using a limited-IP license, and will result in loss of availability for the firewall.
Currently, there are no known upgrades or patches to correct this issue. It is possible to mitigate the flaw with the following workaround: run "fw ctl debug -buf" to prevent console logging from consuming excessive CPU.