topic can't enable USFW on openserver in Firewall and Security Management

can't enable USFW on openserver

Wolfgang — Tue, 05 Apr 2022 11:39:20 GMT

CheckMates,

we tried to enable USFW on an openserver running R81.10., with 2 cores.

cpprod_util FwSetUsermode 1
cpprod_util FwSetUsfwMachine 1

After reboot both values are back to "0"

In the logs from starting we found "Toggling usermode might have an effect on GW CoreXL split", meaning something changed the values we set before. Founf script "/var/opt/fw.boot/fw1boot" with the following entry:

# Relevant only for Open Servers
# WA - until Open Servers will boot in Kerenl mode by default (appliance_config.xml)
# "Other" - can be Open Server or cloud, but cloud environment run only on kernel space anyway

if [ "$OPEN_SERVER_OVERRIDE" == 0 ] && [ "$MGMT" != 1 ] && [[ ( "$ISSMTOPENSERVER" == "1" && "$ALLOWED_CORES" -le "20") || ( $MANUFACTURER == "Other" && "$ALLOWED_CORES" -le "40") ]] ; then
if [ "$USERMODE" == 1 ]; then
$CPDIR/bin/cpprod_util FwSetUsermode 0
$CPDIR/bin/cpprod_util FwSetUsfwMachine 0

As a result USFW goes back to KMFW with only 2 cores....

Question => How to enable USFW on a 2 core Open Server ?

Re: can't enable USFW on openserver

_Val_ — Tue, 05 Apr 2022 12:06:28 GMT

USFW on open server is only supported with 40 and more cores, look into sk167052. Why do you need it for 2 cores only?

Re: can't enable USFW on openserver

Wolfgang — Tue, 05 Apr 2022 12:16:05 GMT

No @_Val_ , there is no statement in the sk that this is not supported. It's only not enabled by default.

I know and I really understand that USFW is a little bit useless with only 2 cores. What we want to achieve... We want to use TLS1.3 inspection, which requires USFW enabled.

https://community.checkpoint.com/t5/Threat-Prevention/HTTPS-inspection-of-TLS1-3-and-USFW/m-p/141737#M3553

Re: can't enable USFW on openserver

_Val_ — Tue, 05 Apr 2022 12:23:26 GMT

Uh, yes, you are right.

Try this:

cpprod_util FwSetOverrideMode 1
cpprod_util FwSetUsermode 1
cpprod_util FwSetUsfwMachine 1
reboot

Re: can't enable USFW on openserver

Wolfgang — Tue, 05 Apr 2022 12:31:45 GMT

@_Val_ we saw this magic value "FwSetOverrideMode" and tried, looks good.

Will this be the supported way to enable USFW on open server with less then 40 cores?

Re: can't enable USFW on openserver

_Val_ — Tue, 05 Apr 2022 12:58:47 GMT

For the official answer to this question, please check with TAC. I think their answer will be the same though...

Re: can't enable USFW on openserver

RamGuy239 — Wed, 30 Nov 2022 08:31:07 GMT

@_Val_ I just tried switching a HA cluster running R81.10 Take 79 from KMFW to USFW, this is open server. I used the new recommended method of using cpconfig -> (10) Check Point CoreXL -> (3) Change firewall mode.

But upon boot, it seems to be some kind of check going on that reverts it back to KMFW automatically ($FWDIR/scripts/override_server_settings.sh?). Do you know if doing this manually via cpprod_util is expected to behave any differently? USFW is required in order to enable TLS 1.3 support for HTTPS Inspection (fwtls_enable_tlsio=1).

With the push into USFW as default on appliances, it seems rather strange to enforce KMFW on open server in such a way. Especially when features such as TLS 1.3 requires USFW. Rather strange to not have the cpconfig -> (10) Check Point CoreXL -> (3) Change firewall mode way of doing things not sticking on open server. No need to have the option then.

Re: can't enable USFW on openserver

shais — Wed, 30 Nov 2022 08:44:04 GMT

Hi,

I'm sorry for the above issue, it's indeed a bug, and we are already in the process of deploying the fix for it into our jumbo.
Please use the following command to change the open server to USFW

1. cpprod_util FwSetOverrideMode 2
2. Use cpconfig to change the mode to USFW