https://community.checkpoint.com/t5/Firewall-and-Security-Management/RFC-R81-and-USFW/m-p/103131#M8131 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/18680">@HristoGrigorov</a>&nbsp;</P> <P>In “Kernel Mode Firewall” KMFW, the maximum number of running cores is limited to 40 because of the Linux/Intel limitation of 2GB kernel memory,and because CoreXL architecture needs to load a large driver (~42MB) dozens of times (according to the CPU number, and up to 40 times). Newer platforms that contain more than 40 cores e.g., 23900 or open server are not fully utilized. The solution of the problem is a firewall in the user mode of the Linux operating system. USFW “User Space Firewall” or UMFW stands for “User Mode Firewall”, and it is based on proven VSX code. This mode was introduced in R80.10. According to SK the UMFW is enabled from R80.30 by default and is customized via the installation process.&nbsp;</P> Tue, 24 Nov 2020 12:29:02 GMT HeikoAnkenbrand 2020-11-24T12:29:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/RFC-R81-and-USFW/m-p/103040#M8115 <P>I have request for comment on following kernel change and how does it affect USFW in R81:</P> <P><STRONG>Added support for zeco (zero-copy) packets for&nbsp;<SPAN class="mc-variable Other_Vars.tp_cp variable">Check Point</SPAN>&nbsp;USFW (<SPAN class="mc-variable Other_Vars.tp_fwcap variable">Firewall</SPAN>&nbsp;in usermode).</STRONG></P> <P>&nbsp;</P> Mon, 23 Nov 2020 19:26:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/RFC-R81-and-USFW/m-p/103040#M8115 HristoGrigorov 2020-11-23T19:26:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/RFC-R81-and-USFW/m-p/103075#M8122 <P>Remember that USFW is basically modern VSX with a single gateway.<BR />There are old customer releases that enable this in R77.30 VSX.<BR />USFW is basically going to be the default in a future version.<BR />I would therefore assume it should be supported with USFW unless explicitly noted otherwise.</P> Tue, 24 Nov 2020 03:20:01 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/RFC-R81-and-USFW/m-p/103075#M8122 PhoneBoy 2020-11-24T03:20:01Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/RFC-R81-and-USFW/m-p/103076#M8123 <P>I asked more like from technical point of view. Is it something developed by open source community and imported into your own kernel branch or was it entirely developed in house to enhance performance for USFW apps.&nbsp;</P> <P>I think USFW is not just a modern VSX anymore because in R81, TLS1.3 support works only in user space which is another interesting topic to discuss&nbsp;<span class="lia-unicode-emoji" title=":grinning_face:">😀</span></P> Tue, 24 Nov 2020 04:28:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/RFC-R81-and-USFW/m-p/103076#M8123 HristoGrigorov 2020-11-24T04:28:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/RFC-R81-and-USFW/m-p/103131#M8131 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/18680">@HristoGrigorov</a>&nbsp;</P> <P>In “Kernel Mode Firewall” KMFW, the maximum number of running cores is limited to 40 because of the Linux/Intel limitation of 2GB kernel memory,and because CoreXL architecture needs to load a large driver (~42MB) dozens of times (according to the CPU number, and up to 40 times). Newer platforms that contain more than 40 cores e.g., 23900 or open server are not fully utilized. The solution of the problem is a firewall in the user mode of the Linux operating system. USFW “User Space Firewall” or UMFW stands for “User Mode Firewall”, and it is based on proven VSX code. This mode was introduced in R80.10. According to SK the UMFW is enabled from R80.30 by default and is customized via the installation process.&nbsp;</P> Tue, 24 Nov 2020 12:29:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/RFC-R81-and-USFW/m-p/103131#M8131 HeikoAnkenbrand 2020-11-24T12:29:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/RFC-R81-and-USFW/m-p/103176#M8138 <P>Curious why this is a relevant detail (whether we are using an existing Open Source implementation or wrote our own).</P> <P>I'm assuming TLS1.3 related operations can only be done in userspace, which is what USFW is required for TLS1.3 inspection.<BR />Like I said: USFW is going to be the default in future versions.</P> Tue, 24 Nov 2020 18:43:09 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/RFC-R81-and-USFW/m-p/103176#M8138 PhoneBoy 2020-11-24T18:43:09Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/RFC-R81-and-USFW/m-p/103182#M8139 <P>Because we expect you to contribute it to open source community as many other vendors do (eg. Microsoft, IBM, etc) ?</P> Tue, 24 Nov 2020 19:19:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/RFC-R81-and-USFW/m-p/103182#M8139 HristoGrigorov 2020-11-24T19:19:13Z