@_Val_ @PhoneBoy @Moti @Dorit_Dor
We have many customers who use systems with more than 40 cores. If we generate 300-500% for the mentioned process here at firewalls, we only have 35 cores left. If that's not a problem, I'll give this information to all our customers and write "end of story" :-)
Very nice solution >>> End of story <<<
Thanks
---
- Customer installed a firewall on an open server with more than 40 cores. This makes the UMFW active during the installation.
- Now he installed the license with 8 cores and uses only 8 cores.
- The problem now is, he has a firewall in UMFW (USFW) mode with 8 cores.
- In this situation the process utilization of the process fwk0_dev_0 is 300-500%.
This is a beautiful bug in the installation script for me :-)
When I looked at the customer firewall, I wondered why there is a process with 300-500% CPU usage. Thereupon I asked here in the forum what the problem could be. Now @Timothy_Hall answered (thanks to Timothy) and I noticed that the firewall works in User Mode Firewall. Upssssssss!!!
So we had a shredded system, which according to your statement (@_Val_) has no support or is not supported! (Commented and struck out by VAL: Sorry Heiko, I did not say that)
(Inserted after @_Val_ changes in my text: I actually want to solve the technical problem and not discuss formulations in the forum. To make it clear from my point of view, I was referring to the formulation of VAL: >>>"@HeikoAnkenbrand I do not quite understand what kind of response you expect. UMFW is not supposed to run with less than 40 cores. End of story."<<< Sorry, I accidentally read "not supposed" as "not supported." in VAL's comment. So I've caused some confusion here.)
Unfortunately I did not find this statement in the readme, in the documentation or in an sk of R80.30. Hmmmm!!!
Since I didn't get any information from Check Point here in the forum, the customer now has set the firewall to the correct "Kernel Mode FW" in a maintenance window with the following steps:
1) Run the following clish commands:
# cpprod_util FwSetUsFwmachine 0
# cpprod_util FwSetUsermode 0
2) Edit the boot.conf file (vi $FWDIR/boot/boot.conf) with the following:
KERN_INSTANCE_NUM 40
3) Reboot.
We composed these commands by inverting the parameters from sk149973.
But the exciting question is still this:
1) Why is the firewall not changed to a Kernel Mode Firewall when an 8 core license is installed? This must be intercepted by the installation script. At least there should be a warning here.
2) Is it possible to use the firewall as UMFW in this situation or is it better to switch the mode to KMFW?
3) If the firewall now works in the wrong mode UMFW "according to your statement unsupported", what should we do at our customers?
4) If we keep running it in the wrong mode, is that a problem with the process fwk0_dev_0?
PS:
- My mistake, I should have opened a TAC ticket immediately.
➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips