TLS1.3 inspection
Hi again,
I have now managed to enable TLS1.3 on my R81 Security Gateway.
But HTTPS Inspection doesn't work for TLS1.3 traffic:
Even though I have disabled my bypass rule:
Just to be sure you have all the info, here is my simple rulebase:
Is there any special rule I need to add to catch TLS1.3 traffic?
Thanks, Iko
First of all, disabling your bypass rule can cause performance issues.
Is USFW enabled? https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Can you tell me how to verify if USFW is enabled?
cpprod_util FwIsUsermode
cpprod_util FwIsUsfwMachine
Both commands should return 1.
What precise appliance are you doing this on?
I run an R81 Security Gateway with Management and Gateway on the same VM.
Product version Check Point Gaia R81
OS build 392
OS kernel version 3.10.0-957.21.3cpx86_64
OS edition 64-bit
[Expert@gw-a7234c:0]# cpprod_util FwIsUsermode
0
[Expert@gw-a7234c:0]# cpprod_util FwIsUsfwMachine
0
What are the precise specifications (RAM, cores) on the VM?
Note that HTTPS Inspection for TLS 1.3 traffic requires three things:
- Being on R81 or above, which you are.
- Enabling TLSIO, which you clearly did here.
- Enabling User Space Firewall, which is only enabled by default for specific appliances.
The two commands indicate USFW is not enabled.
To enable them, issue the following two commands and reboot:
cpprod_util FwIsUsermode 1
cpprod_util FwIsUsfwMachine 1
Once you've done this, HTTPS Inspection of TLS 1.3 should work.
Doesn't work for some reason:
[Expert@gw-a7234c:0]# cpprod_util FwIsUsermode 1
Unknown/Unsupported command 1
0
[Expert@gw-a7234c:0]# cpprod_util FwIsUsfwMachine 1
Unknown/Unsupported command 1
Should be:
FwSetUsermode, FwSetUsfwMachine
Thanks _Val_, this worked:
[Expert@gw-a7234c:0]# cpprod_util FwIsUsermode
1
[Expert@gw-a7234c:0]# cpprod_util FwIsUsfwMachine
1
Thank you both _Val_ and PhoneBoy
Iko
Unfortunately, I had to remove the "accept as solution" because the TLS1.3 inspection still has a problem.
In the log I can see that the inspection works, but the client browser shows a "Secure Connection failed" message now.
Is there anything else I am missing?
Root certificate installed as trusted probably? 🙂
I analyzed the traces; it looks like the firewall is stripping off the supported_versions extension in the outgoing ClientHello now.
My bad, I didn't reboot.
Now HTTPS requests work again on the client, but traffic is bypassed from interception again, but only TLS1.3 traffic.
What's the log card say on the bypassed log?
One request on the client always brings up 3 log entries:
Is this the log card?
Just for clarification: the accessed webserver is TLS1.3 only.
The first log entry gets accepted. I think this is the first ClientHello sent without the supported_versions extension, which makes it a TLS1.2 request. This is not what the webserver expects, so it replies with some version alert. So the firewall sends the ClientHello again, this time with the supported_versions extension included (TLS1.3) -> this is what log entries 2 & 3 are about.
I just wonder why the bypass entry comes second. Wouldn't it make more sense if the decision to intercept or not were made before the first request is sent? Or is the order not really accurate, since this all happens in a very short time?
Just my thoughts...
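As an added example (not from this thread and not Check Point code), the following Python parses a TLS ClientHello record and reports whether the supported_versions extension (type 0x002b) is present and lists TLS 1.3; a hello without it is, as Iko describes above, a TLS 1.2 offer that a TLS 1.3-only server rejects with an alert. The two sample hellos are constructed inside the script rather than taken from a capture, and example.com is a placeholder hostname.

```python
import struct

SUPPORTED_VERSIONS = 0x002B   # extension type, RFC 8446 section 4.2.1
TLS13 = 0x0304

def parse_client_hello(record: bytes) -> dict:
    """Return legacy_version, extension types and supported_versions (None if absent)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a Handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    legacy_version = int.from_bytes(body[0:2], "big")
    pos = 2 + 32                                          # skip Random
    pos += 1 + body[pos]                                  # legacy_session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
    pos += 1 + body[pos]                                  # legacy_compression_methods
    ext_types, versions = [], None
    if pos < len(body):                                   # extensions are optional
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            ext_types.append(etype)
            if etype == SUPPORTED_VERSIONS:   # u8 list length, then u16 versions
                versions = [int.from_bytes(data[i:i + 2], "big")
                            for i in range(1, 1 + data[0], 2)]
    return {"legacy_version": legacy_version,
            "extensions": ext_types, "supported_versions": versions}

def offers_tls13(record: bytes) -> bool:
    """True only when supported_versions is present and lists TLS 1.3."""
    versions = parse_client_hello(record)["supported_versions"]
    return versions is not None and TLS13 in versions

def build_client_hello(extensions) -> bytes:
    """Constructed sample ClientHello (not a capture) with the given (type, data) extensions."""
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03" + bytes(32) + b"\x00"   # legacy_version, zeroed Random, empty session id
            + b"\x00\x02\x13\x01"               # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                       # compression_methods: null only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # Handshake: ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # TLSPlaintext record

SNI_EXT = (0x0000, b"\x00\x0e\x00\x00\x0bexample.com")    # server_name: placeholder host
SV_EXT = (SUPPORTED_VERSIONS, b"\x04\x03\x04\x03\x03")    # offers TLS 1.3 and TLS 1.2
INTACT_HELLO = build_client_hello([SNI_EXT, SV_EXT])      # as the browser sent it
STRIPPED_HELLO = build_client_hello([SNI_EXT])            # supported_versions removed
```

Run `offers_tls13()` on a ClientHello captured on the client side and on the gateway's outside interface; if the first returns True and the second False, the extension is being dropped in transit.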
The order may not entirely be accurate here, but the Internal System Error would explain why it is bypassing.
You’ll need to use this SK to debug what’s happening: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
I have tried these commands multiple times, and after a reboot the values are back to 0:
cpprod_util FwSetUsermode 1
cpprod_util FwSetUsfwMachine 1
Also, I tried enabling TLSIO by adding fwtls_enable_tlsio=1 to $FWDIR/boot/modules/fwkern.conf; fw ctl get int fwtls_enable_tlsio shows it is 0 after reboot. If I try to set it on the fly with fw ctl set int fwtls_enable_tlsio 1, I get the error "Set operation failed: failed to get parameter fwtls_enable_tlsio".
Hi @Alex_Lewis ,
Can you share on which version and platform you are trying to convert to USFW?
Thanks,
Ilya
2-gateway HA cluster running R81 Take 36 on Open Platform.
In general, if it's Open Platform, it should be USFW by default.
Can you share which type you have? How many CPUs does it have?
Dell PowerEdge R430, 16 CPUs, 32GB RAM
Hi @Alex_Lewis ,
According to our HCL, this type is not supported:
https://www.checkpoint.com/support-services/hcl/
Thanks,
Ilya
