Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
HristoGrigorov

RFC: R81 and USFW

I have request for comment on following kernel change and how does it affect USFW in R81:

Added support for zeco (zero-copy) packets for Check Point USFW (Firewall in usermode).

 

0 Kudos
5 Replies
PhoneBoy
Admin
Admin

Remember that USFW is basically modern VSX with a single gateway.
There are old customer releases that enable this in R77.30 VSX.
USFW is basically going to be the default in a future version.
I would therefore assume it should be supported with USFW unless explicitly noted otherwise.

0 Kudos
HristoGrigorov

I asked more like from technical point of view. Is it something developed by open source community and imported into your own kernel branch or was it entirely developed in house to enhance performance for USFW apps. 

I think USFW is not just a modern VSX anymore because in R81, TLS1.3 support works only in user space which is another interesting topic to discuss 😀

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion

Hi @HristoGrigorov 

In “Kernel Mode Firewall” KMFW, the maximum number of running cores is limited to 40 because of the Linux/Intel limitation of 2GB kernel memory,and because CoreXL architecture needs to load a large driver (~42MB) dozens of times (according to the CPU number, and up to 40 times). Newer platforms that contain more than 40 cores e.g., 23900 or open server are not fully utilized. The solution of the problem is a firewall in the user mode of the Linux operating system. USFW “User Space Firewall” or UMFW stands for “User Mode Firewall”, and it is based on proven VSX code. This mode was introduced in R80.10. According to SK the UMFW is enabled from R80.30 by default and is customized via the installation process. 

➜ CCSM Elite, CCME, CCTE
PhoneBoy
Admin
Admin

Curious why this is a relevant detail (whether we are using an existing Open Source implementation or wrote our own).

I'm assuming TLS1.3 related operations can only be done in userspace, which is what USFW is required for TLS1.3 inspection.
Like I said: USFW is going to be the default in future versions.

0 Kudos
HristoGrigorov

Because we expect you to contribute it to open source community as many other vendors do (eg. Microsoft, IBM, etc) ?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events