This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Wolfgang
MVP Gold
MVP Gold
‎2022-04-05 04:39 AM
Jump to solution

can't enable USFW on openserver

CheckMates,

we tried to enable USFW on an openserver running R81.10., with 2 cores.

cpprod_util FwSetUsermode 1
cpprod_util FwSetUsfwMachine 1

After reboot both values are back to "0"

In the logs from starting we found "Toggling usermode might have an effect on GW CoreXL split", meaning something changed the values we set before.  Founf script "/var/opt/fw.boot/fw1boot" with the following entry:

# Relevant only for Open Servers
# WA - until Open Servers will boot in Kerenl mode by default (appliance_config.xml)
# "Other" - can be Open Server or cloud, but cloud environment run only on kernel space anyway

if [ "$OPEN_SERVER_OVERRIDE" == 0 ] && [ "$MGMT" != 1 ] && [[ ( "$ISSMTOPENSERVER" == "1" && "$ALLOWED_CORES" -le "20") || ( $MANUFACTURER == "Other" && "$ALLOWED_CORES" -le "40") ]] ; then
if [ "$USERMODE" == 1 ]; then
$CPDIR/bin/cpprod_util FwSetUsermode 0
$CPDIR/bin/cpprod_util FwSetUsfwMachine 0

As a result USFW goes back to KMFW with only 2 cores....

Question => How to enable USFW on a 2 core Open Server ?

 

1 Solution

Accepted Solutions
shais
Employee
Employee
‎2022-11-30 12:44 AM
In response to RamGuy239
Jump to solution

Hi,

I'm sorry for the above issue, it's indeed a bug, and we are already in the process of deploying the fix for it into our jumbo.
Please use the following command to change the open server to USFW

1. cpprod_util FwSetOverrideMode 2
2. Use cpconfig to change the mode to USFW 

 

 

View solution in original post

7 Replies
_Val_
Admin
Admin
‎2022-04-05 05:06 AM
Jump to solution

USFW on open server is only supported with 40 and more cores, look into sk167052. Why do you need it for 2 cores only?

0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2022-04-05 05:16 AM
In response to _Val_
Jump to solution

No @_Val_ , there is no statement in the sk that this is not supported. It's only not enabled by default.

I know and I really understand that USFW is a little bit useless with only 2 cores. What we want to achieve... We want to use TLS1.3 inspection, which requires USFW enabled. 

https://community.checkpoint.com/t5/Threat-Prevention/HTTPS-inspection-of-TLS1-3-and-USFW/m-p/141737...

 

0 Kudos
_Val_
Admin
Admin
‎2022-04-05 05:23 AM
In response to Wolfgang
Jump to solution

Uh, yes, you are right.

Try this:

  1. cpprod_util FwSetOverrideMode 1
  2. cpprod_util FwSetUsermode 1
  3. cpprod_util FwSetUsfwMachine 1
  4. reboot
0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2022-04-05 05:31 AM
In response to _Val_
Jump to solution

@_Val_ we saw this magic value "FwSetOverrideMode" and tried, looks good.

Will this be the supported way to enable USFW on open server with less then 40 cores?

0 Kudos
_Val_
Admin
Admin
‎2022-04-05 05:58 AM
In response to Wolfgang
Jump to solution

For the official answer to this question, please check with TAC. I think their answer will be the same though...

0 Kudos
RamGuy239
MVP Silver
MVP Silver
‎2022-11-30 12:31 AM
In response to _Val_
Jump to solution

@_Val_ I just tried switching a HA cluster running R81.10 Take 79 from KMFW to USFW, this is open server. I used the new recommended method of using cpconfig -> (10) Check Point CoreXL -> (3) Change firewall mode.

But upon boot, it seems to be some kind of check going on that reverts it back to KMFW automatically ($FWDIR/scripts/override_server_settings.sh?). Do you know if doing this manually via cpprod_util is expected to behave any differently? USFW is required in order to enable TLS 1.3 support for HTTPS Inspection (fwtls_enable_tlsio=1).

With the push into USFW as default on appliances, it seems rather strange to enforce KMFW on open server in such a way. Especially when features such as TLS 1.3 requires USFW. Rather strange to not have the cpconfig -> (10) Check Point CoreXL -> (3) Change firewall mode way of doing things not sticking on open server. No need to have the option then.

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
0 Kudos
shais
Employee
Employee
‎2022-11-30 12:44 AM
In response to RamGuy239
Jump to solution

Hi,

I'm sorry for the above issue, it's indeed a bug, and we are already in the process of deploying the fix for it into our jumbo.
Please use the following command to change the open server to USFW

1. cpprod_util FwSetOverrideMode 2
2. Use cpconfig to change the mode to USFW 

 

 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events