Wolfgang
Mentor

can't enable USFW on openserver

CheckMates,

We tried to enable USFW on an openserver running R81.10, with 2 cores.

cpprod_util FwSetUsermode 1
cpprod_util FwSetUsfwMachine 1

After reboot both values are back to "0".

In the logs from starting we found "Toggling usermode might have an effect on GW CoreXL split", meaning something changed the values we set before. Found script "/var/opt/fw.boot/fw1boot" with the following entry:

# Relevant only for Open Servers
# WA - until Open Servers will boot in Kerenl mode by default (appliance_config.xml)
# "Other" - can be Open Server or cloud, but cloud environment run only on kernel space anyway

if [ "$OPEN_SERVER_OVERRIDE" == 0 ] && [ "$MGMT" != 1 ] && [[ ( "$ISSMTOPENSERVER" == "1" && "$ALLOWED_CORES" -le "20") || ( $MANUFACTURER == "Other" && "$ALLOWED_CORES" -le "40") ]] ; then
if [ "$USERMODE" == 1 ]; then
$CPDIR/bin/cpprod_util FwSetUsermode 0
$CPDIR/bin/cpprod_util FwSetUsfwMachine 0

As a result USFW goes back to KMFW with only 2 cores....

Question => How to enable USFW on a 2 core Open Server?

0 Kudos
5 Replies
_Val_
Admin

USFW on open server is only supported with 40 and more cores, look into sk167052. Why do you need it for 2 cores only?

0 Kudos
Wolfgang
Mentor

No @_Val_ , there is no statement in the sk that this is not supported. It's only not enabled by default.

I know and I really understand that USFW is a little bit useless with only 2 cores. What we want to achieve... We want to use TLS1.3 inspection, which requires USFW enabled. 

https://community.checkpoint.com/t5/Threat-Prevention/HTTPS-inspection-of-TLS1-3-and-USFW/m-p/141737...

 

0 Kudos
_Val_
Admin

Uh, yes, you are right.

Try this:

  1. cpprod_util FwSetOverrideMode 1
  2. cpprod_util FwSetUsermode 1
  3. cpprod_util FwSetUsfwMachine 1
  4. reboot
0 Kudos
Wolfgang
Mentor

@_Val_ we saw this magic value "FwSetOverrideMode" and tried, looks good.

Will this be the supported way to enable USFW on open server with less than 40 cores?

0 Kudos
_Val_
Admin

For the official answer to this question, please check with TAC. I think their answer will be the same though...

0 Kudos