Wolfgang
Authority

can't enable USFW on openserver

CheckMates,

We tried to enable USFW on an openserver running R81.10, with 2 cores.

cpprod_util FwSetUsermode 1
cpprod_util FwSetUsfwMachine 1

After reboot both values are back to "0"

In the logs from starting we found "Toggling usermode might have an effect on GW CoreXL split", meaning something changed the values we set before. Found script "/var/opt/fw.boot/fw1boot" with the following entry:

# Relevant only for Open Servers
# WA - until Open Servers will boot in Kerenl mode by default (appliance_config.xml)
# "Other" - can be Open Server or cloud, but cloud environment run only on kernel space anyway

if [ "$OPEN_SERVER_OVERRIDE" == 0 ] && [ "$MGMT" != 1 ] && [[ ( "$ISSMTOPENSERVER" == "1" && "$ALLOWED_CORES" -le "20") || ( $MANUFACTURER == "Other" && "$ALLOWED_CORES" -le "40") ]] ; then
if [ "$USERMODE" == 1 ]; then
$CPDIR/bin/cpprod_util FwSetUsermode 0
$CPDIR/bin/cpprod_util FwSetUsfwMachine 0

As a result USFW goes back to KMFW with only 2 cores....

Question => How to enable USFW on a 2 core Open Server?

 

1 Solution

Accepted Solutions
shais
Employee

Hi,

I'm sorry for the above issue, it's indeed a bug, and we are already in the process of deploying the fix for it into our jumbo.
Please use the following command to change the open server to USFW

1. cpprod_util FwSetOverrideMode 2
2. Use cpconfig to change the mode to USFW 

 

 


7 Replies
_Val_
Admin

USFW on open server is only supported with 40 and more cores, look into sk167052. Why do you need it for 2 cores only?

0 Kudos
Wolfgang
Authority

No @_Val_ , there is no statement in the sk that this is not supported. It's only not enabled by default.

I know and I really understand that USFW is a little bit useless with only 2 cores. What we want to achieve... We want to use TLS1.3 inspection, which requires USFW enabled. 

https://community.checkpoint.com/t5/Threat-Prevention/HTTPS-inspection-of-TLS1-3-and-USFW/m-p/141737...

 

0 Kudos
_Val_
Admin

Uh, yes, you are right.

Try this:

  1. cpprod_util FwSetOverrideMode 1
  2. cpprod_util FwSetUsermode 1
  3. cpprod_util FwSetUsfwMachine 1
  4. reboot
0 Kudos
Wolfgang
Authority

@_Val_ we saw this magic value "FwSetOverrideMode" and tried, looks good.

Will this be the supported way to enable USFW on open server with less than 40 cores?

0 Kudos
_Val_
Admin

For the official answer to this question, please check with TAC. I think their answer will be the same though...

0 Kudos
RamGuy239
Advisor

@_Val_ I just tried switching a HA cluster running R81.10 Take 79 from KMFW to USFW, this is open server. I used the new recommended method of using cpconfig -> (10) Check Point CoreXL -> (3) Change firewall mode.

But upon boot, there seems to be some kind of check going on that reverts it back to KMFW automatically ($FWDIR/scripts/override_server_settings.sh?). Do you know if doing this manually via cpprod_util is expected to behave any differently? USFW is required in order to enable TLS 1.3 support for HTTPS Inspection (fwtls_enable_tlsio=1).

With the push into USFW as default on appliances, it seems rather strange to enforce KMFW on open server in such a way. Especially when features such as TLS 1.3 require USFW. Rather strange to have the cpconfig -> (10) Check Point CoreXL -> (3) Change firewall mode way of doing things not sticking on open server. No need to have the option then.

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
0 Kudos