User Space Firewall (USFW) support in R80.30 3.10 and higher

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk167052
Technical Level
Product	Quantum Security Gateways
Version	R80.30, R80.40, R81, R81.10
OS	Gaia
Date Created	27-May-2020
Last Modified	15-Jun-2022

Solution

Introduction

User Space Firewall (USFW) is the infrastructure in which Check Point Firewall instances run in user space mode.

Note - For VSX, USFW is the only Firewall mode available.

Motivation

Improved memory utilization on Security Gateways with a large number of CPU cores
Improved debugging tools and newly supported features

Security Gateways with USFW enabled by default

Hardware Platform In R80.30 3.10 In R80.40 and higher

Virtual Machine Yes Yes

Open Server Yes Yes - if there are more than 40 CPU cores

Check Point 3600 Yes Yes

Check Point 3800 Yes Yes

Check Point 6200 Yes Yes

Check Point 6400 Yes Yes

Check Point 6600 Yes Yes

Check Point 6700 Yes Yes

Check Point 6900 Yes Yes

Check Point 7000 Yes Yes

Check Point 16000T Yes Yes

Check Point 16200 Yes Yes

Check Point 16600HS Yes Yes

Check Point 23500 Yes No

Check Point 23900 Yes Yes

Check Point 26000 Yes Yes

Check Point 28000 Yes Yes

Other Check Point appliances Yes - if there are more than 40 CPU cores Yes - if there are more than 40 CPU cores

The FWD process is isolated and affined to a dedicated CPU core, when running in USFW on an appliance with at least 20 CPU cores.
In other cases (KSFW, or less than 20 CPU cores), the FWD process is affined to all CPU cores.

Certified Appliances for USFW

Appliances that can move to USFW, but do not run in USFW by default:

Check Point 15600

Check Point 15400

Check Point 23800

Check Point 5900

Check Point 5600

Check Point 5400

Check Point 5800

Check Point 6500

Open Server

Best Practices

Use the factors listed below to select the best mode for your Security Gateway - User Space (USFW) or Kernel Mode (KSFW):

Factor Testing command Preferred Firewall mode

80% or more of the traffic undergoes the Fast path / Accelerated path fwaccel stats -s Kernel

70% or more of the traffic undergoes the Firewall path / Slow path fwaccel stats -s Kernel

30% or more of the traffic undergoes the PXL / Medium path fwaccel stats -s USFW

Security Gateway is configured with more CoreXL SNDs than CoreXL Firewall instances, or when SNDs are the bottleneck fw ctl affinity -l -r Kernel

Security Gateway is configured with more than 38 CoreXL Firewall instances fw ctl affinity -l -r USFW

Changing the CoreXL Firewall Mode:

To change the Firewall mode in versions R81.10 and higher:

Connect to the command line on the Security Gateway / each Cluster Member.

Run: cpconfig

Enter the number of the Check Point CoreXL option.

Enter 3 to select Change firewall mode.

Follow the instructions on the screen.

Exit from the cpconfig menu.

Reboot.

To change the Firewall mode in versions R81, R80.40, and R80.30, contact Check Point Support.

Known Limitations

Known Limitations Description Affected versions Mitigation

Large Scale VPN (LSV) Large Scale VPN suffers from latency that results in disconnections of VPN clients R80.30 3.10

R80.40 For R80.40, use the latest R80.40 Jumbo Hotfix

For R80.30, or if the issue persists, contact Check Point Support

Cannot change the Firewall mode from USFW to KSFW on a Security Gateway:

with less than 40 CPU cores

with HyperThreading enabled

A crash occurs during boot after you changed the Firewall mode from USFW to KSFW and rebooted, while the HyperThreading is enabled R80.30 3.10 Disable Hyper Threading before moving to KSFW

Cannot change the Firewall mode from USFW to KSFW on a Security Gateway:

with more than 40 CPU cores

with HyperThreading disabled

A crash occurs during boot after you changed the Firewall mode from USFW to KSFW and rebooted, while the HyperThreading is disabled R80.30 3.10

R80.40 Not supported

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating