User Space Firewall (USFW) support in R80.30 3.10 and higher
Solution

Introduction

User Space Firewall (USFW) is the infrastructure in which Check Point Firewall instances run in user space mode.

Note - In VSX Gateways, USFW is the only Firewall mode available.

Motivation

  • Improved memory utilization on Security Gateways with many CPU cores.
  • Improved debugging tools and newly supported features.

Security Gateways with USFW enabled by default

Hardware Platform In R80.30 3.10 In R80.40 and higher
Check Point 28000
Check Point 26000
Check Point 23900
Check Point 23500
Check Point 16600HS
Check Point 16200
Check Point 16000T
Check Point 7000
Check Point 6900
Check Point 6700
Check Point 6600
Check Point 6400
Check Point 6200
Check Point 3800
Check Point 3600
Other Check Point appliances
If there are more than 40 CPU cores

If there are more than 40 CPU cores
Open Server Yes - if there are more than 40 CPU cores
Virtual Machine

Notes:

  • Check Point appliance models that do not appear in the table above support USFW, but it is disabled by default (CoreXL Firewall instances run in the Kernel Space).
  • Starting in R81.20, CloudGuard Network Security Gateways have USFW enabled by default.
  • The FWD process is isolated and affined to a dedicated CPU core when running in USFW on an appliance with at least 20 CPU cores.
    In other cases (KSFW, or fewer than 20 CPU cores), the FWD process is affined to all CPU cores.

Best Practices

Use the factors listed below to select the best CoreXL Firewall mode for your Security Gateway - User Space (USFW) or Kernel Space (KSFW):

Factor | Testing command | Recommended Firewall mode
80% or more of the traffic undergoes the Fast path / Accelerated path | fwaccel stats -s | KSFW
70% or more of the traffic undergoes the Firewall path / Slow path | fwaccel stats -s | KSFW
30% or more of the traffic undergoes the PXL / Medium path | fwaccel stats -s | USFW
Security Gateway is configured with more CoreXL SNDs than CoreXL Firewall instances, or when CoreXL SNDs are the bottleneck | fw ctl affinity -l -r | KSFW
Security Gateway is configured with more than 38 CoreXL Firewall instances | fw ctl affinity -l -r | USFW
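
The factors in the table above can be evaluated with a short script. The one below is an added example, not Check Point code: it reads `fwaccel stats -s` output on stdin and takes the CoreXL SND and Firewall instance counts (read by the operator from `fw ctl affinity -l -r`) as arguments. The field labels it matches, their mapping to the Fast, Slow and Medium paths, the function names and the sample input are assumptions made for this example.

```bash
#!/bin/bash
# Added example (not Check Point code): apply the Best Practices factors.
# Assumed `fwaccel stats -s` labels and path mapping (verify on your version):
#   "Accelerated pkts/Total pkts" = Fast path, "F2Fed pkts/Total pkts" = Slow path,
#   "PSLXL pkts/Total pkts" = PXL / Medium path.

# usfw_factors <SND count> <Firewall instance count>   (stats on stdin)
# On a gateway: fwaccel stats -s | usfw_factors <SNDs> <instances>
# Prints one line per matching factor, since factors can point both ways.
usfw_factors() {
    awk -v snd="$1" -v fwi="$2" '
        # Return N from the trailing "(N%)" of a stats line, or -1 if absent.
        function pct(line) {
            if (match(line, /\([0-9]+%\)/))
                return substr(line, RSTART + 1, RLENGTH - 3) + 0
            return -1
        }
        BEGIN { fast = slow = med = -1 }
        /Accelerated pkts\/Total pkts/ { fast = pct($0) }
        /F2Fed pkts\/Total pkts/       { slow = pct($0) }
        /PSLXL pkts\/Total pkts/       { med  = pct($0) }
        END {
            if (fast < 0 || slow < 0 || med < 0) {
                print "ERROR: expected fields not found in input"
                exit 2
            }
            if (fast >= 80) { n++; print "KSFW: fast path " fast "%" }
            if (slow >= 70) { n++; print "KSFW: slow path " slow "%" }
            if (med  >= 30) { n++; print "USFW: medium path " med "%" }
            if (snd + 0 > fwi + 0) { n++; print "KSFW: more SNDs (" snd ") than Firewall instances (" fwi ")" }
            if (fwi + 0 > 38) { n++; print "USFW: " fwi " Firewall instances (more than 38)" }
            if (!n) print "NONE: no factor in the table matched"
        }'
}

# Constructed sample input, not captured from a real gateway.
sample_stats() {
    cat <<'EOF'
Accelerated conns/Total conns : 1200/4000 (30%)
Accelerated pkts/Total pkts   : 450000/1000000 (45%)
F2Fed pkts/Total pkts         : 150000/1000000 (15%)
CPASXL pkts/Total pkts        : 0/1000000 (0%)
PSLXL pkts/Total pkts         : 400000/1000000 (40%)
EOF
}

sample_stats | usfw_factors 4 12   # 4 SNDs, 12 Firewall instances
```

When the output contains both KSFW and USFW lines, the factors conflict and the choice needs a closer look at which bottleneck dominates on that gateway.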

Changing the CoreXL Firewall Mode

  • To change the Firewall mode in versions R81.10 and higher:

    Procedure Instructions
    Recommended
    1. Connect to the command line on the Security Gateway / each Cluster Member.
    2. Run:
      cpconfig
    3. Enter the number of the Check Point CoreXL option.
    4. Enter 3 to select Change firewall mode.
    5. Follow the instructions on the screen.
    6. Exit from the cpconfig menu.
    7. Reboot.
      In a cluster, this can cause a failover.
    Optional
    1. Connect to the command line on the Security Gateway / each Cluster Member.
    2. Log in to the Expert mode.
    3. See the available CLI options:
      fwmode -h
    4. Run the applicable command:
      fwmode <option>
    5. Reboot.
      In a cluster, this can cause a failover.
  • To change the Firewall mode in versions R81, R80.40, and R80.30, contact Check Point Support.

Known Limitations

Known Limitation: Large Scale VPN (LSV)
Description: Large Scale VPN suffers from latency that results in disconnections of VPN clients
Affected versions: R80.40, R80.30 3.10
Mitigation: For R80.40, use the latest R80.40 Jumbo Hotfix. For R80.30, or if the issue persists, contact Check Point Support.

Known Limitation: Cannot change the Firewall mode from USFW to KSFW on Security Gateways:
  • With fewer than 40 CPU cores
  • With HyperThreading enabled
Description: A crash occurs during boot after you changed the Firewall mode from USFW to KSFW and rebooted, while HyperThreading is enabled
Affected versions: R80.30 3.10
Mitigation: Disable HyperThreading before changing the mode from USFW to KSFW

Known Limitation: Cannot change the Firewall mode from USFW to KSFW on Security Gateways:
  • With more than 40 CPU cores
  • With HyperThreading disabled
Description: A crash occurs during boot after you changed the Firewall mode from USFW to KSFW and rebooted, while HyperThreading is disabled
Affected versions: R80.40, R80.30 3.10
Mitigation: Not supported

Known Limitation: CloudGuard Network Security Gateways do not support USFW in versions R81.10 and lower.
Description: N/A
Affected versions: R81.10, R81, R80.40, R80.30
Mitigation: Not supported
