Introduction

User Space Firewall (USFW) is the infrastructure in which Check Point Firewall instances run in user space mode.

Note - In VSX Gateways, USFW is the only Firewall mode available.

Motivation

• Improved memory utilization on Security Gateways with many CPU cores.
• Improved debugging tools and newly supported features.

Security Gateways with USFW enabled by default

Hardware Platform	In R80.30 3.10	In R80.40 and higher
Check Point 28000
Check Point 26000
Check Point 23900
Check Point 23500
Check Point 16600HS
Check Point 16200
Check Point 16000T
Check Point 7000
Check Point 6900
Check Point 6700
Check Point 6600
Check Point 6400
Check Point 6200
Check Point 3800
Check Point 3600
Other Check Point appliances	If there are more than 40 CPU cores	If there are more than 40 CPU cores
Open Server		Yes - if there are more than 40 CPU cores
Virtual Machine

Notes:

• Check Point appliance models that do not appear in the table above, support USFW, but it is disabled by default (CoreXL Firewall instances run in the Kernel Space).
• Starting in R81.20, CloudGuard Network Security Gateways have USFW enabled by default.
• The FWD process is isolated and affined to a dedicated CPU core, when running in USFW on an appliance with at least 20 CPU cores.
  In other cases (KSFW, or less than 20 CPU cores), the FWD process is affined to all CPU cores.

Best Practices

Use the factors listed below to select the best CoreXL Firewall mode for your Security Gateway - User Space (USFW) or Kernel Space (KSFW):

Factor	Testing command	Recommended Firewall mode
80% or more of the traffic undergoes the Fast path / Accelerated path	fwaccel stats -s	KSFW
70% or more of the traffic undergoes the Firewall path / Slow path	fwaccel stats -s	KSFW
30% or more of the traffic undergoes the PXL / Medium path	fwaccel stats -s	USFW
Security Gateway is configured with more CoreXL SNDs than CoreXL Firewall instances, or when CoreXL SNDs are the bottleneck	fw ctl affinity -l -r	KSFW
Security Gateway is configured with more than 38 CoreXL Firewall instances	fw ctl affinity -l -r	USFW

Changing the CoreXL Firewall Mode

• To change the Firewall mode in versions R81.10 and higher:

  Procedure	Instructions
  Recommended	Connect to the command line on the Security Gateway / each Cluster Member. Run: cpconfig Enter the number of the Check Point CoreXL option. Enter 3 to select Change firewall mode. Follow the instructions on the screen. Exit from the cpconfig menu. Reboot. In a cluster, this can cause a failover.
  Optional	Connect to the command line on the Security Gateway / each Cluster Member. Log in to the Expert mode. See the available CLI options: fwmode -h Run the applicable command: fwmode <option> Reboot. In a cluster, this can cause a failover.

• To change the Firewall mode in versions R81, R80.40, and R80.30, contact Check Point Support.

Known Limitations

Known Limitations	Description	Affected versions	Mitigation
Large Scale VPN (LSV)	Large Scale VPN suffers from latency that results in disconnections of VPN clients	R80.40, R80.30 3.10	For R80.40, use the latest R80.40 Jumbo Hotfix For R80.30, or if the issue persists, contact Check Point Support
Cannot change the Firewall mode from USFW to KSFW on a Security Gateways: With fewer than 40 CPU cores With HyperThreading enabled	A crash occurs during boot after you changed the Firewall mode from USFW to KSFW and rebooted, while the HyperThreading is enabled	R80.30 3.10	Disable Hyper Threading before changing the mode from USFW to KSFW
Cannot change the Firewall mode from USFW to KSFW on  Security Gateways: With more than 40 CPU cores With HyperThreading disabled	A crash occurs during boot after you changed the Firewall mode from USFW to KSFW and rebooted, while the HyperThreading is disabled	R80.40, R80.30 3.10	Not supported
CloudGuard Network Security Gateways do not support USFW in versions R81.10 and lower.	N/A	R81.10, R81, R80.40, R80.30	Not supported