Introduction
User Space Firewall (USFW) is the infrastructure in which Check Point Firewall instances run in user space mode.
Note - In VSX Gateways, USFW is the only Firewall mode available.
Motivation
- Improved memory utilization on Security Gateways with many CPU cores.
- Improved debugging tools and newly supported features.
Security Gateways with USFW enabled by default
Notes:
- Check Point appliance models that do not appear in the table above, support USFW, but it is disabled by default (CoreXL Firewall instances run in the Kernel Space).
- Starting in R81.20, CloudGuard Network Security Gateways have USFW enabled by default.
- The FWD process is isolated and affined to a dedicated CPU core, when running in USFW on an appliance with at least 20 CPU cores.
In other cases (KSFW, or less than 20 CPU cores), the FWD process is affined to all CPU cores.
Best Practices
Use the factors listed below to select the best CoreXL Firewall mode for your Security Gateway - User Space (USFW) or Kernel Space (KSFW):
Changing the CoreXL Firewall Mode
-
To change the Firewall mode in versions R81.10 and higher:
-
To change the Firewall mode in versions R81, R80.40, and R80.30, contact Check Point Support.
Known Limitations