Check Point User-Space firewall support for R80.30 3.10 and higher

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk167052
Technical Level
Product	Quantum Security Gateways
Version	R80.30, R80.40, R81, R81.10
OS	Gaia
Date Created	27-May-2020
Last Modified	13-Sep-2021

Solution

Introduction

User-space Firewall (USFW) is the infrastructure that allows Check Point Firewall instances to run in user-space mode.

Note: For VSX USFW is the only mode available.

Motivation

Improved Memory utilization on Security Gateways with high number of cores
Allows utilizing improved debugging tools and new supported features

Appliances with USFW enable by default

Appliance	R80.30 3.10	R80.40 and higher
VM	Yes	Yes
Open server	Yes	Above 40 cores
Check Point 3600	Yes	Yes
Check Point 3800	Yes	Yes
Check Point 6200	Yes	Yes
Check Point 6400	Yes	Yes
Check Point 6600	Yes	Yes
Check Point 6700	Yes	Yes
Check Point 6900	Yes	Yes
Check Point 7000	Yes	Yes
Check Point 16000T	Yes	Yes
Check Point 16200	Yes	Yes
Check Point 16600HS	Yes	Yes
Check Point 23500	Yes	No
Check Point 23900	Yes	Yes
Check Point 26000	Yes	Yes
Check Point 28000	Yes	Yes
Other Check Point appliances	Above 40 cores	Above 40 cores

When running in USFW on at least 20 cores Appliance, the FWD process is isolated and affined to a dedicated CPU.
Otherwise, the FWD process will be affined to all CPUs, same as in KMFW.

Certified USFW Appliances

Appliances that can move to USFW but do not run in USFW by default:

Check Point 15600
Check Point 15400
Check Point 23800
Check Point 5600
Check Point 5400
Check Point 5800
Check Point 6500
Open server

Best Practices

Use the below factors to decide on the best mode for your Security Gateway User-Space or Kernel Mode

Factor	Testing command	Preferred mode
Setup with above 80% fast path	`fwaccel stats -s`	Kernel
Setup that is configured with more CoreXL SNDs than Firewall instances, or when SNDs are the bottle neck	`fw ctl affinity -l -r`	Kernel
Setup with above 70% Firewall path / Slow path	`fwaccel stats -s`	Kernel
Setup with above 30% PXL / Medium path	`fwaccel stats -s`	USFW
Running with more than 38 Firewall instances	`fw ctl affinity -l -r`	USFW

Known Limitations

Known Limitations	Description	Affected versions	Mitigation
Large scale VPN	Large scale VPN suffers from latency that results in client disconnections	R80.30 3.10 / R80.40	For R80.40, use the latest R80.40 Jumbo Hotfix. For R80.30 or if issue persists, contact Check Point Support
Unable to switch to kernel mode with Hyper Threading below 40 cores	Switching back to kernel mode with Hyper Threading results in crash on boot	R80.30 3.10	Disable Hyper Threading before moving to kernel mode
Unable to switch to kernel mode with above 40 cores without Hyper Threading	Switching back to kernel mode with 40 cores even after disabling Hyper Threading results in crash on boot	R80.30 3.10 / R80.40	Not supported

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating