Check Point User-Space firewall support for R80.30 3.10 and higher
Solution

Introduction 

User-space Firewall (USFW) is the infrastructure that allows Check Point Firewall instances to run in user-space mode.
 

Motivation

  • Improved memory utilization on Security Gateways with a high number of cores
  • Allows use of improved debugging tools and newly supported features


Appliances with USFW enabled by default

| Appliance | R80.30 3.10 | R80.40 and higher |
|---|---|---|
| VM | Yes | Yes |
| Open server | Yes | Above 40 cores |
| Check Point 3600 | Yes | Yes |
| Check Point 3800 | Yes | Yes |
| Check Point 6200 | Yes | Yes |
| Check Point 6400 | Yes | Yes |
| Check Point 6600 | Yes | Yes |
| Check Point 6700 | Yes | Yes |
| Check Point 6900 | Yes | Yes |
| Check Point 7000 | Yes | Yes |
| Check Point 16000T | Yes | Yes |
| Check Point 16200 | Yes | Yes |
| Check Point 16600HS | Yes | Yes |
| Check Point 23500 | Yes | No |
| Check Point 23900 | Yes | Yes |
| Check Point 26000 | Yes | Yes |
| Check Point 28000 | Yes | Yes |
| Other Check Point appliances | Above 40 cores | Above 40 cores |

When running in USFW on an appliance with at least 20 cores, the FWD process is isolated and affined to a dedicated CPU.
Otherwise, the FWD process is affined to all CPUs, the same as in Kernel Mode Firewall (KMFW).

Certified USFW Appliances

Appliances that can move to USFW but do not run in USFW by default:

  • Check Point 15600
  • Check Point 15400
  • Check Point 5600
  • Check Point 5400
  • Check Point 5800
  • Check Point 6500
  • Open server

Best Practices

Use the factors below to decide which mode, User-Space or Kernel, is best for your Security Gateway:

| Factor | Testing command | Preferred mode |
|---|---|---|
| Setup with above 80% fast path | fwaccel stats -s | Kernel |
| Setup that is configured with more CoreXL SNDs than Firewall instances, or when SNDs are the bottleneck | fw ctl affinity -l -r | Kernel |
| Setup with above 70% Firewall path / Slow path | fwaccel stats -s | Kernel |
| Setup with above 30% PXL / Medium path | fwaccel stats -s | USFW |
| Running with more than 38 Firewall instances | fw ctl affinity -l -r | USFW |
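
An added example (not Check Point code) that applies the table's numeric factors to `fwaccel stats -s` output and reports when factors point to different modes. It assumes the counters `Accelerated pkts`, `F2Fed pkts` and `PXL pkts` / `PSLXL pkts` correspond to the fast, slow and medium paths; the sample output is constructed, and the Firewall instance and SND counts are passed in by hand after reading `fw ctl affinity -l -r`.

```python
import re

# Assumption: these `fwaccel stats -s` counters map to the table's path names.
PATH_LABELS = {
    "fast": ("Accelerated pkts",),
    "slow": ("F2Fed pkts",),
    "medium": ("PXL pkts", "PSLXL pkts"),
}
LINE_RE = re.compile(r"^\s*(.+?)/Total pkts\s*:\s*(\d+)/(\d+)")

# Constructed sample output, not captured from a real gateway.
SAMPLE = """\
Accelerated conns/Total conns : 1200/4000 (30%)
Accelerated pkts/Total pkts   : 150000/1000000 (15%)
F2Fed pkts/Total pkts         : 250000/1000000 (25%)
PSLXL pkts/Total pkts         : 600000/1000000 (60%)
"""

def path_percentages(stats_text):
    """Return the percent of total packets seen on each path."""
    pct = {name: 0.0 for name in PATH_LABELS}
    for line in stats_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m.group(3)) == 0:
            continue  # not a packet counter, or no traffic counted yet
        label = m.group(1).strip()
        for name, labels in PATH_LABELS.items():
            if label in labels:
                pct[name] += 100.0 * int(m.group(2)) / int(m.group(3))
    return pct

def recommend(stats_text, fw_instances, snds):
    """Apply the table's numeric factors; return (verdict, matched factors)."""
    pct = path_percentages(stats_text)
    checks = [
        (pct["fast"] > 80, "Kernel", "above 80% fast path"),
        (snds > fw_instances, "Kernel", "more SNDs than Firewall instances"),
        (pct["slow"] > 70, "Kernel", "above 70% slow path"),
        (pct["medium"] > 30, "USFW", "above 30% medium path"),
        (fw_instances > 38, "USFW", "more than 38 Firewall instances"),
    ]
    matched = [(mode, why) for hit, mode, why in checks if hit]
    modes = {mode for mode, _ in matched}
    if len(modes) == 1:
        return modes.pop(), matched
    # The table gives no priority between factors, so surface disagreement.
    return ("conflict" if modes else "no factor matched"), matched

if __name__ == "__main__":
    print(recommend(SAMPLE, fw_instances=40, snds=8))
```

The "SNDs are the bottleneck" factor depends on observed load rather than a count, so it is not evaluated here.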


Known Limitations

| Known Limitations | Description | Affected versions | Mitigation |
|---|---|---|---|
| Large scale VPN | Large scale VPN suffers from latency that results in client disconnections | R80.30 3.10 / R80.40 | For R80.40, use the latest R80.40 Jumbo Hotfix. For R80.30 or if issue persists, contact Check Point Support |
| Unable to switch to kernel mode with Hyper Threading below 40 cores | Switching back to kernel mode with Hyper Threading results in crash on boot | R80.30 3.10 | Disable Hyper Threading before moving to kernel mode |
| Unable to switch to kernel mode with above 40 cores without Hyper Threading | Switching back to kernel mode with 40 cores even after disabling Hyper Threading results in crash on boot | R80.30 3.10 / R80.40 | Not supported |
