User Space Firewall (USFW) support in R80.30 3.10 and higher
Solution

Introduction

User Space Firewall (USFW) is the infrastructure in which Check Point Firewall instances run in user space mode.

Note - For VSX, USFW is the only Firewall mode available.

Motivation

  • Improved memory utilization on Security Gateways with a large number of CPU cores
  • Improved debugging tools and newly supported features

Security Gateways with USFW enabled by default

| Hardware Platform | In R80.30 3.10 | In R80.40 and higher |
|---|---|---|
| Virtual Machine | Yes | Yes |
| Open Server | Yes | Yes - if there are more than 40 CPU cores |
| Check Point 3600 | Yes | Yes |
| Check Point 3800 | Yes | Yes |
| Check Point 6200 | Yes | Yes |
| Check Point 6400 | Yes | Yes |
| Check Point 6600 | Yes | Yes |
| Check Point 6700 | Yes | Yes |
| Check Point 6900 | Yes | Yes |
| Check Point 7000 | Yes | Yes |
| Check Point 16000T | Yes | Yes |
| Check Point 16200 | Yes | Yes |
| Check Point 16600HS | Yes | Yes |
| Check Point 23500 | Yes | No |
| Check Point 23900 | Yes | Yes |
| Check Point 26000 | Yes | Yes |
| Check Point 28000 | Yes | Yes |
| Other Check Point appliances | Yes - if there are more than 40 CPU cores | Yes - if there are more than 40 CPU cores |

When running in USFW on an appliance with at least 20 CPU cores, the FWD process is isolated and affined to a dedicated CPU core.
In all other cases (KSFW, or fewer than 20 CPU cores), the FWD process is affined to all CPU cores.

Certified Appliances for USFW

Appliances that can move to USFW, but do not run in USFW by default:

  • Check Point 15600
  • Check Point 15400
  • Check Point 23800
  • Check Point 5600
  • Check Point 5400
  • Check Point 5800
  • Check Point 6500
  • Open Server

Best Practices

Use the factors listed below to select the best mode for your Security Gateway - User Space (USFW) or Kernel Mode (KSFW):

| Factor | Testing command | Preferred Firewall mode |
|---|---|---|
| 80% or more of the traffic undergoes the Fast path / Accelerated path | fwaccel stats -s | Kernel |
| 70% or more of the traffic undergoes the Firewall path / Slow path | fwaccel stats -s | Kernel |
| 30% or more of the traffic undergoes the PXL / Medium path | fwaccel stats -s | USFW |
| Security Gateway is configured with more CoreXL SNDs than CoreXL Firewall instances, or when SNDs are the bottleneck | fw ctl affinity -l -r | Kernel |
| Security Gateway is configured with more than 38 CoreXL Firewall instances | fw ctl affinity -l -r | USFW |

Note - If it is necessary to change the Firewall mode, contact Check Point Support.
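
The three fwaccel stats -s rows of the Best Practices table can be checked mechanically. The script below is an added example, not Check Point code: the line labels it matches, the reading of PSLXL as the PXL / Medium path counter, and the sample text are assumptions about the command's output.

```shell
#!/bin/bash
# Added example: apply the fwaccel-based factors from the Best Practices table.
# Assumption: `fwaccel stats -s` prints lines shaped like
#   "<label> pkts/Total pkts : <n>/<total> (<pct>%)"
# with the labels used in the awk patterns below.
# On a gateway the call would be:  fwaccel stats -s | preferred_mode

preferred_mode() {   # reads `fwaccel stats -s` text on stdin
  awk '
    # Return the integer inside "(NN%)", or -1 when the line has none.
    function pct(s) {
      if (!match(s, /\([0-9]+%\)/)) return -1
      return substr(s, RSTART + 1, RLENGTH - 3) + 0
    }
    BEGIN { fast = slow = medium = -1 }
    /^[ \t]*Accelerated pkts\/Total pkts/ { fast   = pct($0) }  # Fast path
    /^[ \t]*F2Fed pkts\/Total pkts/       { slow   = pct($0) }  # Slow path
    /^[ \t]*(PXL|PSLXL) pkts\/Total pkts/ { medium = pct($0) }  # Medium path
    END {
      # Refuse to give advice when any of the three counters is missing.
      if (fast < 0 || slow < 0 || medium < 0) { print "unparsed"; exit 2 }
      kernel = (fast >= 80 || slow >= 70)   # table rows 1 and 2
      usfw   = (medium >= 30)               # table row 3
      if (kernel && usfw) mode = "conflict" # e.g. slow=70 and medium=30
      else if (kernel)    mode = "Kernel"
      else if (usfw)      mode = "USFW"
      else                mode = "none"     # no factor reached its threshold
      printf "%s fast=%d slow=%d medium=%d\n", mode, fast, slow, medium
    }'
}

# Constructed sample, not output captured from a real gateway.
sample_medium_heavy='Accelerated conns/Total conns : 900/1000 (90%)
Accelerated pkts/Total pkts   : 4000/10000 (40%)
F2Fed pkts/Total pkts         : 2500/10000 (25%)
PSLXL pkts/Total pkts         : 3500/10000 (35%)'

printf '%s\n' "$sample_medium_heavy" | preferred_mode
```

A result of "conflict" or "none" means the traffic-path factors do not settle the choice on their own, and the fw ctl affinity -l -r factors from the same table still need to be considered.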

Known Limitations

| Known Limitations | Description | Affected versions | Mitigation |
|---|---|---|---|
| Large Scale VPN (LSV) | Large Scale VPN suffers from latency that results in disconnections of VPN clients | R80.30 3.10, R80.40 | For R80.40, use the latest R80.40 Jumbo Hotfix. For R80.30, or if the issue persists, contact Check Point Support |
| Cannot change the Firewall mode from USFW to KSFW on a Security Gateway: • with less than 40 CPU cores • with HyperThreading enabled | A crash occurs during boot after you changed the Firewall mode from USFW to KSFW and rebooted, while HyperThreading is enabled | R80.30 3.10 | Disable HyperThreading before moving to KSFW |
| Cannot change the Firewall mode from USFW to KSFW on a Security Gateway: • with more than 40 CPU cores • with HyperThreading disabled | A crash occurs during boot after you changed the Firewall mode from USFW to KSFW and rebooted, while HyperThreading is disabled | R80.30 3.10, R80.40 | Not supported |
