topic Re: R80.10 User-Mode Firewall and performance impact in General Topics

R80.10 User-Mode Firewall and performance impact

HeikoAnkenbrand — Sun, 07 Apr 2019 17:06:35 GMT

A question to the R&D.

When I switch a firewall from kernel mode to user mode has this a performance impact.

Is it better for the performance to enable user mode on a firewall or not?

Does it make sense to enable user mode even for a few cores?

Enable user mode:

> cpprod_util FwSetUsermode 1
> reboot

More to user mode here:

How to enable USFW (User-Mode Firewall) on a 23900 appliance

Re: R80.10 User-Mode Firewall and performance impact

Timothy_Hall — Sun, 07 Apr 2019 13:48:08 GMT

While there is always a performance penalty for making a transition from kernel space to process/user space, the ability to add cores beyond the kernel memory imposed limit of 40 via CoreXL may mitigate it. Sounds to me like the answer will be "it depends". 🙂

Re: R80.10 User-Mode Firewall and performance impact

HeikoAnkenbrand — Sun, 07 Apr 2019 16:39:45 GMT

Hi @Timothy_Hall,

I have for project several HP DL380 G10 servers in the LAB. I'm run some performance tests in the next days.

1) I will install package generators on 3 servers with 10GBit network cards and simulate mixed traffic.
2) And 3 servers as packet destination.
3) Firewall with two 10 GBit network cards.

Then I can play a little bit in the lab with:

- user mode vs. kenel mode
- multi queueing on and off
- rulebase with 20 rules versus 1000 rules
- SecureXL on and off
- all blades on vs. fw and ips only
- 32 bit os vs. 64 bit OS

I always wanted to do that:-)

Re: R80.10 User-Mode Firewall and performance impact

PhoneBoy — Sun, 07 Apr 2019 21:24:34 GMT

In R80.20, there is only 64bit OS.
At least from what I was told by R&D, there probably won't be a performance benefit to using usermode firewall on a system with less than 40 cores.

Re: R80.10 User-Mode Firewall and performance impact

_Val_ — Mon, 08 Apr 2019 09:12:03 GMT

Not immediate performance benefits, but capacity should be higher than in Kernel mode, for huge amount of connections, since we are no longer limited by kernel memory for keeping all kernel tables there.

Re: R80.10 User-Mode Firewall and performance impact

phlrnnr — Tue, 14 May 2019 20:05:15 GMT

It appears USFW mode will be enabled by default starting in R80.30 (per sk149973). So, it seems that Checkpoint is counting on it performing better than kernel mode. That article is specific to the 23900, but it doesn't say that USFW will only be enabled by default on the 23900. The statement only says it will be the default for R80.30.

Re: R80.10 User-Mode Firewall and performance impact

Dorit_Dor — Tue, 14 May 2019 20:24:05 GMT

R80.30 w kernel 3.10 which is in EA comes w USFW enabled. Multiple different reasons drive better performance there but it doesnt translate to performing better on R80.10 and gaia. In fact we fixed multiple issues in the release which is why it wasnt the default before. If you are interested, use the EA version as its near GA (consider it release candidate).

There are different benefits of USFW that we will document over time. Its specifically performs better w many cores but it has benefits in all platforms

Re: R80.10 User-Mode Firewall and performance impact

phlrnnr — Wed, 15 May 2019 12:25:55 GMT

So, would you only recommend USFW on R80.30, and leave it disabled on R80.20 and below? If you had to deploy a new 23900 cluster with R80.20 on it running NGTX blades, would you enable USFW to get access to the 'extra' cores?

Re: R80.10 User-Mode Firewall and performance impact

Dorit_Dor — Wed, 15 May 2019 12:40:36 GMT

My own answer will be: USFW is tested and therefore enabled w R80.30+3.10 - anyone that needs it should use this version. We did fix issues to get there so lets not challenge other versions as we know they will have issues.

We may still decide for practical reasons to enable it in previous releases but it should be isolated, well verified, highly needed use case and I recommend to look at this as exception.

Soon R80.30+3.10 will be GA (potentially this month) so lets look forward and not waste our cycles on things we already solved

Re: R80.10 User-Mode Firewall and performance impact

Nicholas_Cuba — Tue, 21 May 2019 18:02:55 GMT

Hmm. We are running the EA R80.30 w/ 3.10 kernel on our production cluster of 4800s. cpprod_util FwIsUsermode gives a 0, which I am assuming means that USMF isn't enabled.

Re: R80.10 User-Mode Firewall and performance impact

Timothy_Hall — Wed, 22 May 2019 11:55:01 GMT

Run the command lsmod. If you see a single driver called fwmod in the output, USFW is active. If you see multiple instances of fw_X driver instead USFW is not enabled.

Re: R80.10 User-Mode Firewall and performance impact

Nicholas_Cuba — Wed, 22 May 2019 14:50:12 GMT

Thanks for the command to know for sure if USFW is enabled.

The lsmod does show the three fw workers, and no fwmod driver, so no USFW on this EA R80.30 build.

lsmod | grep fw
fw_2 45566636 54
fw_1 45566636 58
fw_0 45566636 110

fw ver
This is Check Point's software version R80.30 - Build 022

uname -r
3.10.0-693cpx86_64

Re: R80.10 User-Mode Firewall and performance impact

Timothy_Hall — Wed, 22 May 2019 18:04:39 GMT

Interesting, I was under the impression that USFW would be the default for R80.30+ with the 3.10 kernel. Perhaps there needs to be a minimum number of physical cores (like 40) present for it to be enabled by default? You only appear to have 4...

Re: R80.10 User-Mode Firewall and performance impact

Dorit_Dor — Wed, 22 May 2019 18:18:56 GMT

Its “by default” when there are MANY cores - today with less cores there is some benefits but also some “cost”.

in the future we will enable on less cores...

Re: R80.10 User-Mode Firewall and performance impact

Nicholas_Cuba — Wed, 22 May 2019 18:25:35 GMT

It's not a problem that our 4800's running the EA program don't have the USFW enabled; we signed up for EA, we'll run the EA code we're given.😉

I just wanted to provide a counterpoint showing USFW isn't always enabled by default on R80.30, EA with new kernel 3.10.

Re: R80.10 User-Mode Firewall and performance impact

PhoneBoy — Wed, 22 May 2019 22:51:03 GMT

To clarify, on platforms with 40 or more cores like the 23900, USFW will be enabled by default in R80.30-3.10.
USFW is required to utilize more than 40 cores.
You can enable it on other platforms with less cores, but it is not necessary.