This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jslimma_soloiro
Participant
‎2025-03-27 08:05 AM

Questions about User Mode and Kernel Mode

Hello everyone,

I have a question about which mode the cluster is working in. I will share my scenario with you.

My environment has a VSX (VSLS) cluster with 2 (two) VSs. I am on version R81.20 JHF 92. My appliance model is 9400 with 20 CPUs. My main VS has 14 dedicated CPU cores.

I am facing a performance problem in this main VS, where we have peaks of ~80% CPU and in some cases there is low network performance.

I was checking the acceleration section and came across the following information in cpview:

UPPAK Status Off (!)

I checked the SecureXL status and it shows the following information:

[Expert@fw1]# fwaccel stat
+---------------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features | +--------------------------------------------------------------------------------+
|0 |KPPAK* |enabled | |Acceleration,Cryptography |
| | | | | |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,3DES,DES,AES-128,AES-256,|
| | | | |ESP,LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256, |
| | | | |SHA384,SHA512 |
+--------------------------------------------------------------------------------+

* WARNING: (null).
* Disabled at: Tue Feb 25 08:41:35 2025
*Refer to sk179432 for more information.

Accept Templates : enabled
Drop Templates : enabled
NAT Templates : enabled
LightSpeed ​​Accel : disabled


[Expert@fw1]#

I noticed that the SecureXL operating mode is "Kernel Mode".

I checked the firewall CLI to make sure which mode is active and I saw that it was User Mode.


[Expert@fw1]# cpprod_util FwIsUsermode
1

1 = User Mode Firewall
0 = Kernel Mode Firewall

I also ran the fwaccel stat command on vs 0 and it showed the following information:

fwaccel stat
+---------------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+---------------------------------------------------------------------------------+
|0 |KPPAK* |enabled |Sync,Mgmt,eth1-05, |Acceleration,Cryptography |
| | | |eth1-01,eth1-06,eth1-02 | |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,3DES,DES,AES-128,AES-256,|
| | | | |ESP,LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256, |
| | | | |SHA384,SHA512 |
+--------------------------------------------------------------------------------+

* WARNING: SecureXL User Space Mode was disabled. Reason: .
* Disabled at: Tue Feb 25 08:41:35 2025
*Refer to sk179432 for more information.

Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled

The result above informs that User Space mode has been disabled but does not explain why.

I would like your help to better understand this information.

12 Replies
Timothy_Hall
MVP Gold
MVP Gold
‎2025-03-27 01:25 PM

I believe this is because you have a feature enabled that UPPAK does not support (sk179432 and sk32578 section 4) or the usim daemon has crashed repeatedly.  Anything in these directories?

  • /var/log/dump/usermode/usim*
  • /var/log/usim_crash/crash_list

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
jslimma_soloiro
Participant
‎2025-03-27 01:50 PM
In response to Timothy_Hall

Hi @Timothy_Hall 

I took a look at the two SKs you sent and did not identify any incompatibility with the enabled features. All the functions active in the gateway are supported.

Regarding the directories, I did not find any information:

ls -lha /var/log/dump/usermode/usim*
ls: cannot access /var/log/dump/usermode/usim*: No such file or directory

ls -lha /var/log/usim_crash/crash_list
ls: cannot access /var/log/usim_crash/crash_list: No such file or directory

Do you have any other suggestions to consider?

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2025-03-28 08:06 AM
In response to jslimma_soloiro

Strange that it is not reporting the reason UPPAK is disabled, does the date it was disabled roughly correlate with when the system was first booted up?  Curious to know if it disabled UPPAK around boot time (which I would assume means an incompatible feature was detected) or if UPPAK was enabled originally then got disabled (which could be due to instability).

Anything interesting in /var/log/usim_x86.elg, /var/log/messages, or $FWDIR/log/fwk.elg around the time it was reported as disabled?

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
jslimma_soloiro
Participant
‎2025-03-28 10:34 AM
In response to Timothy_Hall

Strange that it's not reporting the reason UPPAK is disabled, does the date it was disabled roughly correlate to when the system was first booted? Curious if it disabled UPPAK close to the time of boot (which I assume means an incompatible feature was detected) or if UPPAK was originally enabled and then disabled (which could be due to instability).

Anything interesting in /var/log/usim_x86.elg, /var/log/messages or $FWDIR/log/fwk.elg around the time it was reported as disabled?

Hi @Timothy_Hall 

I've attached a printout of the /var/log/usim_x86.elg and $FWDIR/log/fwk.elg files. At the end of the /var/log/usim_x86.elg file there seems to be some memory issue.

Preview file
492 KB
Preview file
574 KB
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2025-03-29 06:26 AM
In response to jslimma_soloiro

Hmm not sure those log files are useful, there is little documentation for the guts of UPPAK right now and you must have a Quantum Force or Lightspeed appliance to enable UPPAK (can't do it in VMware) so looks like it is time to get in touch with TAC.  Hopefully showing them this thread will help speed things along.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
jslimma_soloiro
Participant
‎2025-04-01 06:37 AM
In response to Timothy_Hall

I have opened a ticket with TAC and now i´m just waiting for a feedback.

0 Kudos
edgarp
Employee
Employee
‎2025-07-22 04:25 PM
In response to jslimma_soloiro

Hello @jslimma_soloiro 

Did you have any response from TAC?

I have a similar issue: Quantum Force 9700, VSX in cluster HA, SecureXL enabled in KPPAK with Firewall in User Space mode. 

Regards,

Edgar

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-07-22 07:40 PM
In response to edgarp

If your Jumbo level is the latest recommended please take it internally with TAC though HCP should typically help to highlight any crashes / coredumps.

The combination you've noted is not unexpected and could be the result of configuration in some cases (refer: sk167052 - just above the Note).

 

CCSM R77/R80/ELITE
_Val_
Admin
Admin
‎2025-07-23 12:40 AM
In response to edgarp

@edgarp  make sure your customer has a separate TAC case opened for that.

Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-03-27 03:42 PM

Just to clarify a point you'll see a table at the end of sk167052

KPPAK/UPPAK are different things from KSFW/USFW.

CCSM R77/R80/ELITE
jslimma_soloiro
Participant
‎2025-04-01 06:39 AM
In response to Chris_Atkinson

Ok @Chris_Atkinson 

I understand that it´s different and now i´m waiting for a feedback from TAC.

 

Thanks

0 Kudos
PhoneBoy
Admin
Admin
‎2025-03-28 03:04 PM

USFW effectively moves the firewall workers to userspace.
While we introduced USFW in the R80.x timeframe, it's been used for VSX since R75.40.
It's not the issue here.

UPPAK moves SecureXL itself into userspace.
For a detailed discussion, listen here: https://community.checkpoint.com/t5/CheckMates-Go-Cyber-Security/S07E03-What-is-UPPAK/ba-p/245115/ju... 
While it is expected to be the default mode/supported everywhere in upcoming versions, it is not supported everywhere in all situations currently.
Please review this SK for details: https://support.checkpoint.com/results/sk/sk32578 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events