A question to the R&D.
When I switch a firewall from kernel mode to user mode, does this have a performance impact?
Is it better for the performance to enable user mode on a firewall or not?
Does it make sense to enable user mode even for a few cores?
Enable user mode:
> cpprod_util FwSetUsermode 1
More on user mode here:
While there is always a performance penalty for making a transition from kernel space to process/user space, the ability to add cores beyond the kernel memory imposed limit of 40 via CoreXL may mitigate it. Sounds to me like the answer will be "it depends". 🙂
I have several HP DL380 G10 servers in the lab for a project. I'll run some performance tests in the next few days.
1) I will install package generators on 3 servers with 10GBit network cards and simulate mixed traffic.
2) And 3 servers as packet destination.
3) Firewall with two 10 GBit network cards.
Then I can play a little bit in the lab with:
- user mode vs. kernel mode
- multi queueing on and off
- rulebase with 20 rules versus 1000 rules
- SecureXL on and off
- all blades on vs. fw and ips only
- 32-bit OS vs. 64-bit OS
I always wanted to do that :-)
Not immediate performance benefits, but capacity should be higher than in kernel mode for a huge number of connections, since we are no longer limited by kernel memory for keeping all kernel tables there.
It appears USFW mode will be enabled by default starting in R80.30 (per sk149973). So, it seems that Check Point is counting on it performing better than kernel mode. That article is specific to the 23900, but it doesn't say that USFW will only be enabled by default on the 23900. The statement only says it will be the default for R80.30.
R80.30 with kernel 3.10, which is in EA, comes with USFW enabled. Multiple different reasons drive better performance there, but it doesn't translate to performing better on R80.10 and Gaia. In fact we fixed multiple issues in the release, which is why it wasn't the default before. If you are interested, use the EA version as it's near GA (consider it a release candidate).
There are different benefits of USFW that we will document over time. It specifically performs better with many cores, but it has benefits on all platforms.
So, would you only recommend USFW on R80.30, and leave it disabled on R80.20 and below? If you had to deploy a new 23900 cluster with R80.20 on it running NGTX blades, would you enable USFW to get access to the 'extra' cores?
My own answer will be: USFW is tested and therefore enabled with R80.30+3.10; anyone that needs it should use this version. We did fix issues to get there, so let's not challenge other versions as we know they will have issues.
We may still decide for practical reasons to enable it in previous releases, but it should be an isolated, well-verified, highly needed use case, and I recommend looking at this as an exception.
Soon R80.30+3.10 will be GA (potentially this month), so let's look forward and not waste our cycles on things we already solved.
Hmm. We are running the EA R80.30 w/ 3.10 kernel on our production cluster of 4800s. cpprod_util FwIsUsermode gives a 0, which I am assuming means that USFW isn't enabled.
Run the command lsmod. If you see a single driver called fwmod in the output, USFW is active. If you see multiple instances of fw_X driver instead USFW is not enabled.
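An added example, not from the thread: a small POSIX shell check that applies the rule above to saved lsmod output (a single fwmod module means USFW is on; fw_0, fw_1, ... workers mean kernel mode) and cross-checks the verdict against the value cpprod_util FwIsUsermode reports. The function names and the sample lsmod lines are constructed for this example; on a gateway you would pass "$(lsmod)" and the real FwIsUsermode value.

```shell
#!/bin/sh
# usfw_state LSMOD_OUTPUT -> prints "usfw", "kernel" or "unknown"
# Column 1 of lsmod is the module name; the "Module Size Used by" header
# line matches neither pattern and is ignored.
usfw_state() {
    fwmod=$(printf '%s\n' "$1" | awk '$1 == "fwmod" {n++} END {print n+0}')
    workers=$(printf '%s\n' "$1" | awk '$1 ~ /^fw_[0-9]+$/ {n++} END {print n+0}')
    if [ "$fwmod" -eq 1 ] && [ "$workers" -eq 0 ]; then
        echo usfw        # one user-space firewall module loaded
    elif [ "$workers" -gt 0 ] && [ "$fwmod" -eq 0 ]; then
        echo kernel      # per-core kernel workers fw_0, fw_1, ...
    else
        echo unknown     # neither or both: do not trust the result
    fi
}

# usfw_consistent LSMOD_OUTPUT FWISUSERMODE_VALUE -> "consistent" or "mismatch"
# Compares the lsmod verdict with the 0/1 that `cpprod_util FwIsUsermode` prints.
usfw_consistent() {
    state=$(usfw_state "$1")
    case "$state:$2" in
        usfw:1|kernel:0) echo consistent ;;
        *)               echo mismatch ;;
    esac
}

# Constructed samples (hypothetical sizes/use counts) for running offline.
SAMPLE_KERNEL='Module                  Size  Used by
fw_2                45566636  54
fw_1                45566636  58
fw_0                45566636  110'
SAMPLE_USFW='Module                  Size  Used by
fwmod               45566636  12'

# On a real gateway:
#   usfw_state "$(lsmod)"
#   usfw_consistent "$(lsmod)" "$(cpprod_util FwIsUsermode)"
```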
Thanks for the command to know for sure if USFW is enabled.
lsmod does show the three fw workers, and no fwmod driver, so no USFW on this EA R80.30 build.
lsmod | grep fw
fw_2 45566636 54
fw_1 45566636 58
fw_0 45566636 110
This is Check Point's software version R80.30 - Build 022
Interesting, I was under the impression that USFW would be the default for R80.30+ with the 3.10 kernel. Perhaps there needs to be a minimum number of physical cores (like 40) present for it to be enabled by default? You only appear to have 4...
It's "by default" when there are MANY cores. Today, with fewer cores, there are some benefits but also some "cost".
In the future we will enable it on fewer cores...
It's not a problem that our 4800's running the EA program don't have the USFW enabled; we signed up for EA, we'll run the EA code we're given.😉
I just wanted to provide a counterpoint showing USFW isn't always enabled by default on the R80.30 EA with the new kernel 3.10.