HeikoAnkenbrand
Champion

R80.10 User-Mode Firewall and performance impact


A question to the R&D.

When I switch a firewall from kernel mode to user mode, does this have a performance impact?

Is it better for the performance to enable user mode on  a firewall or not?

Does it make sense to enable user mode even for a few cores?

Enable user mode:

> cpprod_util FwSetUsermode 1
> reboot

More to user mode here:

How to enable USFW (User-Mode Firewall) on a 23900 appliance

➜ CCSM Elite, CCME, CCTE
15 Replies
Timothy_Hall
Champion

While there is always a performance penalty for making a transition from kernel space to process/user space, the ability to add cores beyond the kernel memory imposed limit of 40 via CoreXL may mitigate it.  Sounds to me like the answer will be "it depends".  🙂 


Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
HeikoAnkenbrand
Champion

Hi @Timothy_Hall,

I have several HP DL380 G10 servers in the lab for a project. I'll run some performance tests in the next days.

1) I will install package generators on 3 servers with 10GBit network cards and simulate mixed traffic.
2) And 3 servers as packet destination.
3) Firewall with two 10 GBit network cards.

Then I can play a little bit in the lab with:

- user mode vs. kernel mode
- multi queueing on and off
- rulebase with 20 rules versus 1000 rules
- SecureXL on and off
- all blades on vs. fw and ips only
- 32 bit os vs. 64 bit OS

I always wanted to do that :-)


PhoneBoy
Admin

In R80.20, there is only 64bit OS.
At least from what I was told by R&D, there probably won't be a performance benefit to using usermode firewall on a system with less than 40 cores.
_Val_
Admin

Not immediate performance benefits, but capacity should be higher than in kernel mode for a huge number of connections, since we are no longer limited by kernel memory for keeping all kernel tables there.

phlrnnr
Advisor

It appears USFW mode will be enabled by default starting in R80.30 (per sk149973).  So, it seems that Checkpoint is counting on it performing better than kernel mode.  That article is specific to the 23900, but it doesn't say that USFW will only be enabled by default on the 23900.  The statement only says it will be the default for R80.30.

Dorit_Dor
Employee

R80.30 with kernel 3.10, which is in EA, comes with USFW enabled. Multiple different reasons drive better performance there, but it doesn't translate to performing better on R80.10 and Gaia. In fact we fixed multiple issues in the release, which is why it wasn't the default before. If you are interested, use the EA version as it's near GA (consider it a release candidate).

There are different benefits of USFW that we will document over time. It specifically performs better with many cores, but it has benefits on all platforms.


phlrnnr
Advisor

So, would you only recommend USFW on R80.30, and leave it disabled on R80.20 and below?  If you had to deploy a new 23900 cluster with R80.20 on it running NGTX blades, would you enable USFW to get access to the 'extra' cores?

Dorit_Dor
Employee

My own answer will be: USFW is tested and therefore enabled with R80.30+3.10 - anyone that needs it should use this version. We did fix issues to get there, so let's not challenge other versions as we know they will have issues.

We may still decide for practical reasons to enable it in previous releases, but it should be an isolated, well verified, highly needed use case, and I recommend looking at this as an exception.

Soon R80.30+3.10 will be GA (potentially this month), so let's look forward and not waste our cycles on things we already solved.

Nicholas_Cuba
Contributor

Hmm. We are running the EA R80.30 w/ 3.10 kernel on our production cluster of 4800s. cpprod_util FwIsUsermode gives a 0, which I am assuming means that USFW isn't enabled.

Timothy_Hall
Champion

Run the command lsmod. If you see a single driver called fwmod in the output, USFW is active. If you see multiple instances of the fw_X driver instead, USFW is not enabled.

Nicholas_Cuba
Contributor

Thanks for the command to know for sure if USFW is enabled.

The lsmod does show the three fw workers and no fwmod driver, so no USFW on this EA R80.30 build.

lsmod | grep fw
fw_2 45566636 54
fw_1 45566636 58
fw_0 45566636 110

fw ver
This is Check Point's software version R80.30 - Build 022

uname -r
3.10.0-693cpx86_64

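A small check that applies the lsmod rule from Timothy_Hall's reply to output like the one posted above; this is an added example, not code from the thread or from Check Point. It assumes only the module names the thread gives (a single fwmod driver versus several fw_N workers) and uses constructed sample lsmod lines.

```shell
#!/bin/sh
# Added example: decide whether a Check Point gateway runs USFW by applying
# the rule from the thread to `lsmod` output:
#   - a single "fwmod" driver           -> user-mode firewall (USFW) active
#   - several "fw_<N>" worker drivers   -> classic kernel-mode CoreXL workers
# Anything else (neither, or both) is reported as "unknown" so a script does
# not silently assume a mode.  On the gateway itself, cross-check the result
# with `cpprod_util FwIsUsermode` (1 = user mode, 0 = kernel mode).
#
# usage: lsmod | usfw_mode_from_lsmod     -> prints usfw | kernel | unknown

usfw_mode_from_lsmod() {
    fwmod=0
    workers=0
    # lsmod columns: Module  Size  Used by [modules]
    while read -r name _size _used _rest; do
        case "$name" in
            fwmod)      fwmod=$((fwmod + 1)) ;;
            fw_[0-9]*)  workers=$((workers + 1)) ;;
        esac
    done
    if [ "$fwmod" -eq 1 ] && [ "$workers" -eq 0 ]; then
        echo kernel >/dev/null; echo usfw
    elif [ "$fwmod" -eq 0 ] && [ "$workers" -ge 1 ]; then
        echo kernel
    else
        echo unknown
    fi
}

# Constructed sample, modelled on the kernel-mode output posted above
# (three fw_X workers, no fwmod).
SAMPLE_KERNEL_MODE='Module                  Size  Used by
fw_2                45566636  54
fw_1                45566636  58
fw_0                45566636  110'

# Constructed sample of what the rule expects in user mode (size is made up).
SAMPLE_USER_MODE='Module                  Size  Used by
fwmod                1234567  2'

printf '%s\n' "$SAMPLE_KERNEL_MODE" | usfw_mode_from_lsmod   # kernel
printf '%s\n' "$SAMPLE_USER_MODE"   | usfw_mode_from_lsmod   # usfw
```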
Timothy_Hall
Champion

Interesting, I was under the impression that USFW would be the default for R80.30+ with the 3.10 kernel.  Perhaps there needs to be a minimum number of physical cores (like 40) present for it to be enabled by default?  You only appear to have 4...

Dorit_Dor
Employee

It's “by default” when there are MANY cores - today with fewer cores there are some benefits but also some “cost”.

In the future we will enable it on fewer cores...

Nicholas_Cuba
Contributor

It's not a problem that our 4800s running the EA program don't have USFW enabled; we signed up for EA, we'll run the EA code we're given. 😉

I just wanted to provide a counterpoint showing USFW isn't always enabled by default on R80.30 EA with the new kernel 3.10.

PhoneBoy
Admin

To clarify, on platforms with 40 or more cores like the 23900, USFW will be enabled by default in R80.30-3.10.
USFW is required to utilize more than 40 cores.
You can enable it on other platforms with fewer cores, but it is not necessary.