
R80.x - Performance Tuning Tip – User Mode Firewall vs. Kernel Mode Firewall

 
What is a User Mode Firewall?


In Kernel Mode Firewall (KMFW), the maximum number of running cores is limited to 40 because of the Linux/Intel limitation of 2GB of kernel memory, and because the CoreXL architecture needs to load a large driver (~42MB) dozens of times (according to the number of CPUs, up to 40 times). Newer platforms with more than 40 cores, e.g., 23900 or open servers, are therefore not fully utilized.

The solution to this problem is to run the firewall in the user mode of the Linux operating system.

USFW (“User Space Firewall”), also called UMFW (“User Mode Firewall”), is based on proven VSX code. This mode was introduced in R80.10.

According to SK, the UMFW is enabled from R80.30 by default and is customized via the installation process. To confirm this I called a friend (he's an HP dealer) and asked him if he had an HP DL380 with more than 40 cores in his company :-) Two hours later we were sitting in his lab and installed R80.30 on this system. If the info is not correct, please let me know and I will change it in the article.

Result:

| GAIA version / Kernel / Cores | Firewall mode | Check |
|---|---|---|
| R80.30, kernel 3.10, more than 35* cores | UMFW is enabled | checked on HP DL 380 G10, 2 * Platinum 8180M Processor, 28 cores = 56 cores |
| R80.30, kernel 3.10, less than 35* cores | KMFW is enabled | checked on HP DL 380 G10, 1 * Platinum 8180M Processor, 28 cores |
| R80.30, kernel 2.6 | KMFW is enabled | checked on VMWare with 30 cores and with 46 cores |
| R80.40 EA (default 3.10 kernel) | UMFW is enabled by default | checked on VMWare with 4 cores |


*) It could be 40 cores. We are in the middle of a discussion on this topic. Read more here: 
    High CPU utilization during process fwk0_dev_0 (UMFW vs. KMFW) 

Threads of process fwk0_dev_0


From a performance point of view I could not see any differences between UMFW and KMFW. I noticed that the process fwk0_dev_0 generates a very high CPU load in the UMFW. My guess as to the purpose of the fwk0_dev_0 is that it acts as the liaison between the multiple fwk firewall worker processes (fw instance thread that takes care of packet processing) and the single fwmod kernel driver instance and the process for high priority cluster thread.

If you want to change the mode from UMFW to KMFW, this can be done by changing the registry parameter FwIsUsermode with the cpprod_util command. In UMFW the fw instances are threads of the fwk0_dev_0 process, so by default top shows the CPU utilization of all threads under the main thread. top also has an option to show the utilization per thread.

A small calculation sample for the utilization of process fwk0_dev_0:

$$\mathrm{fwk0\_dev\_0} = \sum_{x=0}^{\mathrm{max\_CoreXL\_number}} \mathrm{fwk0\_x} + \sum_{x=0}^{\mathrm{max\_CoreXL\_number}} \mathrm{fwk0\_dev\_x} + \mathrm{fwk0\_kissd} + \mathrm{fwk0\_hp}$$

Threads of process fwk0_dev_0:

- fwk0_X -> fw instance thread that takes care of packet processing
- fwk0_dev_X -> the thread that takes care of communication between fw instances and other CP daemons
- fwk0_kissd -> legacy Kernel Infrastructure (obsolete)
- fwk0_hp -> (high priority) cluster thread

Note:
UMFW is not supposed to run with less than 35 cores in R80.10, R80.20 and R80.30

R80.30

In R80.30 with kernel 3.10, open servers always load in USFW mode. If the open server has less than 35 fw instances, it’s safe to move to kernel mode even on R80.30 with kernel 3.10.

The number of fw instances is derived from the number of cores on the server and the number of cores defined by the license.

R80.40+

With R80.40 EA the UMFW is always active by default on kernel 3.10.

Tip

 

Tip 1 - To make sure that UMFW is activated, run the following command



# cpprod_util FwIsUsermode

1 = User Mode Firewall
0 = Kernel Mode Firewall

Tip 2 - enable or disable the “User Mode Firewall”


Follow sk149973

Tip 3 - Switch to Kernel Mode Firewall, do the following

 
Note:
UMFW is not supposed to run with less than 40 cores in R80.10, R80.20 and R80.30

1) Run the following clish commands:
    # cpprod_util FwSetUsFwmachine 0
    # cpprod_util FwSetUsermode 0
2) Edit the boot.conf file (vi $FWDIR/boot/boot.conf) with the following:
    KERN_INSTANCE_NUM 40
3) Reboot.

Tip 4 - Switch to User Mode Firewall, do the following

 
1) Run the following clish commands:
    # cpprod_util FwSetUsFwmachine 1
    # cpprod_util FwSetUsermode 1
2) Edit the boot.conf file (vi $FWDIR/boot/boot.conf) with the following:
    KERN_INSTANCE_NUM 62
3) Reboot.

Tip 5 - Show thread utilization of process fwk0_dev_0

 


1) Find the process ID of process fwk0_dev_0:

# top

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
10219 admin 0 -20 1070m 449m 134m S 2 24.0 0:17.19 fwk0_dev_0

2) Now check the utilization of the threads:

# top -Hbn1 -p 10219

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
10219 admin 0 -20 1070m 449m 134m S 0 24.0 0:03.49 fwk0_dev_0
10220 admin 0 -20 1070m 449m 134m S 0 24.0 0:00.00 fwk0_kissd
10436 admin 0 -20 1070m 449m 134m S 0 24.0 0:00.57 fwk0_0
10437 admin 0 -20 1070m 449m 134m S 0 24.0 0:00.64 fwk0_1
10438 admin 0 -20 1070m 449m 134m S 0 24.0 0:00.67 fwk0_2
10439 admin 0 -20 1070m 449m 134m S 0 24.0 0:00.80 fwk0_3
10440 admin RT -20 1070m 449m 134m S 0 24.0 0:00.76 fwk0_hp
10441 admin 0 -20 1070m 449m 134m S 0 24.0 0:00.15 fwk0_dev_1
10442 admin 0 -20 1070m 449m 134m S 0 24.0 0:00.09 fwk0_dev_2
10443 admin 0 -20 1070m 449m 134m S 0 24.0 0:00.09 fwk0_dev_3


More interesting articles:

- R80.x Architecture and Performance Tuning - Link Collection
- Article list (Heiko Ankenbrand)
- High CPU utilization during process fwk0_dev_0 (UMFW vs. KMFW) 

Copyright by Heiko Ankenbrand 1996-2020
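
Added example (not part of the original article and not Check Point code): a shell function that applies the article's calculation sample to `top -Hbn1 -p <PID>` output, summing %CPU per thread role and naming the busiest fw instance thread. The function names and the %CPU values in the sample are constructed for illustration; the thread names follow the list in the article.

```shell
#!/bin/bash
# Added example, not Check Point code. Function names are hypothetical.

# Constructed sample in the format of `top -Hbn1 -p <PID>`; the thread names
# follow the article, the %CPU values are made up for illustration.
sample_top_output() {
cat <<'EOF'
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
10219 admin 0 -20 1070m 449m 134m S 3.0 24.0 0:03.49 fwk0_dev_0
10220 admin 0 -20 1070m 449m 134m S 0.0 24.0 0:00.00 fwk0_kissd
10436 admin 0 -20 1070m 449m 134m S 41.5 24.0 0:00.57 fwk0_0
10437 admin 0 -20 1070m 449m 134m S 38.0 24.0 0:00.64 fwk0_1
10438 admin 0 -20 1070m 449m 134m S 12.5 24.0 0:00.67 fwk0_2
10439 admin 0 -20 1070m 449m 134m S 9.0 24.0 0:00.80 fwk0_3
10440 admin RT -20 1070m 449m 134m S 1.5 24.0 0:00.76 fwk0_hp
10441 admin 0 -20 1070m 449m 134m S 0.5 24.0 0:00.15 fwk0_dev_1
10442 admin 0 -20 1070m 449m 134m S 0.5 24.0 0:00.09 fwk0_dev_2
10443 admin 0 -20 1070m 449m 134m S 0.0 24.0 0:00.09 fwk0_dev_3
EOF
}

# Reads per-thread top output on stdin and prints one summary line.
summarize_fwk_threads() {
  LC_ALL=C awk '
    # Header line: remember which columns hold %CPU and the thread name.
    $1 == "PID" {
      for (i = 1; i <= NF; i++) { if ($i == "%CPU") c = i; if ($i == "COMMAND") n = i }
      next
    }
    # Thread lines start with a numeric PID; top summary lines are skipped.
    c && n && $1 ~ /^[0-9]+$/ {
      name = $n; cpu = $c + 0
      if      (name ~ /^fwk0_dev_[0-9]+$/) role = "dev"     # fwk0_dev_X
      else if (name ~ /^fwk0_kissd$/)      role = "kissd"
      else if (name ~ /^fwk0_hp$/)         role = "hp"
      else if (name ~ /^fwk0_[0-9]+$/)     role = "worker"  # fwk0_X
      else next
      sum[role] += cpu; total += cpu
      if (role == "worker" && cpu > max) { max = cpu; busy = name }
    }
    END {
      if (busy == "") busy = "none"
      printf "worker=%.1f dev=%.1f kissd=%.1f hp=%.1f total=%.1f busiest=%s:%.1f\n",
             sum["worker"], sum["dev"], sum["kissd"], sum["hp"], total, busy, max
    }'
}

sample_top_output | summarize_fwk_threads
```

On a gateway, the same function can read live output: `top -Hbn1 -p <PID> | summarize_fwk_threads`.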

2 Replies

Re: R80.x - Performance Tuning Tip – User Mode Firewall vs. Kernel Mode Firewall

Nice information.

I have the problem with high CPU usage of the process fwk0_dev_0.

You can read more in this article:

 

Re: R80.x - Performance Tuning Tip – User Mode Firewall vs. Kernel Mode Firewall

All information from the article High CPU utilization during process fwk0_dev_0 (UMFW vs. KMFW) added.
