Employee+

User-Space firewall support for R80.30 3.10 and above

User-space Firewall (USFW) is a stable and mature infrastructure that allows Check Point Firewall instances to run in user-space mode. It has been used for several years now on VSX.

As such, Check Point decided to gradually move appliances to utilize USFW starting with R80.30 3.10.

The motivation for the USFW infrastructure development:

  • Support a large number of FW instances.
  • Quick process recovery upon a failure or a crash.
  • Faster development of new features.
  • Improve system traceability, reduce troubleshooting time.

 

FAQ:

Q: Which Security Gateways/Appliances can utilize USFW?
A: For the list of Security Gateways and appliances that support USFW, refer to sk167052.

Q: My Gateway is running only 4 cores / VM, why is my machine running in USFW?
A: USFW will gradually become the default mode in future releases; new appliance models are designed and shipped configured to use USFW as the default mode.

Q: Most of my traffic is handled through the SecureXL Fast path, will I benefit from USFW?   
A: SecureXL in USFW mode runs in kernel mode; traffic will be accelerated (in kernel) efficiently, similar to Kernel Mode.

Q: Is there any reason to switch back to Kernel mode?
A: Check Point is gradually transferring to USFW mode. It is preferred and best practice to keep the security GW in its default mode, yet it will be possible to switch to kernel mode – please see SK167052 for more details.

Q: How do I determine if the Security Gateway runs using USFW?
A: Run “cpprod_util FwIsUSFW” (1 = USFW).

Q: Does a USFW work the same as it works with VSX? Do the same limitations apply?
A: Although USFW is using a similar infrastructure as used with VSX, the limitations are different. Refer to sk167052 for USFW known limitations.  

 

For any additional questions, feel free to tag me in your USFW posts.

5 Replies

@shais, may you please clarify how USFW is affecting CPU usage? There were reports that on some appliances enabling USFW causes much higher processor utilization compared to KSFW.

0 Kudos

Just to mention that in theory with USFW enabled it should be possible to replace relevant fw modules without OS reboot 🙂

0 Kudos
Admin

@HristoGrigorov, what are you trying to say?

0 Kudos

@_Val_ I mean that it is possible to replace and reload user space binaries without OS reboot. With some downtime of course but still it will be much quicker. It is at least technologically possible. 

0 Kudos
Employee+

USFW should not impact the CPU. We've identified a few USFW-specific cases that cause excessive CPU utilization, and they were fixed and integrated into our Jumbo hotfixes.

If we still have such issues, please contact support and allow us to investigate the issue.

 

As for your input regarding replacement of FW modules without reboot: you are correct that USFW opens this possibility for us, and we are indeed taking this into consideration and validation.

0 Kudos