Young_Wook_Choi
Contributor

Are there any use cases for the 23800 model as USFW?

 

Hello,

Are there any use cases for the 23800 model as USFW?

The 23500/23800 models have SMT (HyperThreading) enabled by default. However, USFW mode is disabled.

I recently upgraded to version R80.40.
(I did a clean install.)

SMT is active, but it is installed with Kernel Mode firewall.

I want to use more than 40 Cores as Workers using Dynamic Balancing, but I can't do that because it is a Kernel Mode firewall.

I want to change this to USFW mode, but I am careful because the default setting is Kernel Mode.

Do you have any use case in USFW mode? (23500/23800 appliance)

I am wondering why the above two models operate as a Kernel Mode firewall by default.

6 Replies
PhoneBoy
Admin

USFW should be enabled by default on the 23800 because it has more than 40 cores with SMT enabled.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
The fact it’s not probably should be brought up through a TAC case.
Meanwhile, you should safely be able to enable it.

Timothy_Hall
Champion

Actually I believe kernel mode firewall is expected default behavior for a 23800 (48-core w/ SMT), while the 23900 (72-core w/ SMT) is the lone exception among the 2012 appliance series that has USFW enabled by default.  Please see my post here which resulted from a chat with R&D:

https://community.checkpoint.com/t5/General-Topics/USFW-on-appliances-with-less-than-40-cores/m-p/86...

As to why USFW is not enabled by default on the 23800, my guess is that the resources of the extra 4 physical cores (8 w/ SMT) above 40 made available by USFW being enabled are not sufficient to overcome the roughly 20% performance reduction when USFW is active vs. the original kernel mode. Obviously it is worth it on a 23900 where an extra 32 cores become usable with USFW beyond the 40-core kernel mode limitation.

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
Young_Wook_Choi
Contributor

Hi,

I think the same way.
But see sk167052.
For 23500 models, USFW is disabled by default from R80.40 and higher. (The 23800 model is not even mentioned at all.)

What could be the reason?

111.jpg

222.jpg

 


Any toy with 40+ cores should have USFW enabled by default. I think it is clearly stated in the table above. I think you will not suffer from that 20% performance penalty because USFW was improved in R80.40 (assuming latest JHF is installed). This needs to be re-evaluated if you ask me.

shais
Employee

Hi,

sk167052 is constantly updated with appliances that passed our certification and may move to USFW.

23500/23800 are not yet on the list, but they did pass the certification from our side and can be moved to USFW if needed. (I will make sure to update the SK as well.)

As for performance impact, indeed R80.40 contains some improvements, and it is highly suggested to upgrade to the latest hotfix, as we are constantly updating our jumbo with USFW performance improvements.

Nir_Shamir
Employee

Hi,

I have a customer asking about it, and I see that the SK is still not updated with the 23800 / 23500 appliances.

So is it safe to activate USFW on the 23800? And can we update the SK?

Thanks.
