This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Young_Wook_Choi
Contributor
‎2020-12-29 07:30 PM

Are there any use cases for the 23800 model as USFW?

 

Hello,

Are there any use cases for the 23800 model as USFW?

The 23500/23800 models have SMT (HyperThreading) enabled by default. However, USFW mode is disabled.

I recently upgraded to version R80.40.
(I did a clean install.)

SMT is active, but it is installed with Kernel Mode firewall.

I want to use more than 40 Cores as Workers using Dynamic Balancing, but I can't do that because it is a Kernel Mode firewall.

I want to change this to USFW mode, but I am careful because the default setting is Kernel Mode.

Do you have any use case in USFW mode? (23500/23800 appliance)

I am wondering why the above two models operate as a Kernel Mode firewall by default.

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2020-12-29 07:59 PM

USFW should be enabled by default on the 23800 because it has more than 40 cores with SMT enabled.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
The fact it’s not probably should be brought up through a TAC case.
Meanwhile, you should safely be able to enable it.

Timothy_Hall
Legend Legend
Legend
‎2020-12-29 08:50 PM
In response to PhoneBoy

Actually I believe kernel mode firewall is expected default behavior for a 23800 (48-core w/ SMT), while the 23900 (72-core w/ SMT) is the lone exception among the 2012 appliance series that has USFW enabled by default.  Please see my post here which resulted from a chat with R&D:

https://community.checkpoint.com/t5/General-Topics/USFW-on-appliances-with-less-than-40-cores/m-p/86...

As to why USFW is not enabled by default on the 23800, my guess is that the resources of the extra 4 physical cores (8 w/ SMT) above 40 made available by USFW  being enabled is not sufficient to overcome the roughly 20% performance reduction when USFW is active vs. the original kernel mode.  Obviously it is worth it on a 23900 where an extra 32 cores become usable with USFW beyond the 40-core kernel mode limitation.

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
Young_Wook_Choi
Contributor
‎2020-12-29 08:57 PM
In response to PhoneBoy

Hi,

I think the same way.
But see sk167052.
For 23500 models, USFW is disabled by default from R80.40 and higher. (The 23800 model is not even mentioned at all.)

What could be the reason?

111.jpg

222.jpg

 

0 Kudos
HristoGrigorov
Mentor
Mentor
‎2020-12-29 09:32 PM

Any toy with 40+ cores should have USFW enabled by default. I think it is clearly stated in the table above. I think you will not suffer from that 20% performance penalty because USFW was improved in R80.40 (assuming latest JHF is installed). This needs to be re-evaluated if you ask me.

shais
Employee
Employee
‎2020-12-30 01:17 AM

Hi,

sk167052 is constantly updated with appliances that passed our certification and may move to USFW.

23500/23800 are not yet on the list but they did pass the certification from our side and can be moved to USFW if needed (I will make sure to update the SK as well)

As for performance impact, indeed R80.40 contain some improvements and it is highly suggested to upgrade to latest hotfix as we contently updating our jumbo with USFW performance improvement

Nir_Shamir
Employee Employee
Employee
‎2021-05-06 03:01 AM
In response to shais

Hi,

I have a customer asking about it and I see that the SK is still no updates with 23800 / 23500 appliances.

so is it safe to activate USFW on 23800 ? and can we update the SK ?

thanks.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top