Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
HeikoAnkenbrand
Champion Champion
Champion

R80.x Security Gateway Architecture (Acceleration Card Offloading)

Introduction

 R80.20 and above offer many technical innovations regarding R77 and R80.10. I will look at the new Falcon Acceleration Cards in this article.

SecureXL is a software acceleration product installed on security gateways and new acceleration cards. Performance Pack uses SecureXL technology and other innovative network acceleration techniques to deliver wire-speed performance for security gateways. SecureXL is implemented either in software or in hardware:

  •       SAM cards on Check Point 21000 appliances
  •       ADP cards on IP Series appliances
  •       Falcon cards (new in R80.20) on different appliances

The SecureXL device minimizes the connections that are processed by the INSPECT driver.

Chapter

More interesting articles:

- R80.x Architecture and Performance Tuning - Link Collection
- Article list (Heiko Ankenbrand)

New acceleration Falcon architecture

The new acceleration Falcon architecture with R80.20+:

  • Low Latency
  • High Connections Rate
  • SSL Boost
  • Deep Inspection Acceleration
  • Modular Connectivity
  • Multible Acceleration modules
  • Falcon 1G (8x1 GbE), 10G (4x10 GbE) and 40G (2x40 GbE)
  • Compatible with 5900, 15000 & 23000 Appliance Series

What’s new in acceleration high level architecture:

  •         SecureXL on Acceleration Card (AC)
  •         Streaming over SecureXL
  •         Lite Parsers
  •         Async SecureXL
  •         Scalable SecureXL
  •         Acceleration stickiness
  •         Policy push acceleration
SecureXL architecture on Acceleration Card

R80.20 SecureXL adds support for Falcon cards to offloading from appliance to acceleration card leaving the appliance to do more.

Following features are offloaded to the acceleration card:

  •       SecureXL
  •       Streaming
  •       TLS encryption und decryption
  •       Parsers
  •       Pattern Matching

Following features are working on the host (appliance):

  •        Contexts
  •        Blades (incl. user space)
  •        Rule base
  •        Headers
  •        And more complex logic

    The following flowchart shows the new offloaded features of falcon architecture in pink.


Streaming – serves an important function in the NGTP software architecture. The streaming process creates an ordered packet stream and directly performs a number of security functions on the stream. NGTP can assemble packets into a stream in two ways, passive or active, depending on the nature of the traffic. Each has advantages and disadvantages. The passive mode (PSL) gives little opportunity for modifying the traffic stream. In contrast, the active mode can modify the connection. Active mode essentially proxies the TCP connection and is necessary when performing HTTPS inspection. Active streaming (CPAS) also facilitates timing and buffering when inspecting content such as large files. Keeping the goals of integrated, high security effectiveness and performance in mind, Check Point chose to provide the option to do passive and active streaming, which provides the best balance of security and optimized performance based on actual usage conditions.

Pattern Matcher - Security modules each have a distinct function and they register with the CMI to receive particular context types.

Parsers - Protocols include HTTP, SMTP, DNS, IMAP, Citrix, and many others. Protocol parser instances register with the streaming engine in order to receive ordered streams of data, both client-to-server (C2S) as well as server-to-client (S2C) streams.

TLS encoder/decoder - encrypt  and decrypt TLS sessions.

Acceleration Card Path

R80.20 acceleration cards provide three new acceleration flows:

  •         Host path
  •         Buffer path
  •         Inline path

 

Host Path - For non acceleration connections (eg. local connections) and connections on non acceleration card interface.

Buffer path - For HTTP requests, HTTP response headers and TLS handshakes.

Inline path - For HTTP response body (until 1st tier match) and TLS bulk encryption/ decryption.

References

R&D meeting Israel

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
16 Replies
Pablo_Montega
Contributor

Are Falcon cards available for pruchase?

Kim_Moberg
Advisor

Awsome Heiko. 


Technical functional descriptions provide one with better understanding of how it works. Keep up with these articles.


Looking forward to see the performance of those cards. Soon the be installed in EA program.


By the way. The 5800 appliance also support the falcon card.



Best Regards
Kim
PhoneBoy
Admin
Admin

Not yet, but check with your local office about participating in the Early Availability program for them.

Note that some of the details here about what the Falcon cards will support in the end may change, but a lot of the architecture to support these cards is present in R80.20.

Rolf_Kaschek
Contributor

Yes it is an intresting overview. Dose this mean  that SecureXL is used on the Falcon cards?

HeikoAnkenbrand
Champion Champion
Champion

Yep, SecureXL runs on acceleration card and host.

Regards,

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Sandro_Gerdel
Participant

Which appliance is supported for falcon cards.

Cheers,

Sandro

HeikoAnkenbrand
Champion Champion
Champion

Hi Sandro,

see this article:

Falcon Modules and R80.20 

Regards,

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Don_Paterson
Advisor
Advisor

Any idea when these cards will be available or any updates?

Will they be supported in VSX (R80.20 and 64-bit instances)?

Thanks,

Don

0 Kudos
PhoneBoy
Admin
Admin

The cards are in EA now and are expected to be released in the near future.

Don_Paterson
Advisor
Advisor

Thank you. Can customers still join? I am talking to a customer who is very interested in these cards.

Don_Paterson
Advisor
Advisor

Is the card slated to be supported for VSX in the first GA release?

PhoneBoy
Admin
Admin

Customers can still join the EA, yes--check with your local office.

And, as near as I can tell, they should support VSX.

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion

Compatible with 5900, 15000 & 23000 Appliance Series

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
HeikoAnkenbrand
Champion Champion
Champion

I'm testing it on a customer right now.
Is it possible to view the SecureXL settings on the Falcan card? Are there special CLI commands for this?

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Vato_Chantladze
Contributor
Contributor

Hi!

Great post!

The really interesting part is that R80.30 supports additional cipher suites what R80.20 does not. But in case you want to remain OS version but want to upgrade SSL offloading capabilities only, will it be possible to upgrade Falcon drivers for the new cipher suites?

BR

Vato

Daniel_Taney
Advisor

Does anyone know if the current GA release of R80.30 supports these cards natively? Or will the functionality have to be added later via HFA? 

I thought I had read that some HFA for R80.20 introduced support for them. Wasn't sure if this "made it" to R80.30?

R80 CCSA / CCSE

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events