topic Re: Lightspeed Under the Hood TechTalk: Video, Slides, and Q&A in Firewall and Security Management

Lightspeed Under the Hood TechTalk: Video, Slides, and Q&A

PhoneBoy — Thu, 21 Apr 2022 18:21:49 GMT

Here is the video recording:

Selected Q&A below.
Slides are attached.

What features does Lightspeed support on QLS/MLS appliances?

Currently, firewall only without VPN will be accelerated on the SmartNIC. Traffic that utilizes other blades will work the same as it does on other Quantum appliances without SmartNIC acceleration. We will share a list of working features in the initial phase with limitations. In later phases, we will support VPN acceleration and TLS encryption/decryption for SSL Inspection. We plan to support all features in Lightspeed.

Are the MLS appliances specific to Maestro?

QLS appliances can also be used with Maestro as well.

What code release do the QLS/MLS appliances run?

It will be the standard R81.10 release with a standard JHF in the first release, followed by R81.20.

Which QLS can be recommended as a replacement for a 5600?

QLS250 is the smallest appliance offered with the Lightspeed capability.

Are elephant flows an issue?

Firewall only elephant flows will not be an issue as it is accelerated in the SmartNIC.

When is VSX planned to be supported?

Target is Q3 2022.

How does acceleration on the NIC affect troubleshooting tools like tcpdump and fw monitor?

Currently, only tcpdump is supported for capturing packets. All other standard SecureXL troubleshooting should still apply.

Are the SmartNICs available for regular Quantum Security Gateways?

No, only on the QLS and MLS appliances.

Are all Inspection Settings supported in Lightspeed?

Only traffic that is fully accelerated by SecureXL, which would exclude many of the Inspection Settings.

Is there a roadmap to utilize VMware host connectX NICs to be mapped into the Checkpoint VM, so that the CloudGuard gateway could leverage VM Hosts ASICs?

This is under discussion, but no plans just yet.

What is the performance between different Lightspeed SmartNIC cards on the same appliance?

We can only accelerate traffic between ports on the same SmartNIC.

Is there a specification about Firewall Only Flows? For example, CIFS?

Firewall only means all connections that don't require deep packet inspection or additional parson. For example, if DCERPC is defined in the rulebase, we need to run additional protocol parsers and that traffic will not be accelerated. If it is an access rule for TCP port 445, that will will accelerated

If I understand right, the bond interfaces with ports on different cards don't work with full acceleration?

It will eventually be supported with SW hairpining.

How is NAT performed?

It works the same as it does with the regular SecureXL NAT acceleration, based on relevant rules and tables.

How do we view the Lightspeed accelerated flows?

It's the same as it is for regular SecureXL flows.

What is the target release for the SSL acceleration on QLS/MLS?

We are working on the integration with Nvidia and do not have a final date yet.

Are hit counters still available for security policy & nat policy for accelerated traffic?

Yes, as this information comes from SecureXL.

Is there any plan to integrate rulebase offloading or high-session rate protection into the SmartNIC cards?

Yes.

First packet will always go F2F for rulebase lookup, so no accept templating at Lightspeed level?

Correct, it should happen at the SIM driver (SecureXL) level.

Are there plans for Identity Awareness LDAP based rules to be supported by this?

This is already supported.

Are 1GB ports supported?

10GB ports support 1GB speeds, however this is not supported in the initial release.

Is it possible to manually drop an accelerated connection? (similar to: fw tab -t connections -x <VALUES>)

Yes.

Re: Lightspeed Under the Hood TechTalk: Video, Slides, and Q&A

Ruan_Kotze — Thu, 21 Apr 2022 06:35:52 GMT

Unfortunately I couldn't make the session yesterday, so I will post my question here:-)

Is the DLP blade supported? On the product catalogue I cannot add the blade and I see it's also not listed on the datasheet.

Re: Lightspeed Under the Hood TechTalk: Video, Slides, and Q&A

Nik_Bloemers — Thu, 21 Apr 2022 12:12:16 GMT

Is the video working for anyone? For me it just shows 'This video is currently being processed. Please try again in a few minutes.', but it's been like that for the last 6 hours.

Re: Lightspeed Under the Hood TechTalk: Video, Slides, and Q&A

Chris_Atkinson — Thu, 21 Apr 2022 12:17:15 GMT

Not currently, least not in an accelerated manner.

Re: Lightspeed Under the Hood TechTalk: Video, Slides, and Q&A

Ruan_Kotze — Thu, 21 Apr 2022 12:36:22 GMT

Thanks Chris, I understand that it would not be accelerated, but is it supported at all?

Re: Lightspeed Under the Hood TechTalk: Video, Slides, and Q&A

PhoneBoy — Thu, 21 Apr 2022 13:20:30 GMT

Traffic the SmartNIC cannot accelerate will be handled the same as it is on a regular Quantum appliance.
It will work but won’t be accelerated by the SmartNIC.

Re: Lightspeed Under the Hood TechTalk: Video, Slides, and Q&A

Ruan_Kotze — Thu, 21 Apr 2022 13:43:47 GMT

Appreciate the feedback! My questioned stemmed from the fact that I could not add the DLP blade as an option when building out a quote using the product catalog - looks like that is a glitch in there as opposed to a technical limitation, will reach out to the sales team.

Re: Lightspeed Under the Hood TechTalk: Video, Slides, and Q&A

Timothy_Hall — Thu, 21 Apr 2022 13:52:16 GMT

How does acceleration on the NIC affect troubleshooting tools like tcpdump and fw monitor?

Currently, only fw monitor is supported for capturing packets. All other standard SecureXL troubleshooting should still apply.

Isn't the correct answer to this question tcpdump and not fw monitor (either -e or -F) and not cppcap?

Re: Lightspeed Under the Hood TechTalk: Video, Slides, and Q&A

PhoneBoy — Thu, 21 Apr 2022 14:39:29 GMT

You're correct, I'll fix.

Re: Lightspeed Under the Hood TechTalk: Video, Slides, and Q&A

Martin_Raska — Thu, 26 Jan 2023 11:24:34 GMT

Hello,

could you please confirm this from admin guide:

The NVIDIA ConnectX 100G QSFP28 Ports accelerate the connections in hardware when packets are received on one NVIDIA ConnectX 100G QSFP28 Port and destined to go out another NVIDIA ConnectX 100G QSFP28 Port.

so traffic is accelerated only between two ports of NVIDIA card? Bond of those ports is supported?

And is supported to use QSFP+ 40Gb/s in NVIDIA card? The customer requires 40Gb not 100Gb.