Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
HeikoAnkenbrand
Champion Champion
Champion

How does the Medium Path (PXL) and Content Inspection work with R80

 

What is the exact processing of the flow with CoreXL and SecureXL? How are the packages processed here?

 

Q: Why this question?
A: There are several articles in the forum that currently discuss this thema.

 

References to the articles:

Check Point Threat Prevention Packet Flow and Architecture - 09-04-2017 (Moti Sagey )

R80.x Security Gateway Architecture (Logical Packet Flow) - 07-28-2018 ( Heiko Ankenbrand )

Simplified Packet Flow document - 08-06-2018 ( Valeri Loukine )

Security Gateway Packet Flow and Acceleration - with Diagrams - 08-06.2018 (Valeri Loukine )

 

References to SK's:

SecureKnowledge: SecureXL 

SecureKnowledge: CoreXL 

 

To avoid confusing all users, I think we should clarify this in this article.

Thanks in advance

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
33 Replies
Costello_Sean
Explorer

I realized it was a bit of a streatch when I mentioned it, and I completely understand that limits need to be placed or information over flow will occur.  

And yes the code base itself if for the most part not CP so it's almost a fringe component in that regard as well.

With all that being said, it is also one of the single most significant tuning point that exist under load testing.  Shifting cores between SXL and CXL along with their affinity is a majority of the tuning process on a 64k. Sans locating misconfigurations, policy optimization and undocumented features it is the tuning process for 10GbE installations.

Given its importance, I had thought that noting its place in the chart night be worthy.  As a logical diagram I would only assume some leway would be given to not require multiple cores.

I also understand the need for keeping it simple.

-src

 

Sean Costello
Network Security Professional
SRC & Associates

HeikoAnkenbrand
Champion Champion
Champion

Hi,

I Agree with Costello Sean in many points. I like the 61K/64K systems and I am happy if I get a project. If we talk about 64K systems, we get one more level into the game. We would also have to discuss the connection between SSM and SGM. This happens via Distribution Mode (dxl). After this statement we could talk about 64K tunning. Let's do this in the 64K section of this checkmates forum. I think it's good! I think that would go beyond the scope of this article.

---

Timothy Hall has already mentioned some good points!

CUT>>>

...

9)SoftIRQ run begins on SND/IRQ core

10) Process frames from ring buffer(s) and send to all registered receivers (i.e. SND, libpcap if tcpdump running)

11) Continue SoftIRQ run until all ring buffers are empty, maximum number of frames specified by net.core.netdev_budget (default 300) is reached, or two jiffies of time have elapsed

12) SoftIRQ run ends

<<<CUT

But what happens next? We should get back to the original theme:

How does the Medium Path (PXL) and Content Inspection work?

 

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
HeikoAnkenbrand
Champion Champion
Champion

It is possible to debug the PSL path with „fw ctl zdebug + tcpstr“. I am not sure if you see 100% from PXL path with this command.

Regards,

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
_Val_
Admin
Admin

Not 100%
One can see streaming decision and security decisions returned by the parsers

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events