
How does the Medium Path (PXL) and Content Inspection work with R80

 

What is the exact processing of the flow with CoreXL and SecureXL? How are the packages processed here?

 

Q: Why this question?
A: There are several articles in the forum that currently discuss this topic.

 

References to the articles:

Check Point Threat Prevention Packet Flow and Architecture - 09-04-2017 (Moti Sagey)

R80.x Security Gateway Architecture (Logical Packet Flow) - 07-28-2018 (Heiko Ankenbrand)

Simplified Packet Flow document - 08-06-2018 (Valeri Loukine)

Security Gateway Packet Flow and Acceleration - with Diagrams - 08-06-2018 (Valeri Loukine)

 

References to SK's:

SecureKnowledge: SecureXL 

SecureKnowledge: CoreXL 

 

To avoid confusing all users, I think we should clarify this in this article.

Thanks in advance

Heiko

33 Replies

I realized it was a bit of a stretch when I mentioned it, and I completely understand that limits need to be placed or information overflow will occur.

And yes the code base itself is for the most part not CP so it's almost a fringe component in that regard as well.

With all that being said, it is also one of the single most significant tuning points that exist under load testing. Shifting cores between SXL and CXL along with their affinity is a majority of the tuning process on a 64k. Sans locating misconfigurations, policy optimization and undocumented features it is the tuning process for 10GbE installations.

Given its importance, I had thought that noting its place in the chart might be worthy. As a logical diagram I would only assume some leeway would be given to not require multiple cores.

I also understand the need for keeping it simple.

-src

 

Sean Costello
Network Security Professional
SRC & Associates


Hi,

I agree with Costello Sean on many points. I like the 61K/64K systems and I am happy if I get a project. If we talk about 64K systems, we get one more level into the game. We would also have to discuss the connection between SSM and SGM. This happens via Distribution Mode (dxl). After this statement we could talk about 64K tuning. Let's do this in the 64K section of this CheckMates forum. I think it's good! I think that would go beyond the scope of this article.

---

Timothy Hall has already mentioned some good points!

CUT>>>

...

9) SoftIRQ run begins on SND/IRQ core

10) Process frames from ring buffer(s) and send to all registered receivers (i.e. SND, libpcap if tcpdump running)

11) Continue SoftIRQ run until all ring buffers are empty, maximum number of frames specified by net.core.netdev_budget (default 300) is reached, or two jiffies of time have elapsed

12) SoftIRQ run ends

<<<CUT

But what happens next? We should get back to the original theme:

How does the Medium Path (PXL) and Content Inspection work?

 

Regards

Heiko
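
Added example, not part of the original post or of any Check Point tooling: step 11 above says a SoftIRQ run can end on the net.core.netdev_budget or time limit while frames are still waiting. The Linux kernel counts those early exits per CPU in the third hex column (time_squeeze) of /proc/net/softnet_stat, so comparing two snapshots shows which cores hit the limit. The sample snapshots are constructed, and the row index is assumed to be the CPU number.

```python
# Constructed /proc/net/softnet_stat snapshots taken some seconds apart.
# Hex counters, one row per CPU; only the first three columns are used:
# processed frames, dropped frames, time_squeeze (run ended with work left).
SAMPLE_BEFORE = """\
0004a3f1 00000000 00000012 00000000 00000000 00000000 00000000 00000000 00000000
0001b2c0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000100 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
"""
SAMPLE_AFTER = """\
0004f211 00000000 0000001b 00000000 00000000 00000000 00000000 00000000 00000000
0001b6a8 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000164 00000003 00000000 00000000 00000000 00000000 00000000 00000000 00000000
"""


def parse_softnet_stat(text):
    """Return one (processed, dropped, time_squeeze) tuple per CPU row."""
    rows = []
    for line in (l for l in text.splitlines() if l.strip()):
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("unexpected softnet_stat row: %r" % line)
        rows.append(tuple(int(f, 16) for f in fields[:3]))
    return rows


def softirq_pressure(before, after):
    """List (cpu, frames, squeezes, drops) for CPUs whose counters grew.

    The counters are cumulative since boot, so only the difference between
    two snapshots says anything about the current load.
    """
    old, new = parse_softnet_stat(before), parse_softnet_stat(after)
    if len(old) != len(new):
        raise ValueError("snapshots cover a different number of CPUs")
    report = []
    for cpu, (b, a) in enumerate(zip(old, new)):
        frames, drops, squeezes = (x - y for x, y in zip(a, b))
        if squeezes > 0 or drops > 0:
            report.append((cpu, frames, squeezes, drops))
    return report


if __name__ == "__main__":
    for cpu, frames, squeezes, drops in softirq_pressure(SAMPLE_BEFORE, SAMPLE_AFTER):
        print("cpu%d: %d frames, %d early SoftIRQ exits, %d drops"
              % (cpu, frames, squeezes, drops))
```

On a live system the two inputs would be the contents of /proc/net/softnet_stat read at two points in time under load.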


It is possible to debug the PSL path with "fw ctl zdebug + tcpstr". I am not sure if you see 100% of the PXL path with this command.

Regards,

Heiko

Admin

Not 100%
One can see streaming decision and security decisions returned by the parsers