This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
shavat_zalpuri
Explorer
‎2019-10-17 12:54 AM
Jump to solution

Need help in understanding multi core vpn in r 80.x

Hi All,

 

It owuuld be great help if you can help me in providing a document which will give me in detail information of multi core vpn in r80.X.

 

Different vpn types and on different cores.

 

Regards,

shavat Zalpuri

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2019-10-17 05:45 AM
Jump to solution

@Tal_Paz-Fridman gave you the authoritative SK articles for the multicore IPSec VPN feature, and below is an excerpt about it from my Max Power book.  Generally the only direct way you'd even suspect multicore VPN was active would be when taking a capture with fw monitor which would show the new e & E capture points as originally discussed here: https://community.checkpoint.com/t5/Logging-and-Reporting/fw-monitor-inspection-point-e-or-E/m-p/128...

 

 

Click to Expand

R80.10: MultiCore IPSec VPN & Route-based VPNs


While the vast majority of network connections can be efficiently balanced across the
available Firewall Worker cores (Run the fw ctl multik stat command and look at
the Connections column to see this in action), there is one glaring exception on R77.30
gateway and earlier: IPSec VPN handling. By default on R77.30, all IPSec-based and
SSL VPN-based encryption and decryption can only take place on the lowest-numbered
Firewall Worker core ( fw_0 ).


I’m pleased to report though that the single-core IPSec VPN limitation in R77.30
gateway has at long last been resolved in R80.10+. IPSec VPN traffic is now balanced
across all Firewall Worker cores by default on R80.10+ gateway. The commands vpn
tu tlist and vpn tu mstats can be used to monitor the state of this new capability.
While it is technically possible to switch off this MultiCore IPSec feature by setting the
kernel variable enable_ipsec_multi_core to zero on R80.10+, doing so is not
supported as explicitly stated here: sk118097: MultiCore Support for IPsec VPN in
R80.10 and above.

 

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

0 Kudos
4 Replies
Tal_Paz-Fridman
Employee
Employee
‎2019-10-17 01:42 AM
Jump to solution

You can use the following SKs

 

MultiCore Support for IPsec VPN in R80.10 and above

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

Advanced Technical Reference Guide: VPN Core

https://supportcenter.checkpoint.com/supportcenter/?eventSubmit_doGoviewsolutiondetails=&solutionid=...

 

HTH

Tal

Timothy_Hall
Legend Legend
Legend
‎2019-10-17 05:45 AM
Jump to solution

@Tal_Paz-Fridman gave you the authoritative SK articles for the multicore IPSec VPN feature, and below is an excerpt about it from my Max Power book.  Generally the only direct way you'd even suspect multicore VPN was active would be when taking a capture with fw monitor which would show the new e & E capture points as originally discussed here: https://community.checkpoint.com/t5/Logging-and-Reporting/fw-monitor-inspection-point-e-or-E/m-p/128...

 

 

Click to Expand

R80.10: MultiCore IPSec VPN & Route-based VPNs


While the vast majority of network connections can be efficiently balanced across the
available Firewall Worker cores (Run the fw ctl multik stat command and look at
the Connections column to see this in action), there is one glaring exception on R77.30
gateway and earlier: IPSec VPN handling. By default on R77.30, all IPSec-based and
SSL VPN-based encryption and decryption can only take place on the lowest-numbered
Firewall Worker core ( fw_0 ).


I’m pleased to report though that the single-core IPSec VPN limitation in R77.30
gateway has at long last been resolved in R80.10+. IPSec VPN traffic is now balanced
across all Firewall Worker cores by default on R80.10+ gateway. The commands vpn
tu tlist and vpn tu mstats can be used to monitor the state of this new capability.
While it is technically possible to switch off this MultiCore IPSec feature by setting the
kernel variable enable_ipsec_multi_core to zero on R80.10+, doing so is not
supported as explicitly stated here: sk118097: MultiCore Support for IPsec VPN in
R80.10 and above.

 

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
shavat_zalpuri
Explorer
‎2019-10-17 06:07 AM
In response to Timothy_Hall
Jump to solution

Could you please send me this sk118097 solution in pdf
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-10-17 06:11 AM
In response to shavat_zalpuri
Jump to solution

SK article content is copyrighted and cannot be posted here or sent privately.  Please contact your Check Point SE to determine your support status and they should be able to help you.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events