This website uses cookies. By browsing this website, you consent to the use of cookies. Learn more.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Highlighted
shavat_zalpuri
Ivory
‎2019-10-17 12:54 AM

Need help in understanding multi core vpn in r 80.x

Jump to solution

Hi All,

 

It owuuld be great help if you can help me in providing a document which will give me in detail information of multi core vpn in r80.X.

 

Different vpn types and on different cores.

 

Regards,

shavat Zalpuri

0 Kudos
1 Solution

Accepted Solutions
Highlighted
Timothy_Hall
Ruby
‎2019-10-17 05:45 AM

Jump to solution

@Tal_Paz-Fridman gave you the authoritative SK articles for the multicore IPSec VPN feature, and below is an excerpt about it from my Max Power book.  Generally the only direct way you'd even suspect multicore VPN was active would be when taking a capture with fw monitor which would show the new e & E capture points as originally discussed here: https://community.checkpoint.com/t5/Logging-and-Reporting/fw-monitor-inspection-point-e-or-E/m-p/128...

 

 

Spoiler

R80.10: MultiCore IPSec VPN & Route-based VPNs


While the vast majority of network connections can be efficiently balanced across the
available Firewall Worker cores (Run the fw ctl multik stat command and look at
the Connections column to see this in action), there is one glaring exception on R77.30
gateway and earlier: IPSec VPN handling. By default on R77.30, all IPSec-based and
SSL VPN-based encryption and decryption can only take place on the lowest-numbered
Firewall Worker core ( fw_0 ).


I’m pleased to report though that the single-core IPSec VPN limitation in R77.30
gateway has at long last been resolved in R80.10+. IPSec VPN traffic is now balanced
across all Firewall Worker cores by default on R80.10+ gateway. The commands vpn
tu tlist and vpn tu mstats can be used to monitor the state of this new capability.
While it is technically possible to switch off this MultiCore IPSec feature by setting the
kernel variable enable_ipsec_multi_core to zero on R80.10+, doing so is not
supported as explicitly stated here: sk118097: MultiCore Support for IPsec VPN in
R80.10 and above.

 

 

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com

View solution in original post

0 Kudos
4 Replies
Highlighted
Tal_Paz-Fridman
Employee++
Employee++
‎2019-10-17 01:42 AM

Jump to solution

You can use the following SKs

 

MultiCore Support for IPsec VPN in R80.10 and above

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

Advanced Technical Reference Guide: VPN Core

https://supportcenter.checkpoint.com/supportcenter/?eventSubmit_doGoviewsolutiondetails=&solutionid=...

 

HTH

Tal

Highlighted
Timothy_Hall
Ruby
‎2019-10-17 05:45 AM

Jump to solution

@Tal_Paz-Fridman gave you the authoritative SK articles for the multicore IPSec VPN feature, and below is an excerpt about it from my Max Power book.  Generally the only direct way you'd even suspect multicore VPN was active would be when taking a capture with fw monitor which would show the new e & E capture points as originally discussed here: https://community.checkpoint.com/t5/Logging-and-Reporting/fw-monitor-inspection-point-e-or-E/m-p/128...

 

 

Spoiler

R80.10: MultiCore IPSec VPN & Route-based VPNs


While the vast majority of network connections can be efficiently balanced across the
available Firewall Worker cores (Run the fw ctl multik stat command and look at
the Connections column to see this in action), there is one glaring exception on R77.30
gateway and earlier: IPSec VPN handling. By default on R77.30, all IPSec-based and
SSL VPN-based encryption and decryption can only take place on the lowest-numbered
Firewall Worker core ( fw_0 ).


I’m pleased to report though that the single-core IPSec VPN limitation in R77.30
gateway has at long last been resolved in R80.10+. IPSec VPN traffic is now balanced
across all Firewall Worker cores by default on R80.10+ gateway. The commands vpn
tu tlist and vpn tu mstats can be used to monitor the state of this new capability.
While it is technically possible to switch off this MultiCore IPSec feature by setting the
kernel variable enable_ipsec_multi_core to zero on R80.10+, doing so is not
supported as explicitly stated here: sk118097: MultiCore Support for IPsec VPN in
R80.10 and above.

 

 

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com

View solution in original post

0 Kudos
Highlighted
shavat_zalpuri
Ivory
‎2019-10-17 06:07 AM

Jump to solution
Could you please send me this sk118097 solution in pdf
0 Kudos
Highlighted
Timothy_Hall
Ruby
‎2019-10-17 06:11 AM

Jump to solution

SK article content is copyrighted and cannot be posted here or sent privately.  Please contact your Check Point SE to determine your support status and they should be able to help you.

 

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
0 Kudos