cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

Need help in understanding multi core vpn in r 80.x

Jump to solution

Hi All,

 

It owuuld be great help if you can help me in providing a document which will give me in detail information of multi core vpn in r80.X.

 

Different vpn types and on different cores.

 

Regards,

shavat Zalpuri

0 Kudos
1 Solution

Accepted Solutions

Re: Need help in understanding multi core vpn in r 80.x

Jump to solution

@Tal_Paz-Fridman gave you the authoritative SK articles for the multicore IPSec VPN feature, and below is an excerpt about it from my Max Power book.  Generally the only direct way you'd even suspect multicore VPN was active would be when taking a capture with fw monitor which would show the new e & E capture points as originally discussed here: https://community.checkpoint.com/t5/Logging-and-Reporting/fw-monitor-inspection-point-e-or-E/m-p/128...

 

 

Spoiler

R80.10: MultiCore IPSec VPN & Route-based VPNs


While the vast majority of network connections can be efficiently balanced across the
available Firewall Worker cores (Run the fw ctl multik stat command and look at
the Connections column to see this in action), there is one glaring exception on R77.30
gateway and earlier: IPSec VPN handling. By default on R77.30, all IPSec-based and
SSL VPN-based encryption and decryption can only take place on the lowest-numbered
Firewall Worker core ( fw_0 ).


I’m pleased to report though that the single-core IPSec VPN limitation in R77.30
gateway has at long last been resolved in R80.10+. IPSec VPN traffic is now balanced
across all Firewall Worker cores by default on R80.10+ gateway. The commands vpn
tu tlist and vpn tu mstats can be used to monitor the state of this new capability.
While it is technically possible to switch off this MultiCore IPSec feature by setting the
kernel variable enable_ipsec_multi_core to zero on R80.10+, doing so is not
supported as explicitly stated here: sk118097: MultiCore Support for IPsec VPN in
R80.10 and above.

 

 

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

View solution in original post

0 Kudos
4 Replies
Employee++
Employee++

Re: Need help in understanding multi core vpn in r 80.x

Jump to solution

You can use the following SKs

 

MultiCore Support for IPsec VPN in R80.10 and above

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

Advanced Technical Reference Guide: VPN Core

https://supportcenter.checkpoint.com/supportcenter/?eventSubmit_doGoviewsolutiondetails=&solutionid=...

 

HTH

Tal

Re: Need help in understanding multi core vpn in r 80.x

Jump to solution

@Tal_Paz-Fridman gave you the authoritative SK articles for the multicore IPSec VPN feature, and below is an excerpt about it from my Max Power book.  Generally the only direct way you'd even suspect multicore VPN was active would be when taking a capture with fw monitor which would show the new e & E capture points as originally discussed here: https://community.checkpoint.com/t5/Logging-and-Reporting/fw-monitor-inspection-point-e-or-E/m-p/128...

 

 

Spoiler

R80.10: MultiCore IPSec VPN & Route-based VPNs


While the vast majority of network connections can be efficiently balanced across the
available Firewall Worker cores (Run the fw ctl multik stat command and look at
the Connections column to see this in action), there is one glaring exception on R77.30
gateway and earlier: IPSec VPN handling. By default on R77.30, all IPSec-based and
SSL VPN-based encryption and decryption can only take place on the lowest-numbered
Firewall Worker core ( fw_0 ).


I’m pleased to report though that the single-core IPSec VPN limitation in R77.30
gateway has at long last been resolved in R80.10+. IPSec VPN traffic is now balanced
across all Firewall Worker cores by default on R80.10+ gateway. The commands vpn
tu tlist and vpn tu mstats can be used to monitor the state of this new capability.
While it is technically possible to switch off this MultiCore IPSec feature by setting the
kernel variable enable_ipsec_multi_core to zero on R80.10+, doing so is not
supported as explicitly stated here: sk118097: MultiCore Support for IPsec VPN in
R80.10 and above.

 

 

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

View solution in original post

0 Kudos

Re: Need help in understanding multi core vpn in r 80.x

Jump to solution
Could you please send me this sk118097 solution in pdf
0 Kudos

Re: Need help in understanding multi core vpn in r 80.x

Jump to solution

SK article content is copyrighted and cannot be posted here or sent privately.  Please contact your Check Point SE to determine your support status and they should be able to help you.

 

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
0 Kudos