Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
HeikoAnkenbrand
Champion
Champion

PSL inline vs pipeline?

Jump to solution

Where can I find a R81.10 documentation on what exactly is the difference between PSL inline and PSL pipeline?

PSL_inline_pipeline.JPG


 

1 Solution

Accepted Solutions
Chen_Muchtar
Employee
Employee

Hi,

  • The statistics you’re referring to counts the number of packets passing through the different available packet flows in a Check Point GW
  • SK153832 currently lists the following paths: Firewall path / Slow path (F2F), Medium path (PXL) and Accelerated path
  • On top of that, we have Pipeline processing path – a connection which is handled by more than one CPU (unlike in other paths in which a connection is handled by a dedicated CPU)
    • Would be updated in SK153832 by EOW
    • Preparations for this infra were first introduced over R80.40
    • The project is targeted for R81.20 (would be also ported to several JHFs), its main goal is to allow better utilization of the systems resources to tackle elephant flows scenarios in NGTP env. at first stage (content would be expanding over future releases)
    • Project is due to start EA phase soon (+ dedicated RnD support), feel free to refer me offline per relevant customers/ EA candidates
  • Addressing additional Qs which were raised over this thread:
    • “PSL pipeline” refers to packets passing through Pipeline processing path (mentioned above) and handled by PSL
      • Until the project release, it will always show as 0
    • “PSL inline” refers to the legacy Falcon Cards
      • This flow is deprecated and the statistics will be removed in R81.20 and JHFs
      • This stat will always show as 0 as well

 All, you're always welcome to approach me on any related matter @ Chenmu@checkpoint.com

View solution in original post

11 Replies
Timothy_Hall
Champion
Champion

I don't believe these are documented anywhere, but I think the inline path is only used if a Falcon accelerator card is present; that traffic was handled "inline" by the Falcon card between NIC ports.

The pipeline paths are Check Point's answer to the elephant flow issue of saturating a single core, and is the new feature I was alluding to at the end of my CPX speech on elephant flows.  The pipeline paths first appeared in a Jumbo HFA of R80.40 but were not enabled by default.  The pipeline paths are enabled by default in R81.10 (not sure about R81) and allow the processing of a single connection's packets to be spread across a limited number of worker cores (3 I think).  Not sure if this is only invoked when a worker hits 100% kind of like Priority Queues.

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
HeikoAnkenbrand
Champion
Champion

Hi @Timothy_Hall,

I had already written an article on Falcon Cards "R8x - Security Gateway Architecture (Acceleration Card Offloading)".

Then the PSL inline path must be the "Inline path"???
Then the PSL pipeline must be the "Buffer path" or "Host path"
or "the pipeline paths are Check Point's answer to the elephant flow issue" that you describe???

I don't really understand it.

Can someone from Check Point R&D please answer this.
So that we get a 100% correct statement.

--------------------------------------------------------------------------------------------------------

Here are the paths to the Falcon Cards:

R80.20+ acceleration cards provide three new acceleration flows:

  •         Host path
  •         Buffer path
  •         Inline path

Inline path - For HTTP response body (until 1st tier match) and TLS bulk encryption/ decryption.

S_Inline_PSL.JPG

Buffer path - For HTTP requests, HTTP response headers and TLS handshakes.

S_Host_PSL.JPG

Host Path - For non acceleration connections (eg. local connections) and connections on non acceleration card interface.

S_Host1_PSL.JPG






Timothy_Hall
Champion
Champion

Yeah we need a clarification from R&D on this one.  In the meantime I forgot to add that the inline paths seem to be part of the MUX feature described in this thread:

https://community.checkpoint.com/t5/Security-Gateways/What-does-mux-enabled-kernel-parameter-do-exac...

 

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
udo_kimmich
Explorer

Information from R&D would be very helpful here.
No one understands the paths any more!


0 Kudos
HeikoAnkenbrand
Champion
Champion

Any news from Check Point to this topic?

0 Kudos
PhoneBoy
Admin
Admin

@idants Do you happen to know what these are?

0 Kudos
idants
Employee
Employee

I moved to a new position since then.

Please take it with Chen Muchtar.

0 Kudos
PhoneBoy
Admin
Admin

Sorry about that.
@Chen_Muchtar ?

Chen_Muchtar
Employee
Employee

Hi,

  • The statistics you’re referring to counts the number of packets passing through the different available packet flows in a Check Point GW
  • SK153832 currently lists the following paths: Firewall path / Slow path (F2F), Medium path (PXL) and Accelerated path
  • On top of that, we have Pipeline processing path – a connection which is handled by more than one CPU (unlike in other paths in which a connection is handled by a dedicated CPU)
    • Would be updated in SK153832 by EOW
    • Preparations for this infra were first introduced over R80.40
    • The project is targeted for R81.20 (would be also ported to several JHFs), its main goal is to allow better utilization of the systems resources to tackle elephant flows scenarios in NGTP env. at first stage (content would be expanding over future releases)
    • Project is due to start EA phase soon (+ dedicated RnD support), feel free to refer me offline per relevant customers/ EA candidates
  • Addressing additional Qs which were raised over this thread:
    • “PSL pipeline” refers to packets passing through Pipeline processing path (mentioned above) and handled by PSL
      • Until the project release, it will always show as 0
    • “PSL inline” refers to the legacy Falcon Cards
      • This flow is deprecated and the statistics will be removed in R81.20 and JHFs
      • This stat will always show as 0 as well

 All, you're always welcome to approach me on any related matter @ Chenmu@checkpoint.com

View solution in original post

Timothy_Hall
Champion
Champion

Great explanation, glad to see I was pretty close in my earlier post.  Thanks!

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
_Val_
Admin
Admin

I guess we need a TechTalk about it, @Chen_Muchtar