HeikoAnkenbrand
Champion

Quantum Lightspeed Packet Flow

The new Quantum Lightspeed firewalls are much better in performance because they use NVIDIA ASICs.

Now the question is, how is the packet flow through the NVIDIA interface vs. firewall?
Is SecureXL already a part of the NVIDIA ASICs and if so, how does it work technically?

Security Gateway does not support these features when you install an NVIDIA 2-port 100G Card:

- ClusterXL in the Load Sharing mode or Active-Active mode.
- VSX mode
- SecureXL Drop Templates (see sk153832).
- VRRP Cluster.
- Rate Limiting rules for DoS Mitigation configured with the commands 'fwaccel dos deny' and 'fwaccel dos allow' (see sk112454).

These restrictions indicate that the packet flow during acceleration is no longer forwarded to the firewall software (SecureXL or CoreXL) in the case of optimisation but passes directly through the ASIC.

Are there detailed descriptions of the packet flow here?
How is the support for Multi Queueing?
How does the packet flow work ASIC vs. SND?

Nothing is described in the Quantum Lightspeed manuals:
NVIDIA 2-port 100G QSFP28 ConnectX Dual-Width Network Card Administration Guide 
sk176466 - Check Point LightSpeed Appliances  
Check Point LightSpeed Appliances Getting Started Guide
Check Point LightSpeed Appliances Quick Start Guide


➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
6 Replies
Timothy_Hall
Legend

Yes, I'd like to see those answers as well, Heiko, and also what processing paths can be completely handled by the NVIDIA ASICs? The SXL/Accelerated path is probably a given, but what about the Medium Path (PXL)? Active Streaming Path (CPAS)?

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
HeikoAnkenbrand
Champion

If I have understood correctly, the optimisation only works via the NVIDIA ASICs if the interface is used on the same network carrier card. Thus, only two interfaces can be used for ASIC acceleration. Traffic over several carrier cards should work as usual.

There are still some unanswered questions here!

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
genisis__
Leader

Would I be right in saying only the firewall blade is supported... currently?

The one thing that needs to be in ASIC is HTTPS inspection.

0 Kudos
Chris_Atkinson
Employee

Correct, today the NVIDIA 2-port 100G Cards support only the Firewall Software Blade on the Security Gateway / Cluster Members per the first link shared by Heiko.

Encryption functions/scenarios are certainly a use case that we're looking at for the next phase.

CCSM R77/R80/ELITE
0 Kudos
HeikoAnkenbrand
Champion

This limits the use somewhat. If we also consider that the following do not work.

Security Gateway does not support these features when you install an NVIDIA 2-port 100G Card:
  - IPv6 traffic (do not enable the IPv6 support in Gaia on the host appliance).
  - ClusterXL in the Load Sharing mode or Active-Active mode.
  - VSX mode.
  - SecureXL Drop Templates (see sk153832).
  - Rate Limiting rules for DoS Mitigation configured with the commands 'fwaccel dos deny' and 'fwaccel dos allow' (see sk112454).
  - Jumbo Frames.
  - NAT64.
  - 802.1Q Tunneling (Q-in-Q).
  - VRRP Cluster.

Bond Interfaces:
  - To create a Bond Interface that accelerates traffic, you must use the physical ports of the same NVIDIA 2-port 100G Card.
  - When you change the state of one physical port in a Bond Interface to down / up, the other physical port in the Bond Interface also changes its state to down / up.

 

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
_Val_
Admin

Documentation is in the works, we will provide info later on. Also, a couple of TechTalks are planned for the latest performance features. Till then, please be patient.

0 Kudos
