Hmm, it didn't include the picture!  Try again....

SecureXL works more effective here:-)

More see here:

Performance Tuning R80.30 Administration Guide

R80.20 and above:
- SecureXL has been significantly revised in R80.20. It now works in user space. This has also led to some changes in "fw monitor"
- There are new fw monitor chain (SecureXL) objects that do not run in the virtual machine.
- Now SecureXL works in user space. The SecureXL driver takes a certain amount of kernel memory per core and that was adding up to more kernel memory than Intel/Linux was allowing.
- SecureXL supportes now Async SecureXL.
- That's new in acceleration high level architecture (SecureXL on Acceleration Card): Streaming over SecureXL, Lite Parsers, Scalable SecureXL, Acceleration stickiness
- Policy push acceleration on Falcon cards

R80.30 and above:
- In R80.30+, you can also allocate a core for management traffic if you have 8 or more cores licensed, but this is not the default.
- Active streaming for https with full SNI support.

Hi,

this is not our experience We needed to install TAKE_19 due to errors in HTTPS Inspection. After installation of TAKE_19 we experience Memory leaks and still receive "Internal system error in HTTPS Inspection (Error Code: 2)" 

So we think that if you use HTTPS Inspection you have to be careful. In performance we do not see a difference.

We run the firewall in cluster. See memory load and cpu (look at scale!) for both units. 

Wow that is quite a drop.  Are you sure that the reported CPU loads are including total CPU time in all execution modes and not just kernel space (si,hi,sy) as reported by top command?  USFW is enabled by default starting in R80.30 regardless of kernel version, so traffic that cannot be fully accelerated by SecureXL is handled by the Firewall workers as fwk processes in process space (us).  Needless to say this change will cause a lot more CPU cycles to be expended in user/process space than before and may be skewing the graph.

It is also possible that you have a lot of fragmented traffic in your network, and prior to R80.20 fragmented traffic could not be accelerated at all and would always go F2F/slowpath.  That restriction was lifted in R80.20+ due to the extensive changes in SecureXL so that may account for the CPU drop as well. 

USFW seems to be on by default in VMWare with 8 cores in R80.30, are the USFW enablement rules different for open hardware vs appliances?

Yeah, thing is I distinctly remember reading or hearing that USFW would only be enabled by default on certain R80.30 gateways with a high number of cores (40+?) and not on all of them.  I uncovered that USFW is enabled by default in R80.30 during some research for an upcoming special project.  So it is not just you...  🙂

Interesting points, thanks 😀

Hello and thanks for the post.   

Have you had an opportunity to confirm the results from SNMP graph do indeed jive with other tools like SmartView, etc.   example:  use cpview (CLI) to validate SNMP results at individual point in time? 

The CPU consumption drop is eye-opening, but it would be good to validate this is not representative of kernel vs user space topics discussed elsewhere in thread. 

thanks -GA