A few days ago I upgraded a customer from R80.10 to R80.30. They are very pleased with the improvements in SmartView, and also shared this SNMP graph with me of the difference in gateway CPU utilisation. I thought it was worth sharing with you all. See if you can spot what time I completed the upgrade? Quite remarkable! 😀
Hmm, it didn't include the picture! Try again....
SecureXL works more effectively here :-)
See more here:
Performance Tuning R80.30 Administration Guide
R80.20 and above:
- SecureXL has been significantly revised in R80.20. It now works in user space. This has also led to some changes in "fw monitor"
- There are new fw monitor chain (SecureXL) objects that do not run in the virtual machine.
- Now SecureXL works in user space. The SecureXL driver takes a certain amount of kernel memory per core and that was adding up to more kernel memory than Intel/Linux was allowing.
- SecureXL now supports Async SecureXL.
- New in the acceleration high-level architecture (SecureXL on Acceleration Card): Streaming over SecureXL, Lite Parsers, Scalable SecureXL, Acceleration stickiness
- Policy push acceleration on Falcon cards
R80.30 and above:
- In R80.30+, you can also allocate a core for management traffic if you have 8 or more cores licensed, but this is not the default.
- Active streaming for https with full SNI support.
Hi,
this is not our experience. We needed to install TAKE_19 due to errors in HTTPS Inspection. After installation of TAKE_19 we experience memory leaks and still receive "Internal system error in HTTPS Inspection (Error Code: 2)".
So we think that if you use HTTPS Inspection you have to be careful. In performance we do not see a difference.
We run the firewall in a cluster. See memory load and CPU (look at the scale!) for both units.
Wow that is quite a drop. Are you sure that the reported CPU loads are including total CPU time in all execution modes and not just kernel space (si,hi,sy) as reported by top command? USFW is enabled by default starting in R80.30 regardless of kernel version, so traffic that cannot be fully accelerated by SecureXL is handled by the Firewall workers as fwk processes in process space (us). Needless to say this change will cause a lot more CPU cycles to be expended in user/process space than before and may be skewing the graph.
It is also possible that you have a lot of fragmented traffic in your network, and prior to R80.20 fragmented traffic could not be accelerated at all and would always go F2F/slowpath. That restriction was lifted in R80.20+ due to the extensive changes in SecureXL so that may account for the CPU drop as well.
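Added example, not part of any post in this thread: the check raised above (does the graphed figure cover all execution modes, or only kernel-side time?) can be made from two reads of the aggregate `cpu` line in `/proc/stat`. The counter values below are constructed for illustration, and the mapping to the `top` labels sy/hi/si/us is standard Linux accounting rather than Check Point tooling.

```python
"""Added example: split CPU time by execution mode from two /proc/stat reads."""
FIELDS = ("user", "nice", "system", "idle", "iowait", "irq", "softirq", "steal")


def parse_cpu_line(line):
    """Parse the aggregate 'cpu' line of /proc/stat into named jiffy counters."""
    parts = line.split()
    if len(parts) < 1 + len(FIELDS) or parts[0] != "cpu":
        raise ValueError("expected the aggregate 'cpu' line with 8+ counters")
    return dict(zip(FIELDS, (int(v) for v in parts[1:1 + len(FIELDS)])))


def cpu_breakdown(before, after):
    """Percent of the interval spent in kernel modes, user modes, and busy overall."""
    a, b = parse_cpu_line(before), parse_cpu_line(after)
    delta = {k: b[k] - a[k] for k in FIELDS}
    total = sum(delta.values())
    if total <= 0:
        raise ValueError("counters did not advance; take the samples in order")
    kernel = delta["system"] + delta["irq"] + delta["softirq"]  # sy + hi + si
    user = delta["user"] + delta["nice"]                        # us + ni
    busy = kernel + user + delta["steal"]                       # all but idle/iowait
    return {name: round(100.0 * n / total, 1)
            for name, n in (("kernel", kernel), ("user", user), ("busy", busy))}


# Constructed samples (not measurements from the thread). Both intervals have
# the same idle time; only the split between kernel and user modes differs.
START = "cpu 1000 0 5000 90000 100 200 3700 0 0 0"
KERNEL_HEAVY_END = "cpu 1100 0 6500 97000 100 300 5000 0 0 0"
USER_HEAVY_END = "cpu 3500 0 5300 97000 100 250 3850 0 0 0"

if __name__ == "__main__":
    for label, end in (("kernel-heavy", KERNEL_HEAVY_END),
                       ("user-heavy", USER_HEAVY_END)):
        print(label, cpu_breakdown(START, end))
```

With these samples a graph built only from the kernel figure falls from 29% to 5% while the busy figure stays at 30% in both intervals.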
USFW seems to be on by default in VMware with 8 cores in R80.30. Are the USFW enablement rules different for open hardware vs appliances?
Yeah, thing is I distinctly remember reading or hearing that USFW would only be enabled by default on certain R80.30 gateways with a high number of cores (40+?) and not on all of them. I uncovered that USFW is enabled by default in R80.30 during some research for an upcoming special project. So it is not just you... 🙂
Interesting points, thanks 😀
Hello and thanks for the post.
Have you had an opportunity to confirm the results from the SNMP graph do indeed jibe with other tools like SmartView, etc.? For example, use cpview (CLI) to validate SNMP results at an individual point in time?
The CPU consumption drop is eye-opening, but it would be good to validate this is not representative of kernel vs user space topics discussed elsewhere in thread.
thanks -GA