This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
biskit
Advisor
‎2019-08-15 03:03 AM

R80.30 - A Good News Story

A few days ago I upgraded a customer from R80.10 to R80.30.  They are very pleased with the improvements in SmartView, and also shared this SNMP graph with me of the difference in gateway CPU utilisation.  I thought it was worth sharing with you all.  See if you can spot what time I completed the upgrade?  Quite remarkable! 😀

 
11 Replies
biskit
Advisor
‎2019-08-15 03:04 AM

Hmm, it didn't include the picture!  Try again....

 

Untitled.png

 

HeikoAnkenbrand
Champion Champion
Champion
‎2019-08-15 03:18 AM
In response to biskit

SecureXL works more effective here:-)

More see here:

Performance Tuning R80.30 Administration Guide

R80.20 and above:
- SecureXL has been significantly revised in R80.20. It now works in user space. This has also led to some changes in "fw monitor"
- There are new fw monitor chain (SecureXL) objects that do not run in the virtual machine.
- Now SecureXL works in user space. The SecureXL driver takes a certain amount of kernel memory per core and that was adding up to more kernel memory than Intel/Linux was allowing.
- SecureXL supportes now Async SecureXL.
- That's new in acceleration high level architecture (SecureXL on Acceleration Card): Streaming over SecureXL, Lite Parsers, Scalable SecureXL, Acceleration stickiness
- Policy push acceleration on Falcon cards

R80.30 and above:
- In R80.30+, you can also allocate a core for management traffic if you have 8 or more cores licensed, but this is not the default.
- Active streaming for https with full SNI support.

 

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Erik26
Explorer
‎2019-08-20 03:08 AM
In response to biskit

Hi,

this is not our experience We needed to install TAKE_19 due to errors in HTTPS Inspection. After installation of TAKE_19 we experience Memory leaks and still receive "Internal system error in HTTPS Inspection (Error Code: 2)" 

So we think that if you use HTTPS Inspection you have to be careful. In performance we do not see a difference.

We run the firewall in cluster. See memory load and cpu (look at scale!) for both units. 

R80.30_TAKE_19_1.jpg

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-08-15 06:42 AM

Wow that is quite a drop.  Are you sure that the reported CPU loads are including total CPU time in all execution modes and not just kernel space (si,hi,sy) as reported by top command?  USFW is enabled by default starting in R80.30 regardless of kernel version, so traffic that cannot be fully accelerated by SecureXL is handled by the Firewall workers as fwk processes in process space (us).  Needless to say this change will cause a lot more CPU cycles to be expended in user/process space than before and may be skewing the graph.

It is also possible that you have a lot of fragmented traffic in your network, and prior to R80.20 fragmented traffic could not be accelerated at all and would always go F2F/slowpath.  That restriction was lifted in R80.20+ due to the extensive changes in SecureXL so that may account for the CPU drop as well. 

 

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
PhoneBoy
Admin
Admin
‎2019-08-15 11:37 AM
In response to Timothy_Hall

USFW is only enabled by default for specific appliances (ones with 40+ cores), not in general--at least not yet.
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-08-15 12:11 PM
In response to PhoneBoy

USFW seems to be on by default in VMWare with 8 cores in R80.30, are the USFW enablement rules different for open hardware vs appliances?

 

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
PhoneBoy
Admin
Admin
‎2019-08-15 12:19 PM
In response to Timothy_Hall

Two different SKs clearly say it's on by default on R80.30 (sk93000 and sk149973).
I was just flat out wrong in this case 😬
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-08-15 01:38 PM
In response to PhoneBoy

Yeah, thing is I distinctly remember reading or hearing that USFW would only be enabled by default on certain R80.30 gateways with a high number of cores (40+?) and not on all of them.  I uncovered that USFW is enabled by default in R80.30 during some research for an upcoming special project.  So it is not just you...  🙂

 

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
biskit
Advisor
‎2019-08-15 01:40 PM
In response to Timothy_Hall

Interesting points, thanks 😀

0 Kudos
Garrett_DirSec
Advisor
‎2019-08-16 03:14 PM

Hello and thanks for the post.   

Have you had an opportunity to confirm the results from SNMP graph do indeed jive with other tools like SmartView, etc.   example:  use cpview (CLI) to validate SNMP results at individual point in time? 

The CPU consumption drop is eye-opening, but it would be good to validate this is not representative of kernel vs user space topics discussed elsewhere in thread. 

thanks -GA

0 Kudos
Dor_Marcovitch
Advisor
‎2019-12-01 11:51 PM
In response to Garrett_DirSec

which kernel have you used on the GWs ?
gaia 3.1 or gaia 2.6 ?
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top