- CheckMates
- :
- Products
- :
- General Topics
- :
- Re: R82: Parallel Processing Based Packet Flow
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
R82: Parallel Processing Based Packet Flow
📣 Hello CheckMates! 📣
I would like to share some knowledge on the subject of parallel processing with the Check Point GW.
Parallel processing is no news, but this will shed light on how it works.
When a packet makes its way to the firewall, it sets off a chain of processes starting from its arrival at the firewall interface, until it is sent to its destination. Do you want to find out what actually happens? This is a document for you.
We're excited to share how we at Check Point are leveraging the power of parallel processing to supercharge packet handling efficiency in our new R82 software release.
Our innovative features, CoreXL and HyperFlow, are designed to maximize the benefits of these multi-core platforms, taking your security operations to the next level.
CoreXL, our performance-enhancing technology, is constantly fine-tuned to make the most of the computational power of modern hardware processing units, and together with Hyperflow, ensures undisrupted parallel processing, no matter the type of the traffic.
We hope that this would be helpful and insightful.
Follow us at: https://www.youtube.com/playlist?list=PLMAKXIJBvfAiox1OCCUGcv90oK6N3G1v_
Stay tuned for more insights and updates from Check Point’s TME team! 🔒💻
#TME #Technical Marketing #Parallel Processing #R82
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good stuff!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @the_rock , thank you !
Stay tuned as we are about to share a detailed document soon.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looking forward to it!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'll defer my inevitable questions until the details document is released. 😎
now available at maxpowerfirewalls.com
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wow! This is nice! I'll need more time to digest it, but this looks great.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great stuff, looks really promising.
I assume that this is - just like Hyperflow - a feature dedicated to quantum firewall appliances and not available on openserver?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @FXB , thank you !
It is available for openserver as well
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Thank you for the document. Good stuff.
In the provided diagram, I'm trying to understand what exactly are the changes introduced by R82.
I believe that parallel processing is already in place within acceleration layer for some time (we can have multiple SND cores).
So my understanding is that R82 benefit is that DPI can run in multiple sub-processes in parallel instead of single run occupying given fw worker/core.
If so, are there any dependences? For example I would expect packet streamer / protocol validator always happens first and not in parallel.
Maybe if you can provide diagram also for pre R82 so we can understand the difference/improvement.
Thank you.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't believe this document is specific to R82.
Part of what is changing is that some functions previously in the kernel are now moving to userspace.
This isn't specific to R82, necessarily, as newer appliances are already implementing UPPAK: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_PerformanceTuning_AdminGuide...
USFW has been around for a while: https://support.checkpoint.com/results/sk/sk167052
Neither of these changes affect the high-level flow described in the diagram, but the technical implementation will be different.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Gargoyle ,
While all connections operate in parallel as shown, each connection requires the packet streamer and protocol validation layers to function initially. This is because the stream data must be obtained in a sequential manner before executing Pattern Matching on it.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the picture.
As Linux provides this infrastructure also: Can you compare it to linux implementations or are you using the linux function from the kernel? I'm interested in eBPF and XDP (eXpress Data Path)
https://en.wikipedia.org/wiki/Express_Data_Path
For your vpnf process you are already using bpf (I saw a message on my system "vpnf-3.10.0-957[12116] is installing a program with bpf_probe_write_user helper that may corrupt user memory!"). Does the vpnf protection also work if I have a SmartNIC?
Thanks!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I assume this will be addressed in the detailed document that will follow.
Having said that, I know we leverage frameworks built into the Linux kernel for various reasons.
I know from past discussions we were planning to leverage DPDK.
I assume, from error messages I've seen posted on CheckMates recently, that it is being used in our UPPAK (User-Space Performance Pack) implementation.