Re: R82: Parallel Processing Based Packet Flow

RoiGershon · ‎2024-09-26

📣 Hello CheckMates! 📣

I would like to share some knowledge on the subject of parallel processing with the Check Point GW.

Parallel processing is no news, but this will shed light on how it works.

When a packet makes its way to the firewall, it sets off a chain of processes starting from its arrival at the firewall interface, until it is sent to its destination. Do you want to find out what actually happens? This is a document for you.

We're excited to share how we at Check Point are leveraging the power of parallel processing to supercharge packet handling efficiency in our new R82 software release.

Our innovative features, CoreXL and HyperFlow, are designed to maximize the benefits of these multi-core platforms, taking your security operations to the next level.

CoreXL, our performance-enhancing technology, is constantly fine-tuned to make the most of the computational power of modern hardware processing units, and together with Hyperflow, ensures undisrupted parallel processing, no matter the type of the traffic.

We hope that this would be helpful and insightful.

Follow us at: https://www.youtube.com/playlist?list=PLMAKXIJBvfAiox1OCCUGcv90oK6N3G1v_

Stay tuned for more insights and updates from Check Point’s TME team! 🔒💻

#TME #Technical Marketing #Parallel Processing #R82

PhoneBoy · ‎2024-09-26

Good stuff!

the_rock · ‎2024-09-26

That is super USEFUL @RoiGershon

Thanks very much.

Andy

RoiGershon · ‎2024-09-26

Hi @the_rock , thank you !
Stay tuned as we are about to share a detailed document soon.

the_rock · ‎2024-09-26

Looking forward to it!

Timothy_Hall · ‎2024-09-26

I'll defer my inevitable questions until the details document is released. 8)

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

Duane_Toler · ‎2024-09-30

Wow! This is nice! I'll need more time to digest it, but this looks great.

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack

FXB · ‎2024-10-01

Great stuff, looks really promising.

I assume that this is - just like Hyperflow - a feature dedicated to quantum firewall appliances and not available on openserver?

RoiGershon · ‎2024-10-01

Hi @FXB , thank you !

It is available for openserver as well

Gargoyle · ‎2024-10-01

Hello,

Thank you for the document. Good stuff.

In the provided diagram, I'm trying to understand what exactly are the changes introduced by R82.

I believe that parallel processing is already in place within acceleration layer for some time (we can have multiple SND cores).

So my understanding is that R82 benefit is that DPI can run in multiple sub-processes in parallel instead of single run occupying given fw worker/core.

If so, are there any dependences? For example I would expect packet streamer / protocol validator always happens first and not in parallel.

Maybe if you can provide diagram also for pre R82 so we can understand the difference/improvement.

Thank you.

PhoneBoy · ‎2024-10-01

I don't believe this document is specific to R82.
Part of what is changing is that some functions previously in the kernel are now moving to userspace.
This isn't specific to R82, necessarily, as newer appliances are already implementing UPPAK: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_PerformanceTuning_AdminGuide...
USFW has been around for a while: https://support.checkpoint.com/results/sk/sk167052

Neither of these changes affect the high-level flow described in the diagram, but the technical implementation will be different.

RoiGershon · ‎2024-10-06

Hi @Gargoyle ,

While all connections operate in parallel as shown, each connection requires the packet streamer and protocol validation layers to function initially. This is because the stream data must be obtained in a sequential manner before executing Pattern Matching on it.

Daniel_ · ‎2024-10-10

Thanks for the picture.

As Linux provides this infrastructure also: Can you compare it to linux implementations or are you using the linux function from the kernel? I'm interested in eBPF and XDP (eXpress Data Path)
https://en.wikipedia.org/wiki/Express_Data_Path

For your vpnf process you are already using bpf (I saw a message on my system "vpnf-3.10.0-957[12116] is installing a program with bpf_probe_write_user helper that may corrupt user memory!"). Does the vpnf protection also work if I have a SmartNIC?

Thanks!

PhoneBoy · ‎2024-10-11

I assume this will be addressed in the detailed document that will follow.
Having said that, I know we leverage frameworks built into the Linux kernel for various reasons.

I know from past discussions we were planning to leverage DPDK.
I assume, from error messages I've seen posted on CheckMates recently, that it is being used in our UPPAK (User-Space Performance Pack) implementation.

Are you a member of CheckMates?

R82: Parallel Processing Based Packet Flow