Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
RoiGershon
Employee
Employee

R82: Parallel Processing Based Packet Flow

📣 Hello CheckMates! 📣

I would like to share some knowledge on the subject of parallel processing with the Check Point GW.

Parallel processing is no news, but this will shed light on how it works. 

Parallel Processing Based Packet Flow in R82 Software V3.jpg

When a packet makes its way to the firewall, it sets off a chain of processes starting from its arrival at the firewall interface, until it is sent to its destination. Do you want to find out what actually happens? This is a document for you.

We're excited to share how we at Check Point are leveraging the power of parallel processing to supercharge packet handling efficiency in our new R82 software release.

Our innovative features, CoreXL and HyperFlow, are designed to maximize the benefits of these multi-core platforms, taking your security operations to the next level.

CoreXL, our performance-enhancing technology, is constantly fine-tuned to make the most of the computational power of modern hardware processing units, and together with Hyperflow, ensures undisrupted parallel processing, no matter the type of the traffic.

 

We hope that this would be helpful and insightful.

Follow us at: https://www.youtube.com/playlist?list=PLMAKXIJBvfAiox1OCCUGcv90oK6N3G1v_

Stay tuned for more insights and updates from Check Point’s TME team! 🔒💻


#TME #Technical Marketing #Parallel Processing #R82

13 Replies
PhoneBoy
Admin
Admin

Good stuff!

the_rock
Legend
Legend

That is super USEFUL @RoiGershon 

Thanks very much.

Andy

0 Kudos
RoiGershon
Employee
Employee

Hi @the_rock , thank you !
Stay tuned as we are about to share a detailed document soon.

the_rock
Legend
Legend

Looking forward to it!

0 Kudos
Timothy_Hall
Legend Legend
Legend

I'll defer my inevitable questions until the details document is released.  😎

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
(1)
Duane_Toler
Advisor

Wow! This is nice!  I'll need more time to digest it, but this looks great.

FXB
Contributor

Great stuff, looks really promising.

I assume that this is - just like Hyperflow - a feature dedicated to quantum firewall appliances and not available on openserver?

RoiGershon
Employee
Employee

Hi @FXB , thank you !

It is available for openserver as well

Gargoyle
Explorer

Hello,

Thank you for the document. Good stuff.

In the provided diagram, I'm trying to understand what exactly are the changes introduced by R82.

I believe that parallel processing is already in place within acceleration layer for some time (we can have multiple SND cores).

So my understanding is that R82 benefit is that DPI can run in multiple sub-processes in parallel instead of single run occupying given fw worker/core. 

If so, are there any dependences? For example I would expect packet streamer / protocol validator always happens first and not in parallel.

Maybe if you can provide diagram also for pre R82 so we can understand the difference/improvement.

Thank you.

0 Kudos
PhoneBoy
Admin
Admin

I don't believe this document is specific to R82.
Part of what is changing is that some functions previously in the kernel are now moving to userspace.
This isn't specific to R82, necessarily, as newer appliances are already implementing UPPAK: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_PerformanceTuning_AdminGuide...
USFW has been around for a while: https://support.checkpoint.com/results/sk/sk167052 

Neither of these changes affect the high-level flow described in the diagram, but the technical implementation will be different.

0 Kudos
RoiGershon
Employee
Employee

Hi @Gargoyle ,

While all connections operate in parallel as shown, each connection requires the packet streamer and protocol validation layers to function initially. This is because the stream data must be obtained in a sequential manner before executing Pattern Matching on it.

0 Kudos
Daniel_
Advisor

Thanks for the picture.

As Linux provides this infrastructure also: Can you compare it to linux implementations or are you using the linux function from the kernel? I'm interested in eBPF and XDP (eXpress Data Path)
https://en.wikipedia.org/wiki/Express_Data_Path

For your vpnf process you are already using bpf (I saw a message on my system "vpnf-3.10.0-957[12116] is installing a program with bpf_probe_write_user helper that may corrupt user memory!"). Does the vpnf protection also work if I have a SmartNIC?

Thanks!

0 Kudos
PhoneBoy
Admin
Admin

I assume this will be addressed in the detailed document that will follow.
Having said that, I know we leverage frameworks built into the Linux kernel for various reasons.

I know from past discussions we were planning to leverage DPDK.
I assume, from error messages I've seen posted on CheckMates recently, that it is being used in our UPPAK (User-Space Performance Pack) implementation.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events