
Security Gateway Performance Optimization Excerpt


Full video, available to CheckMates members: Security Gateway Performance Optimization with Tim Hall Video 

28 Replies
Ali_Korkmaz
Nickel

Re: Security Gateway Performance Optimization Excerpt

Hello,

This video does not work. Is there another link?

0 Kudos

Re: Security Gateway Performance Optimization Excerpt

This is a 2-minute teaser. The full video link is mentioned above as well.

0 Kudos
Ali_Korkmaz
Nickel

Re: Security Gateway Performance Optimization Excerpt

I tried the link to the full video but it did not work. Can you view the video?

0 Kudos

Re: Security Gateway Performance Optimization Excerpt

Yes, the video is available and works all right. It is in the members exclusive section, so please make sure you are logged in when watching. If it is still not working for you, please clean your browser cache and try again.

0 Kudos
Ali_Korkmaz
Nickel

Re: Security Gateway Performance Optimization Excerpt

Firstly, thanks for your quick reply. I am logged in to the community with my account on my phone. Might this video not be suitable for phones?

0 Kudos

Re: Security Gateway Performance Optimization Excerpt

Should work there as well. Clear the cache or try later.

0 Kudos
Admin
Admin

Re: Security Gateway Performance Optimization Excerpt

What kind of phone do you have?

It seems to be ok on my iPhone at least.

0 Kudos
Ali_Korkmaz
Nickel

Re: Security Gateway Performance Optimization Excerpt

I have a Xiaomi 6. I have tried with two different browsers but it does not work.

0 Kudos
Admin
Admin

Re: Security Gateway Performance Optimization Excerpt

I initially had an issue with my Samsung S8+ getting the video to start playing.

After refreshing the page, it seems to work now.

0 Kudos
Ali_Korkmaz
Nickel

Re: Security Gateway Performance Optimization Excerpt

I think the problem is related to the embedded video player on my phone. Thanks all.

Re: Security Gateway Performance Optimization Excerpt

Try this link

Video Link : 7987 

0 Kudos

Re: Security Gateway Performance Optimization Excerpt

On R80.10 I get an extra line:

QXL pkts/Total pkts : 0/46011886447 (0%)

We are not using QoS so that 0 is no surprise.

But it wasn't mentioned in the talks.

0 Kudos

Re: Security Gateway Performance Optimization Excerpt

Good point, Hugo van der Kooij. Timothy Hall, any comments?

0 Kudos

Re: Security Gateway Performance Optimization Excerpt

The QoS blade is rarely enabled and the QXL path will only show nonzero values when that blade is actually used. Heiko Ankenbrand and I discussed this topic here: https://community.checkpoint.com/message/28463

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: Security Gateway Performance Optimization Excerpt

Thanks Tim

0 Kudos

Re: Security Gateway Performance Optimization Excerpt

Thanks Timothy for the presentation.

Regards

Heiko

Re: Security Gateway Performance Optimization Excerpt

What I notice more and more in the last years is CPAS (Active Streaming). It always works through the F2F path. With increased HTTPS, the firewall workers are more and more stressed if HTTPS inspection is enabled. Timothy, you describe it very well in your book. Check Point Active Streaming allows the changing of data and plays the role of “man in the middle”. Several protocols use CPAS, for example: Client Authentication, VoIP (SIP, Skinny/SCCP, H.323, etc.), Data Leak Prevention (DLP) blade, Security Servers processes, etc. I think it's not to be underestimated in tuning.

Regards

Heiko

Re: Security Gateway Performance Optimization Excerpt

Well, it looks like the Medium Path (PXL) has been split into 2 separate paths called CPASXL and PSLXL in the R80.20 gateway based on this screenshot I just took in my lab, so for the first time we will be able to easily see stats about utilization of CPAS vs PSL:

Also in R80.20 we can now see actual statistics for the PXL path, which will certainly help "demystify" it to some degree:


Re: Security Gateway Performance Optimization Excerpt

The video is not working. Any other link, please?

0 Kudos

Re: Security Gateway Performance Optimization Excerpt

Video is fine, check your player settings

0 Kudos

Re: Security Gateway Performance Optimization Excerpt

I am afraid this statement is incorrect: "...CPAS (Active Streaming). It always works through the F2F path." It is and always has been qualified as PXL. What IS correct in your comment is that streaming is done by an FW instance, although handshake packets go via SND acceleration.

0 Kudos

Re: Security Gateway Performance Optimization Excerpt

Just to clarify terminology here. Both passive and active streaming are qualified as PXL. The tool gives you a better split between those two, but it does not qualify as two new paths suddenly appearing out of nowhere 🙂

We are talking about improved reporting for different parts of PXL here.

0 Kudos

Re: Security Gateway Performance Optimization Excerpt

I was under the impression that the F2F path is a superset of PXL as they are both handled on a Firewall Worker core, so CPAS and PSL can be applied to traffic in either path. The firewall will attempt to use PXL first if it can as it is more efficient, but I think it can still do the same operations in F2F if the packet is fragmented or some other condition makes the traffic go F2F. As noted in earlier threads there is limited documentation for and visibility into PXL.

0 Kudos

Re: Security Gateway Performance Optimization Excerpt

Well, your understanding is correct. 

We call FW Path a situation when 100% of the packets in the session are handled by kernel instances.

SXL is the other extreme, when all or all but the first packet are handled by SecureXL.

PXL is a situation when a connection is opened and closed through SXL but the data stream is handled by an FW kernel instance. In a sense, PXL is a combination of the two. You can only define PXL when talking about sessions and connections. On a per-packet basis, it is always FW path or SXL.

Re: Security Gateway Performance Optimization Excerpt

Valeri, I fully agree here with Timothy's comment:
"As noted in earlier threads there is limited documentation for and visibility into PXL."

No man in this world really understands the PXL paths in depth. Can you please publish a document here with the description! Every Check Point technician, customer etc. tells me a different story about the PXL paths. I think we all want to understand that to 100%.

I'm starting to get in a bad mood about this.

I have been trying for 3 months to describe this in my drawing (R80.x Security Gateway Architecture (Logical Packet Flow) ) and notice that there is a huge resonance here. I just wonder why nobody at Check Point does that??

 

We should all understand that and not always have a black spot in the room.

I just want to understand it and not just get info in bits and pieces.

Regards

Heiko

Re: Security Gateway Performance Optimization Excerpt

We have had this discussion before, Heiko Ankenbrand. Check Point does have documentation for packet flow, acceleration, etc. You have referenced it in your own documents here on CheckMates. I was providing you assistance for the mentioned document and the diagrams.

I can only repeat myself by saying that treating PXL as a separate per-packet flow is a mistake. PXL terminology only makes sense when you talk about sessions and connections.

Timothy Hall is a very good illustration that there are some people outside of Check Point with in-depth understanding of the subject.

R80.20 is the new product, and it brings new CLI tools, code improvement and further visibility into acceleration and streaming statistics. As it is new, it will take a bit of work to get all relevant SecureKnowledge articles and documentation.

I suggest you hold off on making changes to your packet flow and other documents until the relevant documentation is available.

We are also preparing a meeting with platforms and acceleration developers during your visit to HQ where you will be able to discuss topics of your interest and receive the info first hand. 

Re: Security Gateway Performance Optimization Excerpt

Thanks for the answer.

I am waiting for exactly these documents from Check Point.

I think it's very good that you are planning this.

Regards

Heiko

Re: Security Gateway Performance Optimization Excerpt

Trust me, you will work VERY hard here 🙂