This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Highlighted
HeikoAnkenbrand
Champion
Champion
‎2019-08-15 08:40 AM

Update R80.20+ Security Gateway Architecture (Logical Packet Flow)

Chapter

More interesting articles:

- R80.x Architecture and Performance Tuning - Link Collection
- Article list (Heiko Ankenbrand)

Flowchart news in R80.20 and above


SecureXL has been significantly revised in R80.20. This has also led to some changes in "fw monitor". There are new fw monitor chain (SecureXL) objects that do not run in the virtual machine.

Now SecureXL works in part in user space. The SecureXL driver takes a certain amount of kernel memory per core and that was adding up to more kernel memory than Intel/Linux was allowing. The packet flow in R80.20+ is a little bit different from the flow lower than R80.20. Now it is possible to use async SecureXL and other new functions. This figure shows the new features with the reinjection of SecureXL packages. SecureXL supportes now also Async SecureXL with Falcon cards. That's new in acceleration high level architecture (SecureXL on Acceleration Card): Streaming over SecureXL, Lite Parsers, Scalable SecureXL, Acceleration stickiness...

More informations here: R80.x Security Gateway Architecture (Logical Packet Flow)

Whats new in R80.20+:

Now there are several SecureXL instances possible. As a result, packets are reinjected with the new SecureXL ID into the correct SecureXL instance again after they have been allowed by access template or rule set. After the packet has been reinjected, the SecureXL ID is added to the SecureXL connetion table and the packet is forwarded to the correct SecureXL instance. Therefore the flow is slightly different to older version before R80.20. This new mechanism also offers the possibility to transfer packets into a new SecureXL instance on Falcon cards.

R80.20 Logical Packet Flow 0.1b.JPG

PXL vs. PSLXL - Technology name for combination of SecureXL and PSL. PXL was renamed to PSLXL in R80.20. This is from my point of view the politically correct better term.

For the new acceleration Falcon card architecture with R80.20+ and SecureXL offloading read this article:

R80.x Security Gateway Architecture (Acceleration Card Offloading):

17 Replies
Highlighted
PhoneBoy
Admin
Admin
‎2019-08-15 11:39 AM

"fort he" typo in the middle of the diagram.
0 Kudos
Highlighted
HeikoAnkenbrand
Champion
Champion
‎2019-08-15 11:42 AM

THX @PhoneBoy,

I'll change tomorrow in the next version.

Tags (1)
Highlighted
Daniel_Hainich
Collaborator
‎2019-08-16 01:17 AM

there is also "thw" in top securexl matching.
0 Kudos
Highlighted
HeikoAnkenbrand
Champion
Champion
‎2019-08-16 12:08 PM

Hi @PhoneBoyHi @Daniel_Hainich 

THX is changed.

Tags (1)
Highlighted
Ziv_Zander
Explorer
‎2019-08-16 07:33 AM

Typos aren't a problem. The content is important.

And I think that is brilliant information from @HeikoAnkenbrand.

Highlighted
HeikoAnkenbrand
Champion
Champion
‎2019-08-16 12:12 PM

I also added the paths (Slow Path, Medium Path and Fast Path)  marked in color.

Tags (1)
Highlighted
HeikoAnkenbrand
Champion
Champion
‎2019-08-17 01:20 AM

Now there are several SecureXL instances possible. As a result, packets are reinjected with the new SecureXL ID into the correct SecureXL instance again after they have been allowed by access template or rule set. After the packet has been reinjected, the SecureXL ID is added to the SecureXL connettion table and the packet is forwarded to the correct SecureXL instance. Therefore the flow is slightly different to older version before R80.20. This new mechanism also offers the possibility to transfer packets into a new SecureXL instance on Falcon cards.

Tags (1)
Highlighted
F__Rahama
Participant
‎2019-08-19 01:40 AM

Why packets reinjection with the neu SecureXL ID into the correct SecureXl instance is needed?

0 Kudos
Highlighted
Timothy_Hall
Champion
Champion
‎2019-08-19 04:55 AM

Starting in R80.20 there can be more than one instance of SecureXL present on the gateway, but the only way you can have this situation is if a Falcon card is present (which is essentially another instance of SecureXL running on the card itself).  If a packet is received by the "wrong" instance of SecureXL on a gateway, it is forwarded to the correct instance and the packet is counted as a "correction" in the output of commands like fwaccel stats -s.

 

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
Highlighted
HeikoAnkenbrand
Champion
Champion
‎2019-08-19 11:52 PM

Yes @Timothy_Hall  describes this well, from R80.20 there are correction flows. They forward the packet to the correct SecureXL instance. 

Through reinjection, the packet is tagged with the correct SecureXL ID and then forwarded to the appropriate SecureXL instance. This is now also described in the new R80.30 document Performance Tuning R80.30 Administration Guide.

 

 

Tags (1)
Highlighted
HeikoAnkenbrand
Champion
Champion
‎2019-08-20 12:24 AM

Here is a picture from a LAB appliance with corrected packet flow:

SexureXL_correction.PNG

 
 
Tags (1)
Highlighted
James_Heueck
Participant
‎2019-08-20 03:56 AM

Great info.

Highlighted
Bidwell_Britta
Participant
‎2019-08-24 02:51 AM

Nice update.

Highlighted
Vitaly_C_
Participant
‎2019-09-05 12:06 PM

😀

Highlighted
Tsvika_Gilman
Contributor
‎2019-11-12 05:42 AM

Nice informaton update!

0 Kudos
Highlighted
R2D2
Participant
‎2020-04-16 11:12 PM

Is this CCSE exam relevant?

0 Kudos
Highlighted
_Val_
Admin
Admin
‎2020-04-17 12:35 AM

Technically speaking, no. However, this helps with understanding of technology. That said, I advise you to stick with official documentation and course textbooks for certification

0 Kudos