This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
pkroupod
Employee
Employee
‎2019-09-22 06:31 PM
Jump to solution

Difference between the Secure Network Distributor (SND) and CoreXL Dynamic dispatcher?

Can someone please give a clear explanation, what is the difference between the Secure Network Distributor (SND) and CoreXL Dynamic dispatcher?

1 Solution

Accepted Solutions
pkroupod
Employee
Employee
‎2019-09-24 07:17 PM
Jump to solution

The SND performs acceleration of traffic and if traffic is not accelerated then the SND will dispatch the traffic to the firewall workers, each having their own firewall kernel instance. The SND will distribute traffic evenly based on the amount of connections, however, it may not evenly distribute the load as some connections are "heavier" than others. I believe the heaviness is based on the bit rate value, I will need to verify that. The dynamic dispatcher will be aware of how heavy the connections are, so it will better distribute the load to each firewall worker. To recap, the SND thinks that the load should be distributed based on the amount of connections, but that's not true, because some connections are heavier than others. This is where dynamic dispatcher comes to the rescue.

View solution in original post

(1)
5 Replies
Martin_Valenta
Advisor
‎2019-09-23 01:10 AM
Jump to solution

Great question from employee..
(1)
G_W_Albrecht
Legend Legend
Legend
‎2019-09-23 01:28 AM
Jump to solution

Already has been answered in sk105261: CoreXL Dynamic Dispatcher in R77.30 / R80.10 and above

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Black_Cyborg
Participant
‎2019-09-23 01:50 AM
Jump to solution

Read this article form @HeikoAnkenbrand:

R80.x Security Gateway Architecture (Logical Packet Flow)

Timothy_Hall
Legend Legend
Legend
‎2019-09-23 07:30 AM
Jump to solution

The best way to explain the difference is to list the responsibilities of cores designated as SND and cores designated as Firewall Instances/Workers.  This information is for R80.10 and earlier:

  • SND/IRQ Core: SXL/Accelerated path packet handling, Accept Template (Connection Rate Acceleration) initial formation, NAT template initial formation (if enabled), Dynamic Dispatcher, Multi-Queue, SoftIRQ processing, antispoofing enforcement
  • Firewall Worker Core: Throughput Acceleration Path Determination (SXL/PXL/F2F), PXL path packet handling, F2F path packet handling, Priority Queues (if enabled), Rule base evaluations/matching, QXL path packet handling, virtual reassembly of IP fragments, antispoofing enforcement, Geo Policy enforcement

Due to the big changes in SecureXL, R80.20 and later is, uh, different.  I have an initial guess of the separation of duties but am still verifying it.

 

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm
pkroupod
Employee
Employee
‎2019-09-24 07:17 PM
Jump to solution

The SND performs acceleration of traffic and if traffic is not accelerated then the SND will dispatch the traffic to the firewall workers, each having their own firewall kernel instance. The SND will distribute traffic evenly based on the amount of connections, however, it may not evenly distribute the load as some connections are "heavier" than others. I believe the heaviness is based on the bit rate value, I will need to verify that. The dynamic dispatcher will be aware of how heavy the connections are, so it will better distribute the load to each firewall worker. To recap, the SND thinks that the load should be distributed based on the amount of connections, but that's not true, because some connections are heavier than others. This is where dynamic dispatcher comes to the rescue.

(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events