This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
pkroupod
Employee
Employee
‎2019-09-22 06:31 PM

Difference between the Secure Network Distributor (SND) and CoreXL Dynamic dispatcher?

Jump to solution

Can someone please give a clear explanation, what is the difference between the Secure Network Distributor (SND) and CoreXL Dynamic dispatcher?

1 Solution

Accepted Solutions
pkroupod
Employee
Employee
‎2019-09-24 07:17 PM

Jump to solution

The SND performs acceleration of traffic and if traffic is not accelerated then the SND will dispatch the traffic to the firewall workers, each having their own firewall kernel instance. The SND will distribute traffic evenly based on the amount of connections, however, it may not evenly distribute the load as some connections are "heavier" than others. I believe the heaviness is based on the bit rate value, I will need to verify that. The dynamic dispatcher will be aware of how heavy the connections are, so it will better distribute the load to each firewall worker. To recap, the SND thinks that the load should be distributed based on the amount of connections, but that's not true, because some connections are heavier than others. This is where dynamic dispatcher comes to the rescue.

View solution in original post

5 Replies
Martin_Valenta
Advisor
‎2019-09-23 01:10 AM

Jump to solution
Great question from employee..
G_W_Albrecht
Champion
Champion
‎2019-09-23 01:28 AM

Jump to solution

Already has been answered in sk105261: CoreXL Dynamic Dispatcher in R77.30 / R80.10 and above

0 Kudos
Black_Cyborg
Participant
‎2019-09-23 01:50 AM

Jump to solution

Read this article form @HeikoAnkenbrand:

R80.x Security Gateway Architecture (Logical Packet Flow)

Timothy_Hall
Champion
Champion
‎2019-09-23 07:30 AM

Jump to solution

The best way to explain the difference is to list the responsibilities of cores designated as SND and cores designated as Firewall Instances/Workers.  This information is for R80.10 and earlier:

  • SND/IRQ Core: SXL/Accelerated path packet handling, Accept Template (Connection Rate Acceleration) initial formation, NAT template initial formation (if enabled), Dynamic Dispatcher, Multi-Queue, SoftIRQ processing, antispoofing enforcement
  • Firewall Worker Core: Throughput Acceleration Path Determination (SXL/PXL/F2F), PXL path packet handling, F2F path packet handling, Priority Queues (if enabled), Rule base evaluations/matching, QXL path packet handling, virtual reassembly of IP fragments, antispoofing enforcement, Geo Policy enforcement

Due to the big changes in SecureXL, R80.20 and later is, uh, different.  I have an initial guess of the separation of duties but am still verifying it.

 

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
pkroupod
Employee
Employee
‎2019-09-24 07:17 PM

Jump to solution

The SND performs acceleration of traffic and if traffic is not accelerated then the SND will dispatch the traffic to the firewall workers, each having their own firewall kernel instance. The SND will distribute traffic evenly based on the amount of connections, however, it may not evenly distribute the load as some connections are "heavier" than others. I believe the heaviness is based on the bit rate value, I will need to verify that. The dynamic dispatcher will be aware of how heavy the connections are, so it will better distribute the load to each firewall worker. To recap, the SND thinks that the load should be distributed based on the amount of connections, but that's not true, because some connections are heavier than others. This is where dynamic dispatcher comes to the rescue.

View solution in original post