HeikoAnkenbrand
Champion

R81.20 - Performance Tuning Tip - Maestro Fast Forwarding

Maestro offers with R81.20+ an interesting performance feature in the future:

Maestro Fastforward (Fast Accel) - Significantly Improved throughput and latency for trusted connections. Maestro Fastforward offloads accept or drop policy rules to the Maestro Hyperscale Orchestrator level for hardware acceleration.

To support high-speed, high-volume transaction environments (e.g. digital trading), Maestro now offers accelerated data paths for higher throughput and lower latency based on predefined rules (“Fast Forwarding”).


➜ CCSM Elite, CCME, CCTE
6 Replies
genisis__
Advisor

Would I be correct in saying that the total concurrent connections would be the number of gateways divided by 2 within the Security Group?

0 Kudos
Timothy_Hall
Champion

Not quite.  As mentioned in the new Maestro Expert R81.10 class now available at many ATCs, the published maximum number of concurrent connections associated with a certain gateway model and its installed RAM must be cut in half for Maestro operation, due to the way Hypersync works.  However if one were to assume that all traffic was NATted through the Maestro security group it would now be 25% of the published maximum.  This is unavoidable and is not dependent on how many gateways are part of the security group.

Example: The Security Gateway appliance 16200 data sheet states that for this gateway with the standard 48GB of RAM, up to 8 million concurrent connections are supported when acting as a regular gateway. With the maximum 128GB of upgraded RAM on a 16200 acting as a standard gateway, up to 32 million concurrent connections are supported.  With fully-loaded RAM in this model,  16 million concurrent connections are supported in a Maestro security group, but only 8 million concurrent if one were to assume all connections were subject to NAT which would not be unrealistic at the Internet boundary.

As the course states, it is strongly recommended to install the maximum amount of RAM if possible on gateways that will be used for Maestro.  It would take a while to explain why Hypersync causes this effect, but essentially for HyperSync to incur such low overhead and an amazingly minuscule 1% performance penalty for each new gateway added to the security cluster, the big tradeoff is higher memory consumption to keep track of everything.

Watch My 2023 CPX360 Speech Titled "Max Power Reloaded: R81+ Gateway Performance Innovations"
genisis__
Advisor

Is this the same for R80.20SP as well?  

Are there any ATRG papers I can review, as I can find this information on the Check Point site.

0 Kudos
Timothy_Hall
Champion

Yes, I believe the same concurrent connection limits apply to R80.20SP; I don't think Hypersync has changed much fundamentally from R80.20SP to R81.10.

The source for the maximum number of concurrent connections under Maestro was taken from this article which is in the Partner community section, and you therefore may not be able to access it:

https://community.checkpoint.com/t5/Partner-Community/Maestro-POC-Best-Practices/m-p/112401

The new official Maestro Expert R81.10 ATC-based course has all this information in the courseware, which pulled together many, many sources for its content.  I know this because the current Maestro Expert R81.10 course offered by ATCs is based on a private 2-day Maestro class I myself created for a very large customer, then Check Point acquired the material and adapted it for the official course we have available today.  The class is the best single source for all the Maestro material out there as of R81.10 because to create the class I had to read through, absorb, and compile the course material from all these sources:

270+ SK articles
300+ CheckMates Maestro-related threads
15 Slide decks from Maestro-based presentations
1000+ pages of official documentation

My company Shadow Peak is not able to run the official Maestro classes going forward due to hardware limitations, so the above is not just a sales pitch for my own benefit.  Give the Maestro Expert R81.10 course material a look, you won't be disappointed and you'll want to attend the class.  @Anatoly @Lari_Luoma care to comment?

0 Kudos
Lari_Luoma
Ambassador

@Timothy_Hall I cannot comment on the material you mentioned as I haven't seen it. We have our own 2-day Maestro workshop and training in Professional Services that we have successfully used to train customers, partners and our internal staff. The benefit of this class is that it is constantly being updated and can be customized with customer-specific needs if necessary.

0 Kudos
Lari_Luoma
Ambassador

@genisis__ 

Let's talk about the concurrent connections in Maestro.

Disclaimer:
The calculation below is not 100% accurate because of different traffic shapes and sync configurations (not all connections are synchronized, very short-lived connections, etc.)

DS = Data Sheet number

1 SGM = DS
2 SGMs = the same as with 1 SGM due to active/backup connections synchronizing
3-n SGMs = DS+(n-2) x DS/2

Example:

With maximum memory, the 7000 appliance has 16 million connections as its data sheet value for concurrent connections.

With five 7000 appliances in the security group the calculation would be approximately:

16 + (5-2) x 16/2 = 40 M

Maximum concurrent connections for 5 x 7000 appliances would be thus about 40 Million.

0 Kudos