With R81.20 and later, Maestro offers an interesting performance feature:
Maestro Fastforward (Fast Accel) - significantly improved throughput and latency for trusted connections. Maestro Fastforward offloads Accept or Drop policy rules to the Maestro Hyperscale Orchestrator (MHO) level for hardware acceleration.
To support high-speed, high-volume transaction environments (e.g. digital trading), Maestro now offers accelerated data paths with higher throughput and lower latency, based on predefined rules ("Fastforward").
How it works:
Policy
The administrator marks the rules to be offloaded to the Orchestrator by giving their rule names a specific prefix (the prefix is configurable). During policy installation, the marked rules are translated into Access Control Lists (ACLs) and offloaded to the Orchestrator, which enforces them at the hardware level.
The offloaded rules are translated into stateless ACLs, so they are enforced without the full stateful inspection the Security Group would otherwise apply. This is why Fastforward is intended for trusted connections only: whatever a prefixed Accept rule matches bypasses stateful inspection once it is offloaded. For TCP Accept rules, the SYN packet is still sent to the Security Group; processing is then handed over to the MHO via the API starting with the second packet.
Routing
To accelerate a trusted connection on the Orchestrator at Layer 3 (routing), the Orchestrator has to know the Security Gateway's networking information so it can send the packet out of the correct egress interface to the correct next hop. The Orchestrator must have the same view of the topology as the Security Gateway. Therefore, the feature replicates the Security Gateway's / Virtual System's routing topology to the Orchestrator, where the accelerated traffic is forwarded. This forwarding logic runs at the hardware level.
Restrictions in version R81.20:
- Fastforward acceleration is not supported for directly connected subnets. In R81.20 the networks must be connected via a router.
- The Management interface is not supported.
- When accelerating traffic through a bond interface, egress traffic goes out through only one subordinate interface (per MHO).
- For UDP connections the Security Group does not generate logs (for TCP connections the Security Group generates a corresponding log).
Supported deployment types:
- Single site, dual site
- One or two MHOs per site
- Gateway or VSX mode (in VSX the configuration is done per Virtual System)
Enable Fastforward:
1) Connect to the Maestro Security Group via gclish.
2) Configure the prefix for the Access Control rules and switch the feature on:
> set maestro fastforward rulebase-prefix enable prefix fast_rule
> set maestro fastforward state on
3) Connect with SmartConsole to the Management Server and create Access Control rules whose names start with the prefix you configured, then install policy.
If your prefix is set to "fast_rule", name the policy rules "fast_rule_1", "fast_rule_2", and so on.
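Before naming rules with the prefix, it is worth checking which rules would actually be offloaded and which of the R81.20 restrictions above they trip. The following Python script is an added example for this post, not Check Point code and not part of the product: it applies the prefix matching from the enable procedure and the restrictions from the "How it works" and "Restrictions" sections to a rulebase. The Rule fields, the assumption that prefix matching is a plain string prefix, the warning codes and the sample rules are all constructed here; in practice you would flatten the rules out of the Management API output first.

```python
"""Pre-flight audit of Access Control rules before enabling Maestro Fastforward.

Hypothetical helper (not Check Point code). The Rule shape and the sample
rulebase below are constructed for this example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, List

# Prefix configured with: set maestro fastforward rulebase-prefix enable prefix fast_rule
PREFIX = "fast_rule"


@dataclass
class Rule:
    name: str
    action: str               # Check Point action name, e.g. "Accept", "Drop", "Reject"
    sources: List[str]        # CIDR strings (assumed already resolved from objects)
    destinations: List[str]   # CIDR strings
    protocols: List[str]      # "tcp", "udp", ... of the services in the rule


@dataclass
class Finding:
    rule: str
    offloaded: bool           # would this rule be translated into a stateless MHO ACL?
    warnings: List[str] = field(default_factory=list)


def audit_rulebase(rules: List[Rule], prefix: str, connected_subnets: List[str]) -> List[Finding]:
    """Return one Finding per rule: whether Fastforward would offload it (name
    prefix + Accept/Drop action) and which R81.20 restrictions it trips."""
    connected = [ip_network(n) for n in connected_subnets]
    findings = []
    for r in rules:
        f = Finding(rule=r.name, offloaded=False)
        findings.append(f)
        if not r.name.startswith(prefix):
            continue  # stays on the Security Group with full stateful inspection
        if r.action.lower() not in ("accept", "drop"):
            f.warnings.append(
                f"ACTION_NOT_OFFLOADABLE: action {r.action!r} is neither Accept "
                "nor Drop; only those are translated to ACLs (assumption: the rule "
                "then stays on the Security Group)")
            continue
        f.offloaded = True
        # Restriction: no Fastforward for directly connected subnets in R81.20
        for cidr in r.sources + r.destinations:
            net = ip_network(cidr)
            hit = next((c for c in connected if net.overlaps(c)), None)
            if hit is not None:
                f.warnings.append(
                    f"DIRECTLY_CONNECTED: {cidr} overlaps attached subnet {hit}; "
                    "R81.20 needs a router between the networks")
                break
        # Restriction: offloaded UDP connections produce no Security Group log
        if "udp" in (p.lower() for p in r.protocols):
            f.warnings.append(
                "UDP_NO_LOG: Security Group generates no log for offloaded UDP "
                "connections (TCP is logged)")
    return findings


# Constructed sample: subnets directly attached to the Security Group
CONNECTED_SUBNETS = ["10.1.1.0/24", "192.168.10.0/24"]

# Constructed sample rulebase
SAMPLE_RULES = [
    Rule("fast_rule_1", "Accept", ["10.20.0.0/16"], ["10.30.0.0/16"], ["tcp"]),
    Rule("fast_rule_2", "Accept", ["10.20.0.0/16"], ["10.1.1.50/32"], ["udp"]),
    Rule("fast_rule_3", "Drop", ["10.40.0.0/16"], ["10.30.5.0/24"], ["tcp", "udp"]),
    Rule("fast_rule_4", "Reject", ["10.20.0.0/16"], ["10.30.0.0/16"], ["tcp"]),
    Rule("web_inbound", "Accept", ["0.0.0.0/0"], ["10.30.0.10/32"], ["tcp"]),
]


def audit_sample() -> Dict[str, Finding]:
    """Run the audit over the constructed sample, keyed by rule name."""
    return {f.rule: f for f in audit_rulebase(SAMPLE_RULES, PREFIX, CONNECTED_SUBNETS)}


if __name__ == "__main__":
    for name, finding in audit_sample().items():
        state = "OFFLOADED" if finding.offloaded else "stateful  "
        print(f"{state} {name}")
        for w in finding.warnings:
            print(f"    ! {w}")
```

Every rule the script reports as OFFLOADED loses stateful inspection for whatever it matches, so the scope of each prefixed Accept rule deserves a second look before policy installation; a rule that trips DIRECTLY_CONNECTED should be renamed (or the topology changed) rather than installed, since R81.20 does not support that case.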
Further reading:
R81.20 Admin Guide -> Fastforward
➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips