Slides are linked below with Q&A.
Is Hyperflow Supported with Maestro and/or VSX?
Yes to both.
Hyperflow requires at least 8 cores. Is there a solution when you have less cores?
With less cores available, there are less opportunity to allocate cores without negatively impacting other traffic. However, it can be enabled if GNAT is enabled (see sk165153), which is disabled by default on machines with less than 8 cores.
Has there been any real world feed back of this technology?
Yes, we're constantly monitoring the feature and observed both a throughput increase and reduction of CPU spikes.
What Appliances are Supported?
As of this writing:
- All models in these series: 7000, 15000, 16000, 23000, 26000 and 28000
- 5000 series: 5600, 5800 and 5900
- 6000 series: 6200T, 6400, 6500, 6600, 6700, 6800 and 6900
The 3000 Series appliances are not supported at this stage.
What About Open Servers or Gateways on AWS/Azure/GCP
Not at this stage.
Note that support on Open Servers will require an RFE with your local Check Point office.
Is this supported on Quantum Spark appliances, particularly the 1600/1800 appliances?
Not currently.
How does Hyperflow combine with ClusterXL regarding session sync?
The session/connection is still handled by the FW worker, which syncs the connection to the other members, hence HyperFlow has no impact on the sync operation.
Doesn't the PPE also handle Hash calculations for Abot? Or is it just PM?
Hash (AV) for supported protocols is also handled in HyperFlow
What is the order of packet handling?
The streaming layer create a data stream which allow the DPI layer to see the data in order.
Is there a way to ensure that a number of cores are not used Hyperflow to protect against using too many cores for a large flow?
Dynamic Balancing controls the HyperFlow's PPE threads, and periodically samples the system to ensure the total throughput of the system will be prioritized over the Elephant Flow.
Does HyperFlow also affect/enhance Fast Acceleration traffic?
No, HyperFlow is able to accelerate only Medium path connections. This means that traffic that stays largely in the Accelerated path will not be accelerated by this feature. For VPN traffic, this means the encryption/decryption won't be accelerated, but any deeper inspection that occurs in Medium Path can be accelerated.
Quik support?
We currently don’t support QUIC inspection (even outside of Hyperflow). This is on the roadmap.
Any other hidden flags for print_heavy_conns other than --pretty? That was cool.
The --pretty flag will be integrated in the upcoming R81.20 JHFs. There will also be flags proving more information on the heavy connection. All of those will be documented in the relevant SK.
Does QoS/Shaping work with Hyperflow?
QoS does work with HyperFlow
Can this help with SMB/CIFS traffic?
Not currently, it is on the short term roadmap.
Didn't the pipeline paths appear in a R80.40 Jumbo HFA? Can they be enabled with TAC's help in earlier versions prior to R81.20?
It was related to Kernel FW feature which came before HyperFlow. The feature was later deprecated.