Here is the video recording:
Selected Q&A below.
Slides are attached.
What features does Lightspeed support on QLS/MLS appliances?
Currently, firewall only without VPN will be accelerated on the SmartNIC. Traffic that utilizes other blades will work the same as it does on other Quantum appliances without SmartNIC acceleration. We will share a list of working features in the initial phase with limitations. In later phases, we will support VPN acceleration and TLS encryption/decryption for SSL Inspection. We plan to support all features in Lightspeed.
Are the MLS appliances specific to Maestro?
QLS appliances can also be used with Maestro.
What code release do the QLS/MLS appliances run?
It will be the standard R81.10 release with a standard JHF in the first release, followed by R81.20.
Which QLS can be recommended as a replacement for a 5600?
QLS250 is the smallest appliance offered with the Lightspeed capability.
Are elephant flows an issue?
Firewall-only elephant flows will not be an issue, as they are accelerated in the SmartNIC.
When is VSX planned to be supported?
Target is Q3 2022.
How does acceleration on the NIC affect troubleshooting tools like tcpdump and fw monitor?
Currently, only tcpdump is supported for capturing packets. All other standard SecureXL troubleshooting should still apply.
Are the SmartNICs available for regular Quantum Security Gateways?
No, only on the QLS and MLS appliances.
Are all Inspection Settings supported in Lightspeed?
Only traffic that is fully accelerated by SecureXL is supported, which would exclude many of the Inspection Settings.
Is there a roadmap to utilize VMware host ConnectX NICs to be mapped into the Check Point VM, so that the CloudGuard gateway could leverage the VM host's ASICs?
This is under discussion, but no plans just yet.
What is the performance between different Lightspeed SmartNIC cards on the same appliance?
We can only accelerate traffic between ports on the same SmartNIC.
Is there a specification about Firewall Only Flows? For example, CIFS?
Firewall only means all connections that don't require deep packet inspection or additional parsing. For example, if DCERPC is defined in the rulebase, we need to run additional protocol parsers and that traffic will not be accelerated. If it is an access rule for TCP port 445, that will be accelerated.
If I understand right, the bond interfaces with ports on different cards don't work with full acceleration?
It will eventually be supported with SW hairpinning.
How is NAT performed?
It works the same as it does with the regular SecureXL NAT acceleration, based on relevant rules and tables.
How do we view the Lightspeed accelerated flows?
It's the same as it is for regular SecureXL flows.
What is the target release for the SSL acceleration on QLS/MLS?
We are working on the integration with Nvidia and do not have a final date yet.
Are hit counters still available for security policy & NAT policy for accelerated traffic?
Yes, as this information comes from SecureXL.
Is there any plan to integrate rulebase offloading or high-session rate protection into the SmartNIC cards?
Yes.
First packet will always go F2F for rulebase lookup, so no accept templating at Lightspeed level?
Correct, it should happen at the SIM driver (SecureXL) level.
Are there plans for Identity Awareness LDAP based rules to be supported by this?
This is already supported.
Are 1GB ports supported?
10GB ports support 1GB speeds; however, this is not supported in the initial release.
Is it possible to manually drop an accelerated connection? (similar to: fw tab -t connections -x <VALUES>)
Yes.