Multiqueue without SecureXL
Dear all,
Due to a service-impact reason we have to disable SecureXL in our customer's production network. To improve network performance we turned on Multi-Queue on some interfaces. According to some documents and SKs I know Multi-Queue is only relevant with SecureXL enabled, but I know Multi-Queue is a Linux thing, not Check Point proprietary, so do we really not get any benefit from turning Multi-Queue on with SecureXL off?
Gateway version and Jumbo HFA level? The answer will depend quite a bit on this piece of information...
now available at maxpowerfirewalls.com
Hi,
All R80.20 with Jumbo Hotfix Take 118.
In R80.10 and earlier, SecureXL had to be enabled to use Multi-Queue due to the interaction with SecureXL automatic interface affinity, which would poll interface load every 60 seconds and shuffle interfaces around that did not have Multi-Queue enabled on the various SND/IRQ/Dispatcher cores trying to balance the load.
Automatic interface affinity as it was performed in R80.10 and earlier is gone in R80.20 and later due to the big architectural changes in SecureXL, and even when you turn off SecureXL in R80.20 and later, it is not really completely disabled quite like it was in R80.10 and earlier. If you have SecureXL disabled with fwaccel off in R80.20+ due to your issue, yes you most definitely want to keep using Multi-Queue and it will still work. If you can disable SecureXL selectively as described in these SKs that is always preferable to just turning it all off:
sk104468: How to disable SecureXL for specific IP addresses
sk151114: "fwaccel off" does not affect disabling acceleration of VPN tunnels in R80.20 and above
Starting in R80.30 with Gaia kernel 3.10, Multi-Queue is enabled by default on all interfaces except the management interface.
now available at maxpowerfirewalls.com
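Since the question is whether Multi-Queue still does anything once "fwaccel off" is in place, here is a version-independent way to see it at the Linux level, where Multi-Queue actually lives: each RX/TX queue of a NIC gets its own IRQ vector in /proc/interrupts, and with Multi-Queue active those vectors are spread over several CPUs. This is an added example, not code from the thread or from Check Point; the /proc/interrupts sample is constructed, and the vector naming (eth1-TxRx-0 and so on) is driver-dependent, which is why the match is simply "<iface>-<anything>-<number>". Check Point's own view of the same thing comes from cpmq get (R80.20) or mq_mng --show (R80.30 with the 3.10 kernel); this script only reads the kernel's counters.

```shell
#!/bin/sh
# mq_check.sh - count the per-queue IRQ vectors of an interface and the CPUs
# that have actually serviced them, using /proc/interrupts only.

# Constructed sample of /proc/interrupts (not captured from a real gateway):
# eth1 has four TxRx queues, each pinned to its own core; eth3 has one queue;
# eth2 is a legacy single-vector NIC with no per-queue vectors at all.
SAMPLE_INTERRUPTS='           CPU0       CPU1       CPU2       CPU3
  24:      10234          0          0          0   PCI-MSI-edge      eth1-TxRx-0
  25:          0       9876          0          0   PCI-MSI-edge      eth1-TxRx-1
  26:          0          0       8765          0   PCI-MSI-edge      eth1-TxRx-2
  27:          0          0          0       7654   PCI-MSI-edge      eth1-TxRx-3
  28:       4321          0          0          0   PCI-MSI-edge      eth2
  29:          0          0          0         12   PCI-MSI-edge      eth3-TxRx-0'

# mq_queue_summary IFACE < /proc/interrupts
# Prints "iface=<name> queues=<n> cpus=<m>":
#   n = number of IRQ vectors named <iface>-...-<k> (one per queue)
#   m = number of distinct CPUs that have handled at least one interrupt
#       for those vectors
# queues>1 and cpus>1 means Multi-Queue is active at the kernel level,
# whatever "fwaccel stat" says; queues<=1 means the NIC is single-queue
# (or MQ is off for it) and one SND core is taking all of its interrupts.
mq_queue_summary() {
    iface="$1"
    awk -v iface="$iface" '
        # header line: one column per CPU
        NR == 1 { ncpu = NF; next }
        # last field is the vector name, e.g. eth1-TxRx-2; columns 2..ncpu+1
        # are the per-CPU interrupt counts
        $NF ~ ("^" iface "-.*-[0-9]+$") {
            queues++
            for (i = 2; i <= ncpu + 1; i++) if ($i + 0 > 0) busy[i - 2] = 1
        }
        END {
            for (c in busy) cpus++
            printf "iface=%s queues=%d cpus=%d\n", iface, queues + 0, cpus + 0
        }'
}

# Demo on the constructed sample; on a live gateway run
#   mq_queue_summary eth1 < /proc/interrupts
printf '%s\n' "$SAMPLE_INTERRUPTS" | mq_queue_summary eth1
printf '%s\n' "$SAMPLE_INTERRUPTS" | mq_queue_summary eth2
printf '%s\n' "$SAMPLE_INTERRUPTS" | mq_queue_summary eth3
```

Run it twice a minute apart and compare the counts if you want to know which cores are servicing a queue right now rather than since boot; a queue whose counter only grows on one CPU column is effectively pinned to that SND core.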
Hi Mr. Hall,
Thanks for your reply, it really helps. Unfortunately sk104468 won't do the trick because it's a CDN service; we cannot predict which IP address would be used.
Do you know which port(s) the CDN is using? If so you can use the little-known tcp_f2f_ports directive mentioned in that SK to force certain ports F2F regardless of IP address.
now available at maxpowerfirewalls.com
It's HTTPS connections, so I think disabling that port is almost equal to disabling all traffic from getting into SecureXL.
Hi,
Okay, I'll try to explain this with my poor English.
As you can see in the topology below:
The client is using firewall PBR and a transparent proxy for internet access.
All client HTTP/HTTPS traffic goes through the core switch -> CP15600, then F5; F5 distributes the web service to the proxy servers, and the proxies then do the internet service for the clients.
Most web pages are OK, except this important one:
https://www.tycc.gov.tw/LiveVideo/history.aspx
It's a live video history link; you may click on any square to see one of the Taiwan parliament live stream backups. From the source code of any video clip, you can see the video was uploaded to the following link:
jwplayer("__CCDNPlayer1081118").setup({
    'width': '100%',
    'height': '100%',
    // HLS playlist served by the CDN host; this is the URL the player fetches
    file: "https://flv.ccdntech.com/vod/_definst_/mp4:vod166/vod166_Live/20191118105959_live_dms.mp4/playlist.m3u8?wowzaplaystart=1795000",
    autostart: true,
    // ... remaining setup options not shown in the post
});
With PBR + transparent proxy, most clients can't replay these videos; they tried so many times and only 1 or 2 times could it display.
If traffic is not going through F5 (no proxy), everything is fine, but that's not allowed.
If the client uses an explicit proxy (manually configured on the browser), everything is fine, but that's not possible; they claimed the former firewall (Fortigate) didn't need that.
If I turn off SecureXL, everything is fine, and that's what they can accept, but I'm afraid of I/O issues, so I turned on Multi-Queue and gave 2 more cores to SND (there are 16 cores on the CP15600).
Any better idea would be appreciated.
As this is a deep SecureXL PBR issue, what is the statement from TAC / R&D here?
Specifically because disabling SecureXL should never be the solution to a problem.