Thats good point, for sure...sometimes, as crazy as it sounds, but 8 cores might not be enough to solve elephant flows problem.

This is a solution in search of a problem (that doesn't exist).

If they honor DSCP PHB like they should, as per RFC-4594, then downstream devices can mark exceeding packets as CS1 and then FloodGate can just rate that at 10mbps.  Deal with the problem at the source, like RFC-4594 says.  "Mark as close to the source as possible".  Likewise, if a clever user tries to mark their packets as EF, that's a problem best-handled by the downstream switches.  They should be remarking incoming frames absolutely and not trust DSCP or CoS.

If the topology table already considers non-external interfaces as "trusted", then what's the problem?  Are those interfaces trusted or not?  "External" topology interfaces should have the option to trust DSCP or not (default to untrusted, but give the option to trust; there's a LOT more DSCP on the network than one may realize, including ECN, and it works).  Seems like Check Point is not honoring RFC-4594.

Are you sure you are responding to the right thread? Does not look like it.

HyperFlow boosts elephant flow by processing it on multiple cores in parallel, a minimum of 8 cores is required to allow optimal resource management of the system.

Openserver support will be addressed in future JHFs

Is / will VSX be supported aswell?

regards,
Magnus

Yes, VSX is supported 

awesome! will it require 8 vs instances or how is it "enabled" when it comes to VSX?

The requirement in VSX is 6 FWK cores, not instances

Question:

When you say 8 cores, do you mean 8 worker cores?  If so, this in affect would mean an appliance/openserver with more then 8 cores is required as clearly SND cores would need to be factored in.  This would then imply that we would require a minimum 10 cores, including SNDs.

So absolutely this is great milestone, but we are talking highend appliances could realistically benefit from this.

Hyperflow 2.0 ... objective, get this down to a minimum of 3 worker cores, and 1 SND 😉

8 logical cores, in this case:
w/o HyperFlow: 2 SNDs, 6 FW instances
w/ HyperFlow: 2 SNDs, 2 PPE MGR, 2 PPEs, 2 FW instances

The assumption is way too liberal. 😀

Similar to Dynamic Balancing, HyperFlow can be available with 8 or more cores, as @Chen_Muchtar already mentioned

Will checkpoint plan to address this on lower end appliances?  In most cases people would have 52, 62, 64 or even 6600 appliances where elephant flows are more likely to be seen (again making an assumption here).

All with 8 or more CPUs. I actually misread your statement and thought you were talking about SP series.

Not an assumption, seen it happen before. Though, not too often, but does happen.

Regardless of amount of CPUs, we consider an elephant flow a.k.a. a heavy connection when:

• Specific instance CPU is over 60%
• Suspected connection lasts more than 10 seconds
• Suspected connection utilises more than 50% of the total work the instance does

As an example, for a single FWK instance, if it runs 60% of utilization, one single connection should be taking 30% or more. The "classic" cases are: DB replication, backups, VM migrations, and other data transfers between one source and one destination IPs.

The first condition of overall 60% CPU utilization is indeed more common to the situations where your appliance already is running high CPUs. However, you can also have that situation happening on a machine with many cores, where just one of them is too busy, and others are mostly idle. The recent example from today's community thread is here.

Just a few cores, or many of them, one specific FWK is suffering from a massive data transfer all the same. Before HyperFlow, we had Priority Queues and fast_access to work those issues around, now can leverage multiple CPUs for a single connection. With is, in my book, HUGE.

Maestro is supported 

Agreed and great questions!

This leads me to ask if CPAS (Active Streaming) and security blade/malware detection is handled with Hyperflow?

I currently have a customer that shows zdebug drops when trying to download very large files. TAC case in progress.

PPE worker is capable to process hash of large files for AV blade in order to detect malware.

If CPAS is active over heavy connection supported by HyperFlow, and AV blade is enabled, the Hash calculation will be performed by PPE.

Tom - feel free to contact me offline @ chenmu@checkpoint.com to review your customer env. for this matter  

We should first separate between the FW instance handling the connection, and HyperFlow cores doing DPI processing. The only thing that is being shared between each FW instance and HyperFlow cores is relevant data for the DPI jobs to be processed in parallel.

Streaming and blade logic layer is still being handled by the FW instance owning the connection.

Packet flow design description:

-      This example showcases a single data packet flow

-      In this case, FW instance 1 is the connection owner

-      PPE Manager dispatches DPI jobs to PPE workers

-      Once the last job is done, a message is sent to FW, notifying that the DPI processing has been completed, allowing it to continue to outbound processing

-      PPE Manager can dispatch jobs to any PPE worker, even for the same connection, allowing multiple buffer’s jobs of the same connection to be processed concurrently

o    For example, multiple PM jobs of different buffers of the same connection can run concurrently on different PPE workers

Regarding FW monitor, it is a networking focused tool (output can be parsed by wireshark, for example), as such, it is built to work with packets as a whole.
Since HyperFlow works at the parser level, which dissects the TCP data into different segments, it uses other monitoring tools, such as connection tracker.

It would be really nice to release a video demoing this from setup

What setup? HyperFlow, similar to Dynamic Balancing, is automated, and works out of the box with 8 or more cores.

Hi @Chen_Muchtar,

Thanks for the detailed description.
👍

Yes