Timothy_Hall
Legend

R80.40 Addendum for "Max Power 2020" Now Available!

Hi Everyone,

At long last the R80.40 addendum for my book "Max Power 2020: Check Point Firewall Performance Optimization" is available for free download at http://www.maxpowerfirewalls.com.  30+ pages of updates for version R80.40, along with new tips and tricks for getting the most out of your firewall!

I'd like to thank Check Point R&D, @_Val_ , @PhoneBoy, and @Robert_Elliott for reviewing portions of the addendum to ensure accuracy and completeness.  Thanks and enjoy!

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
10 Replies
HeikoAnkenbrand
Champion

Hi @Timothy_Hall,

This is a very helpful and interesting book. 👍
I can recommend it to everyone.

Thanks
Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Danny
Champion

Thanks for all your efforts keeping the book up-to-date. 👍

0 Kudos
Timothy_Hall
Legend

The addendum has been out just 2 days and already needs an update, sigh...

Note that the long-term fix for the TLS parser being inappropriately invoked with certain blade combinations has just been fixed in R80.40 Jumbo HFA Take 78+; this was referenced in the update for p. 239 of the book in the addendum.  This fix is also going to be backported into R80.20 and R80.30 Jumbo HFAs as well.  It is always preferable to have this fix present if possible rather than manually tampering with the state of the TLS parser, as doing so can cause further problems.

0 Kudos
Timothy_Hall
Legend

Just an update from @Guy_Israeli, the license enforcement on open hardware for virtual cores with SMT enabled is not currently active, but will be enforced in the near future.  Note that this could lead to a situation where the extra cores created by enabling SMT on open hardware are initially allowed to be used, but then they suddenly aren't allowed after a code upgrade or Jumbo HFA application.

https://community.checkpoint.com/t5/VSX/R80-40-VSX-VSLS-JHF-Take-77-on-Openservers-has-Multi-Queue-a...

0 Kudos
Timothy_Hall
Legend

License enforcement for SMT cores on open hardware is planned to resume in version R81.10:

https://community.checkpoint.com/t5/VSX/R80-40-VSX-VSLS-JHF-Take-77-on-Openservers-has-Multi-Queue-a...

 

0 Kudos
Timothy_Hall
Legend

Update: the fix for the TLS parser issue mentioned in the p. 239 addendum note has been integrated into R80.40 Jumbo HFA Take 78+, R80.30 Jumbo HFA Take 219+, and R80.20 Jumbo HFA Take 183+.   See sk166700: High CPU after upgrade from R77.x to R80.x when running only Firewall and Monitoring blade....

0 Kudos
Timothy_Hall
Legend

p. 332: IPSec VPN traffic utilizing the SHA-384 algorithm can now be accelerated by SecureXL in R80.30 Jumbo HFA 221+ and R80.40 Take 87+.  See sk168336: VPN traffic (after encryption) is not visible via tcpdump and does not arrive at the remot...

0 Kudos
FedericoMeiners
Advisor

@Timothy_Hall 

Thanks for the ongoing effort and creating great materials.

Can't stress enough how necessary this book is if you are into Check Point.

 

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos
Timothy_Hall
Legend

p. 221: If possible, do not set an R80.40 firewall's management interface to a NIC that is carrying a heavy amount of production traffic, to avoid possible frame loss (RX-DRP as shown by the command netstat -ni) caused by the lack of Multi-Queue on that interface. If the management interface has been changed from a busy production interface and Multi-Queue is still not active on that busy interface (use the expert mode mq_mng -o -vv command to check this), see this SK: sk167200: Multi-queue state is "off" when changing the management interface.  It appears that the restriction blocking the activation of Multi-Queue on the firewall's management interface has been lifted in R81.

Edit: Support for enabling Multi-Queue on the management interface under R80.40 was added in Jumbo HFA Take 78+.

0 Kudos
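Added example, not part of the post above or of Check Point's tooling: a shell function that reads netstat -ni output and lists interfaces whose RX-DRP count is a notable fraction of RX-OK, which is the frame-loss symptom the p. 221 note describes. The sample output is constructed, and the 0.1% default threshold is an assumption of this example, not a figure from the thread.

```shell
# Constructed sample of `netstat -ni` output (not captured from a real gateway).
sample_netstat() {
cat <<'EOF'
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
Mgmt   1500   0 8000000      0  12000      0 7900000      0      0      0 BMRU
eth1   1500   0 9000000      0     90      0 8800000      0      0      0 BMRU
lo    65536   0   50000      0      0      0   50000      0      0      0 LRU
EOF
}

# rx_drp_report [threshold_pct]
# Reads `netstat -ni` text on stdin and prints "iface rx_ok rx_drp pct" for
# every interface whose RX-DRP/RX-OK percentage is at or above the threshold
# (default 0.1, an assumed value). Columns are located by header name because
# some net-tools builds omit the "Met" column, which shifts field positions.
rx_drp_report() {
    awk -v thr="${1:-0.1}" '
        $1 == "Iface" {
            for (i = 1; i <= NF; i++) col[$i] = i
            have_hdr = 1
            next
        }
        have_hdr && NF >= col["RX-DRP"] {
            ok = $(col["RX-OK"]); drp = $(col["RX-DRP"])
            # Skip rows without numeric counters and idle interfaces.
            if (ok !~ /^[0-9]+$/ || drp !~ /^[0-9]+$/ || ok == 0) next
            pct = 100 * drp / ok
            if (pct >= thr) printf "%s %d %d %.3f\n", $1, ok, drp, pct
        }
    '
}

# Demo on the constructed sample; on a gateway use: netstat -ni | rx_drp_report
sample_netstat | rx_drp_report 0.1
```

An interface flagged here is the one to check for Multi-Queue state with the mq_mng command quoted in the post.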
Timothy_Hall
Legend

Be aware that enabling "Wire Mode" will cause all VPN traffic to go F2F 100% of the time: https://community.checkpoint.com/t5/General-Topics/SecureXL-100-F2Fed-80-30/m-p/95704

Edit: Check Point has created an SK for this issue: sk170133: Acceleration does not work when using wire mode with SecureXL enabled

0 Kudos
