Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
HeikoAnkenbrand
Champion Champion
Champion

R81.x Performance Tuning Tip – HyperFlow (R81.20+)

HyperFlow will be available in future firewalls R81.20+ and is currently EA.

Integrated with additional existing gateway performance features like Dynamic Balancing, HyperFlow allows seamless gateway tuning and optimization in the way to utilize the hardware.

A growing demand to address different traffic volumes per connection, HyperFlow is designed to automatically tackle such challenges.

In computer networking, an elephant flow is an extremely large (in total bytes) continuous flow set up by a TCP flow measured over a network link. Elephant flows, though not numerous, can occupy a disproportionate share of the total bandwidth over a period of time.

An elephant flow is one single network session made up of a large flow of continuous TCP packets for example, for backup connections or large downloads.

With a single core assigned to process the trffic, there's a limit on the firewall throughput for that connection.This can lead to one core being 100% utilized while other cores do nothing. HyperFlow dynamically add more cores to process an elephant flow and increas the elephant flow througput.

For this purpose CPU cores are automatically used as PPE "parallel processing engine" core that automatically balances available PPE cores. For the management of the elefant flows there is also a PPE_MGR process, which manages the PPE processes.

Now the connection is distributed to several PPE CPU cores. This increases the throughput significantly.

More read here:
Quantum - HyperFlow, Now in EA!

An example:

1) System resources are continuously monitored to detect elephant flow.

2) When an elephant flow is detected multiple cores (PPE) are assigned to process the flow.

elephant flow.png

 

 

 

 

 

 

 

3) When the elephant flow is no longer present, the PPE cores are dynamically removed. elephant flow 2.png














Here are some deep dive informations:

The gateway should first separate between the FW instance handling the connection, and HyperFlow cores doing DPI processing. The only thing that is being shared between each FW instance and HyperFlow cores is relevant data for the DPI jobs to be processed in parallel.

Streaming and blade logic layer is still being handled by the FW instance owning the connection.

Packet flow design description:

-      This example showcases a single data packet flow

-      In this case, FW instance 1 is the connection owner

-      PPE Manager dispatches DPI jobs to PPE workers

-      Once the last job is done, a message is sent to FW, notifying that the DPI processing has been completed, allowing it to continue to outbound processing

-      PPE Manager can dispatch jobs to any PPE worker, even for the same connection, allowing multiple buffer’s jobs of the same connection to be processed concurrently

o    For example, multiple PM jobs of different buffers of the same connection can run concurrently on different PPE workers

PPE_FLOW.jpeg

Special thanks to @Chen_Muchtar  for allowing me to use this information in the forum.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
(2)
5 Replies
_Val_
Admin
Admin

Some notes:

0 Kudos
Chen_Muchtar
Employee
Employee

PPE indeed stands for 'Parallel Processing Engine' 🙂
10x!

HeikoAnkenbrand
Champion Champion
Champion

I would also have used this name PPE = "Parallel Processing Engine" if I had developed the software. Was easy to guess🙂.

---
Special thanks to @Chen_Muchtar  for allowing me to use this deep dive pictures and informations in the forum.

CUT>>>

The gateway should first separate between the FW instance handling the connection, and HyperFlow cores doing DPI processing. The only thing that is being shared between each FW instance and HyperFlow cores is relevant data for the DPI jobs to be processed in parallel.

Streaming and blade logic layer is still being handled by the FW instance owning the connection.

Packet flow design description:

-      This example showcases a single data packet flow

-      In this case, FW instance 1 is the connection owner

-      PPE Manager dispatches DPI jobs to PPE workers

-      Once the last job is done, a message is sent to FW, notifying that the DPI processing has been completed, allowing it to continue to outbound processing

-      PPE Manager can dispatch jobs to any PPE worker, even for the same connection, allowing multiple buffer’s jobs of the same connection to be processed concurrently

o    For example, multiple PM jobs of different buffers of the same connection can run concurrently on different PPE workers

PPE_FLOW.jpeg

<<<CUT

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Rasputin
Participant

Is an intressante feature that we could use.
When will R81.20 be available?

0 Kudos
Marcel_Gramalla
Advisor

The closed Early Availability is already running since December: R81.20 EA Program | Production (checkpoint.com)

So the public EA will probably start at the beginning of Q2 (my guess).

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events