HeikoAnkenbrand
Champion

Performance Tuning Tip – Lightspeed Appliance

Lightspeed Overview


The new Quantum Lightspeed firewalls (QLS250, QLS 450, QLS 650, QLS 800) deliver much higher performance because they use NVIDIA ASICs on ConnectX NICs with accelerated packet processing technology.

Faster firewall security at line-rate speed

- 250 to 800 Gbps hyper-fast throughput
- Ultra-low latency at 3 µs (10x faster than GAIA software)
- Scalability up to 3 Tbps with Maestro (MLS 200, MLS 400 - available Q2/2022)
- Acceleration of elephant flows

Lightspeed Design


Only traffic on the same NVIDIA network card can be accelerated by Lightspeed.
Network traffic between different network cards cannot be accelerated by Lightspeed (uses regular flow and speed).
An important point at the moment is that only firewall traffic can be optimised via Lightspeed on the same network card. As soon as traffic has to be analysed by the F2F path or the PSLXL path - for example by the IPS blade - the connection is not optimised by Lightspeed.

The Security Gateway does not support these features when you install an NVIDIA 2-port 100G card:

- ClusterXL in the Load Sharing mode or Active-Active mode.
- VSX mode
- SecureXL Drop Templates (see sk153832).
- VRRP Cluster.
- Rate Limiting rules for DoS Mitigation configured with the commands 'fwaccel dos deny' and 'fwaccel dos allow' (see sk112454).

How does it work?


1) The first packet of every connection is validated by a security policy check in the CoreXL instance.

2) The approved traffic flow is offloaded to the Quantum Lightspeed ASIC via the rte_flow API.

3) Subsequent packets are secured by accelerated packet processing on the NVIDIA ASIC.

NVIDIA accelerated packet processing supports the following features on ASIC:
- TCP state validation
- Tunneling and NAT support
- Header validation
- Accelerated firewall packet flow

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
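
The three steps and the design limits described in the post, as a simplified planning model. This is an added example, not Check Point or NVIDIA code and not part of the original post; the interface names, the rule base and the `needs_inspection` flag (standing for traffic that goes to the F2F or PSLXL path) are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed port-to-NIC mapping (assumption; real interface names differ).
NIC_OF = {"eth1-01": "nic1", "eth1-02": "nic1", "eth2-01": "nic2"}

# Constructed rule base: (dst port or None for any, action, needs_inspection).
# needs_inspection stands for traffic sent to the F2F or PSLXL path, e.g. IPS.
RULES = [(443, "accept", True), (2049, "accept", False), (None, "drop", False)]

@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int
    in_if: str
    out_if: str

def policy_check(conn, rules):
    """Step 1: first-match policy lookup for the first packet."""
    for dport, action, inspect in rules:
        if dport is None or dport == conn.dport:
            return action == "accept", inspect
    return False, False  # nothing matched: drop

class Gateway:
    def __init__(self, rules):
        self.rules = rules
        self.asic_flows = set()  # connections offloaded to the NIC ASIC
        self.sw_flows = set()    # accepted connections left on the regular path

    def handle(self, conn):
        """Return which component handles this packet of the connection."""
        if conn in self.asic_flows:
            return "asic"        # step 3: subsequent packets stay on the ASIC
        if conn in self.sw_flows:
            return "software"
        accepted, inspect = policy_check(conn, self.rules)
        if not accepted:
            return "drop"
        same_nic = NIC_OF[conn.in_if] == NIC_OF[conn.out_if]
        if same_nic and not inspect:
            self.asic_flows.add(conn)  # step 2: offload the approved flow
        else:
            self.sw_flows.add(conn)    # cross-NIC or inspected: no offload
        return "policy"          # the first packet is handled in software
```

Feeding the model a planned interface layout and rule base shows which connections would stay on the regular path because they cross network cards or need blade inspection.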