Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
PhoneBoy
Admin
Admin

Security Gateway Performance Optimization Excerpt

30 Replies
Ali_Korkmaz
Contributor

Hello,

This video does not work, is there another link? 

0 Kudos
_Val_
Admin
Admin

This is a 2 minute teaser. The full video link is mentioned above as well

0 Kudos
Ali_Korkmaz
Contributor

I tried  link of full video but it did not work.  You can view the video? 

0 Kudos
_Val_
Admin
Admin

Yes, the video is available and works all right. It is in the members exclusive section, so please make sure you are logged in when watching. If it is still not working for you, please clean your browser cache and try again.

0 Kudos
Ali_Korkmaz
Contributor

Firstly thanks for your quick reply. I am logged to community with my account on my phone. Might be this video not suitable for phone? 

0 Kudos
_Val_
Admin
Admin

Should work there either. Clear the cache or try later.

0 Kudos
PhoneBoy
Admin
Admin

What kind of phone do you have?

It seems to be ok on my iPhone at least.

0 Kudos
Ali_Korkmaz
Contributor

I have Xiaomi 6. I have try with different two browser but does not work. 

0 Kudos
PhoneBoy
Admin
Admin

I initially had an issue with my Samsung S8+ getting the video to start playing.

After refreshing the page, it seems to work now.

0 Kudos
Ali_Korkmaz
Contributor

I think the problem is related embedded video player on my phone. Thnks all. 

Matthew_H_00
Participant

Try this link

Video Link : 7987 

0 Kudos
Hugo_vd_Kooij
Advisor

On R80.10 I get an extra line:

QXL pkts/Total pkts : 0/46011886447 (0%)

We are not using QoS so that 0 is no surprise.

But it wasn't mentioned in the talks.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
_Val_
Admin
Admin

Good point, Hugo van der Kooij‌. Timothy Hall‌, any comments?

0 Kudos
Timothy_Hall
Champion
Champion

The QoS blade is rarely enabled and the QXL path will only show nonzero values when that blade is actually used.  Heiko Ankenbrand‌ and I discussed this topic here: https://community.checkpoint.com/message/28463 

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
_Val_
Admin
Admin

Thanks Tim

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion

Thanks Timothy for the presentation.

Regards

Heiko


➜ CCSM Elite, CCME, CCTE
HeikoAnkenbrand
Champion Champion
Champion

What I notice more and more in the last years is CPAS (Active Streaming). It always works through the F2F path. With increased https, the firewall workers are more and more stressed if https inspection is enabled. Timothy you describe it very well in your book. Check Point Active Streaming active streaming allow the changing of data and play the role of “man in the middle”. Several protocols uses CPAS, for example: Client Authentication, VoIP (SIP, Skinny/SCCP, H.323, etc.), Data Leak Prevention (DLP) blade, Security Servers processes, etc. I think it's not to be underestimated in tuning.

Regards

Heiko


➜ CCSM Elite, CCME, CCTE
Timothy_Hall
Champion
Champion

Well it looks like the Medium Path (PXL) has been split into 2 separate paths called CPASXL and PSLXL in R80.20 gateway based on this screenshot I just took in my lab, so for the first time we will be able to easily see stats about utilization of CPAS vs PSL:

also in R80.20 we can now see actual statistics for the PXL path which will certainly help "demystify" it to some degree:

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Veneet_Thakur
Explorer

The video is not working, any other link pls

0 Kudos
_Val_
Admin
Admin

Video is fine, check your player settings

0 Kudos
_Val_
Admin
Admin

I am afraid this statement is incorrect: "...CPAS (Active Streaming). It always works through the F2F path." It is and always been qualified as PXL. What IS correct in your comment is that streaming is done by FW instance, although handshake packets go via SND acceleration.

0 Kudos
_Val_
Admin
Admin

Just to clarify terminology here. Both passive and active streaming are qualified as PXL. The tool give you better split between those two, but it does not qualify as two new paths suddenly appearing out of nowhere 🙂

We are talking about improved reporting for different parts of PXL here

0 Kudos
Timothy_Hall
Champion
Champion

I was under the impression that the F2F path is a superset of PXL as they are both handled on a Firewall Worker core, so CPAS and PSL can be applied to traffic in either path.  The firewall will attempt to use PXL first if it can as it is more efficient, but I think it can still do the same operations in F2F if the packet is fragmented or some other condition makes the traffic go F2F.  As noted in earlier threads there is limited documentation for and visibility into PXL.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
_Val_
Admin
Admin

Well, your understanding is correct. 

We call FW Path a situation when 100% of the packets in the session are handled by kernel instances.

SXL is another extreme, when all or all but the first packet are handled by SecureXL

PXL is a situation when a connection is opened and closed through SXL but data stream is handled by FW kernel instance. In a sense, PXL is a combination of two. You can only define PXL when talking about sessions and connections. On per packet basis, it is always FW path or SXL

HeikoAnkenbrand
Champion Champion
Champion

Valeri I agree here full with Timothy's comment:
As noted in earlier threads there is limited documentation for and visibility into PXL.

No man in this world really understands the PXL paths in the depths. Can you please publish here a document with the description! Every Check Point technician, customer etc. tells me a different story about the PXL paths. I think we all want to understand that to 100%.

I'm starting to get in a bad mood about this.

I have been trying for 3 months to describe this in my drawing (R80.x Security Gateway Architecture (Logical Packet Flow) ) and notice that there is a huge resonance here. I just wonder why nobody at Check Point does that??

 

We should all understand that and not always have a black spot in the room.

I just want to understand it and not just get info in bits and pieces.

Regards

Heiko


➜ CCSM Elite, CCME, CCTE
_Val_
Admin
Admin

We have had this discussion before, Heiko Ankenbrand. Check Point does have documentation for packet flow, acceleration, etc. You are referenced them in your own documents here on CheckMates. I was providing you assistance for the mentioned document and the diagrams. 

I can only repeat myself by saying that treating PXL as a separate per packet flow is a mistake. PXL terminology only make sense when you talk about sessions and connections.

Timothy Hall‌ is a very good illustration that there are some people outside of Check Point with in depth understanding of the subject. 

R80.20 is the new product, and it brings new CLI tools, code improvement and further visibility into acceleration and streaming statistics. As it is new, it will take a bit of work to get all relevant SecureKnowledge articles and documentation.

I suggest you to hold making changes on your packet flow and other documents before relevant documentation is available. 

We are also preparing a meeting with platforms and acceleration developers during your visit to HQ where you will be able to discuss topics of your interest and receive the info first hand. 

HeikoAnkenbrand
Champion Champion
Champion

Thanks for the answer.

I am waiting for exactly these documents from Check Point.

I think it's very good that you are planning this.

Regards

Heiko


➜ CCSM Elite, CCME, CCTE
_Val_
Admin
Admin

Trust me, you will work VERY hard here 🙂

samanthavidya1
Explorer

hi,

is the above lesson valid

for r81 also 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events