TechTalk: Security Gateway Performance Optimization with Tim Hall
Full video, available to CheckMates members: Security Gateway Performance Optimization with Tim Hall Video
This video does not work, is there another link?
This is a 2 minute teaser. The full video link is mentioned above as well
I tried the link of the full video but it did not work. Can you view the video?
Yes, the video is available and works all right. It is in the members exclusive section, so please make sure you are logged in when watching. If it is still not working for you, please clean your browser cache and try again.
Firstly thanks for your quick reply. I am logged in to the community with my account on my phone. Might this video not be suitable for phones?
Should work there too. Clear the cache or try later.
What kind of phone do you have?
It seems to be ok on my iPhone at least.
I have a Xiaomi 6. I have tried with two different browsers but it does not work.
I initially had an issue with my Samsung S8+ getting the video to start playing.
After refreshing the page, it seems to work now.
Try this link
Security Gateway Performance Optimization with Tim Hall Video
I think the problem is related to the embedded video player on my phone. Thanks all.
On R80.10 I get an extra line:
QXL pkts/Total pkts : 0/46011886447 (0%)
We are not using QoS so that 0 is no surprise.
But it wasn't mentioned in the talks.
Good point, Hugo van der Kooij. Timothy Hall, any comments?
The QoS blade is rarely enabled and the QXL path will only show nonzero values when that blade is actually used. Heiko Ankenbrand and I discussed this topic here: QOS
-- Second Edition of my "Max Power" Firewall Book Now Available at http://www.maxpowerfirewalls.com
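The QXL line quoted above has the shape "path pkts/Total pkts : count/total (pct%)". As an added example that is not part of this thread or of any Check Point tool, here is a small parser for lines in that shape that recomputes each path's share from the raw counters (the printed integer percentage is rounded and can hide a small but real share) and flags the paths above a threshold; the sample lines are constructed, and the path names other than QXL are assumptions used for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the "QXL pkts/Total pkts : 0/46011886447 (0%)" line
# quoted in the thread. The other path names and all counts are made up for this
# example, not output captured from a real gateway.
SAMPLE_STATS = """\
Accelerated pkts/Total pkts : 10000000000/46011886447 (21%)
F2Fed pkts/Total pkts : 4000000000/46011886447 (8%)
PXL pkts/Total pkts : 32011886447/46011886447 (69%)
QXL pkts/Total pkts : 0/46011886447 (0%)
"""

# One "<path> pkts/Total pkts : <count>/<total> (<pct>%)" line, whitespace-tolerant.
LINE_RE = re.compile(r"^\s*(\S+) pkts/Total pkts\s*:\s*(\d+)/(\d+)\s*\((\d+)%\)")


def parse_path_stats(text: str) -> Dict[str, Tuple[int, int, float]]:
    """Return {path: (count, total, share_percent)} for every per-path packet line.

    share_percent is recomputed from the counters rather than taken from the
    printed integer percentage, which is rounded and hides small shares.
    """
    stats: Dict[str, Tuple[int, int, float]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a per-path packet line; ignore
        path, count, total, shown = m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))
        if count > total:
            raise ValueError(f"{path}: count {count} exceeds total {total}")
        share = 100.0 * count / total if total else 0.0
        # Sanity check: the printed percentage must agree with the counters to within rounding.
        if abs(share - shown) > 1.0:
            raise ValueError(f"{path}: printed {shown}% disagrees with counters ({share:.2f}%)")
        stats[path] = (count, total, share)
    return stats


def paths_over(stats: Dict[str, Tuple[int, int, float]], threshold_pct: float) -> List[str]:
    """Names of paths whose share exceeds threshold_pct, e.g. to spot a heavy
    Firewall Worker bound share that a tuning exercise should look at first."""
    return sorted(p for p, (_, _, share) in stats.items() if share > threshold_pct)


if __name__ == "__main__":
    parsed = parse_path_stats(SAMPLE_STATS)
    for name, (count, total, share) in parsed.items():
        print(f"{name:12s} {count:>14d} / {total:d}  {share:6.2f}%")
    print("paths above 5%:", paths_over(parsed, 5.0))
```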
Thanks Timothy for the presentation.
What I notice more and more in the last years is CPAS (Active Streaming). It always works through the F2F path. With increased https, the firewall workers are more and more stressed if https inspection is enabled. Timothy, you describe it very well in your book. Check Point Active Streaming allows the changing of data and plays the role of "man in the middle". Several protocols use CPAS, for example: Client Authentication, VoIP (SIP, Skinny/SCCP, H.323, etc.), Data Leak Prevention (DLP) blade, Security Servers processes, etc. I think it's not to be underestimated in tuning.
Well it looks like the Medium Path (PXL) has been split into 2 separate paths called CPASXL and PSLXL in R80.20 gateway based on this screenshot I just took in my lab, so for the first time we will be able to easily see stats about utilization of CPAS vs PSL:
also in R80.20 we can now see actual statistics for the PXL path which will certainly help "demystify" it to some degree:
Just to clarify terminology here. Both passive and active streaming are qualified as PXL. The tool gives you a better split between those two, but it does not qualify as two new paths suddenly appearing out of nowhere :-) We are talking about improved reporting for different parts of PXL here.
I was under the impression that the F2F path is a superset of PXL as they are both handled on a Firewall Worker core, so CPAS and PSL can be applied to traffic in either path. The firewall will attempt to use PXL first if it can as it is more efficient, but I think it can still do the same operations in F2F if the packet is fragmented or some other condition makes the traffic go F2F. As noted in earlier threads there is limited documentation for and visibility into PXL.
Well, your understanding is correct.
We call FW Path a situation where 100% of the packets in the session are handled by kernel instances.
SXL is the other extreme, when all or all but the first packet are handled by SecureXL.
PXL is a situation where a connection is opened and closed through SXL but the data stream is handled by a FW kernel instance. In a sense, PXL is a combination of the two. You can only define PXL when talking about sessions and connections. On a per-packet basis, it is always FW path or SXL.
I am afraid this statement is incorrect: "...CPAS (Active Streaming). It always works through the F2F path." It is and always has been qualified as PXL. What IS correct in your comment is that streaming is done by the FW instance, although handshake packets go via SND acceleration.
Valeri, I agree fully with Timothy's comment: As noted in earlier threads there is limited documentation for and visibility into PXL.
No man in this world really understands the PXL paths in depth. Can you please publish a document here with the description! Every Check Point technician, customer etc. tells me a different story about the PXL paths. I think we all want to understand that 100%.
I'm starting to get in a bad mood about this.
I have been trying for 3 months to describe this in my drawing (R80.x Security Gateway Architecture (Logical Packet Flow)) and notice that there is a huge resonance here. I just wonder why nobody at Check Point does that??
We should all understand that and not always have a black spot in the room.
I just want to understand it and not just get info in bits and pieces.
We have had this discussion before, Heiko. Check Point does have documentation for packet flow, acceleration, etc. You have referenced them in your own documents here on CheckMates. I was providing you assistance for the mentioned document and the diagrams.
I can only repeat myself by saying that treating PXL as a separate per-packet flow is a mistake. PXL terminology only makes sense when you talk about sessions and connections.
Timothy Hall is a very good illustration that there are some people outside of Check Point with in depth understanding of the subject.
R80.20 is the new product, and it brings new CLI tools, code improvement and further visibility into acceleration and streaming statistics. As it is new, it will take a bit of work to get all relevant SecureKnowledge articles and documentation.
I suggest you hold off making changes on your packet flow and other documents before the relevant documentation is available.
We are also preparing a meeting with platforms and acceleration developers during your visit to HQ where you will be able to discuss topics of your interest and receive the info first hand.
Thanks for the answer.
I am waiting for exactly these documents from Check Point.
I think it's very good that you are planning this.
Trust me, you will work VERY hard here :-)
The video is not working, any other link pls
Video is fine, check your player settings