Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
shavat_zalpuri
Explorer
Jump to solution

Need help in understanding multi core vpn in r 80.x

Hi All,

 

It owuuld be great help if you can help me in providing a document which will give me in detail information of multi core vpn in r80.X.

 

Different vpn types and on different cores.

 

Regards,

shavat Zalpuri

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Champion
Champion

@Tal_Paz-Fridman gave you the authoritative SK articles for the multicore IPSec VPN feature, and below is an excerpt about it from my Max Power book.  Generally the only direct way you'd even suspect multicore VPN was active would be when taking a capture with fw monitor which would show the new e & E capture points as originally discussed here: https://community.checkpoint.com/t5/Logging-and-Reporting/fw-monitor-inspection-point-e-or-E/m-p/128...

 

 

Click to Expand

R80.10: MultiCore IPSec VPN & Route-based VPNs


While the vast majority of network connections can be efficiently balanced across the
available Firewall Worker cores (Run the fw ctl multik stat command and look at
the Connections column to see this in action), there is one glaring exception on R77.30
gateway and earlier: IPSec VPN handling. By default on R77.30, all IPSec-based and
SSL VPN-based encryption and decryption can only take place on the lowest-numbered
Firewall Worker core ( fw_0 ).


I’m pleased to report though that the single-core IPSec VPN limitation in R77.30
gateway has at long last been resolved in R80.10+. IPSec VPN traffic is now balanced
across all Firewall Worker cores by default on R80.10+ gateway. The commands vpn
tu tlist and vpn tu mstats can be used to monitor the state of this new capability.
While it is technically possible to switch off this MultiCore IPSec feature by setting the
kernel variable enable_ipsec_multi_core to zero on R80.10+, doing so is not
supported as explicitly stated here: sk118097: MultiCore Support for IPsec VPN in
R80.10 and above.

 

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

0 Kudos
4 Replies
Tal_Paz-Fridman
Employee
Employee

You can use the following SKs

 

MultiCore Support for IPsec VPN in R80.10 and above

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

Advanced Technical Reference Guide: VPN Core

https://supportcenter.checkpoint.com/supportcenter/?eventSubmit_doGoviewsolutiondetails=&solutionid=...

 

HTH

Tal

Timothy_Hall
Champion
Champion

@Tal_Paz-Fridman gave you the authoritative SK articles for the multicore IPSec VPN feature, and below is an excerpt about it from my Max Power book.  Generally the only direct way you'd even suspect multicore VPN was active would be when taking a capture with fw monitor which would show the new e & E capture points as originally discussed here: https://community.checkpoint.com/t5/Logging-and-Reporting/fw-monitor-inspection-point-e-or-E/m-p/128...

 

 

Click to Expand

R80.10: MultiCore IPSec VPN & Route-based VPNs


While the vast majority of network connections can be efficiently balanced across the
available Firewall Worker cores (Run the fw ctl multik stat command and look at
the Connections column to see this in action), there is one glaring exception on R77.30
gateway and earlier: IPSec VPN handling. By default on R77.30, all IPSec-based and
SSL VPN-based encryption and decryption can only take place on the lowest-numbered
Firewall Worker core ( fw_0 ).


I’m pleased to report though that the single-core IPSec VPN limitation in R77.30
gateway has at long last been resolved in R80.10+. IPSec VPN traffic is now balanced
across all Firewall Worker cores by default on R80.10+ gateway. The commands vpn
tu tlist and vpn tu mstats can be used to monitor the state of this new capability.
While it is technically possible to switch off this MultiCore IPSec feature by setting the
kernel variable enable_ipsec_multi_core to zero on R80.10+, doing so is not
supported as explicitly stated here: sk118097: MultiCore Support for IPsec VPN in
R80.10 and above.

 

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
shavat_zalpuri
Explorer
Could you please send me this sk118097 solution in pdf
0 Kudos
Timothy_Hall
Champion
Champion

SK article content is copyrighted and cannot be posted here or sent privately.  Please contact your Check Point SE to determine your support status and they should be able to help you.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events