Transcript of R77.30_EA-v4.9CoreXL_&_Dispatcher_improvements.pptx
©2015 Check Point Software Technologies Ltd. [Protected] Non-confidential content
R77.30 CoreXL & Dispatcher improvements
IMPORTANT
• Content is based on R77.30 EA features/screenshots
  - There can be changes or features removed in GA
• Pricing and licensing changes/additions are not final
  - We will therefore not speculate on such topics
• Don't use this presentation after the R77.30 GA release
  - Rather locate a version updated with R77.30 GA info
[Restricted] ONLY for designated groups and individuals
CoreXL Changes
• Previously on CoreXL
  - Connections were assigned to cores based on source and destination address
  - Inefficient if we have low IP density for connections
  - One source to one destination will always use the same core
New CoreXL
• New Mechanism in the Dispatcher service
• New connections now allocated to the 'least busy' core
  - Least utilized core will have more chance of processing the packet successfully
• Currently off by default in R77.30
• Only supports SGW
  - VSX support expected later
Dispatcher Queue Changes
• Provides high priority to 'control plane' packets
  - SSH, Dynamic Routing, etc.
• If we have CPU performance issues, we are still able to process important packets
• Prioritization will allow
  - Fault finding to understand what is happening on the system with SSH
  - Traffic may still be routed as Dynamic Routing will not freeze
• Detect heavy processes and send them to the low-priority queue
Addressable, key scenarios
Category            | Use case                                                                 | Impact
Internal resiliency | Cluster Control (CCP), ppak notifications, inter-instance communications | Critical
Admin               | Install policy, automatic updates                                        | Critical
Admin               | CLI / SSH / Serial / WebUI                                               | Critical
Admin               | Monitoring SNMP (MIBS)                                                   | Medium
Control for data    | Dynamic Routing, DHCP                                                    | High
Control for data    | ARP / NDP                                                                | High
Control for data    | Site to Site VPN (IKE)                                                   | High
Conceptual Approach
• Prioritization: prioritization of existing connections
• Dynamic Dispatching: dynamic dispatching of new connections
Features and Value Proposition
Improve control path resiliency
• Prioritization of existing connections based on
  - control path traffic
  - internal messages, cluster and local connection
  - 'heavy' (CPU-wise) connections
• Dynamic Dispatching of new connections based on instance load
Improve capacity for new connections
Utilization & performance
Prioritization Within Instance
[Diagram: the Dispatcher feeds instances FW_0 and FW_1; each instance holds priority queues P1, P2 and P3 filled with packets marked I, R and H]
• Enqueuer – enqueue packets based on classification
• Dequeuer – packets will be dequeued based on priority
• Legend: H = Heavy, R = Regular, I = Important
“Eviluator”
- Processing efficiency (clock cycles)
- Real-time prioritization adjustment
Technology - Prioritization
Name                | Entries type                                                 | Priority (0 - highest)             | Eviluator
Internal resiliency | CCP / PPK NOTIF / Multik MSG / VS MSG / PSL MSG              | 0 (Strict: dequeue until empty)    | No
Control plane       | WebUI / SSH / Full sync / Mgmt services / Dynamic Routing    | 1                                  | Yes
Admin specific      | User defined                                                 | 2                                  | Yes
Light conn          | Light connections                                            | 3                                  | Yes
Default             | Medium / New connection                                      | 4                                  | Yes
Drop Log            | Log NOTIF                                                    | 5                                  | No
Heavy conn          | Heavy connections                                            | 6                                  | Yes
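Added example (not from the original slides, not Check Point code): a small model of the enqueuer, dequeuer and Eviluator using the priorities from the table above. The cycle threshold, the set of classes that may migrate, and strict dequeue below priority 0 are assumptions made for illustration.

```python
"""Constructed model of per-instance prioritization; priorities follow the slide's table."""
from collections import deque

# Priority per class, 0 = highest (values taken from the table)
PRIORITY = {"internal": 0, "control": 1, "admin": 2, "light": 3,
            "default": 4, "drop_log": 5, "heavy": 6}
MIGRATABLE = {"light", "default"}   # assumption: only data connections are demoted
HEAVY_CYCLES = 1_000_000            # assumed threshold, not a product value

class Instance:
    def __init__(self):
        self.queues = {p: deque() for p in sorted(PRIORITY.values())}
        self.conn_class = {}   # connection id -> current class
        self.cycles = {}       # connection id -> clock cycles consumed so far

    def enqueue(self, conn, initial_class, packet):
        """Enqueuer: queue the packet by the connection's current class."""
        cls = self.conn_class.setdefault(conn, initial_class)
        self.queues[PRIORITY[cls]].append((conn, packet))

    def dequeue(self):
        """Dequeuer: lowest priority number first. Modelled as strict at every
        level; the slide states strict dequeue only for priority 0."""
        for prio in sorted(self.queues):
            if self.queues[prio]:
                return self.queues[prio].popleft()
        return None

    def account(self, conn, cycles):
        """Eviluator: add up cycles and migrate a costly connection to 'heavy'."""
        self.cycles[conn] = self.cycles.get(conn, 0) + cycles
        if (self.conn_class.get(conn) in MIGRATABLE
                and self.cycles[conn] > HEAVY_CYCLES):
            self.conn_class[conn] = "heavy"

def demo():
    """Constructed traffic: a bulk transfer, then SSH and a cluster message."""
    fw = Instance()
    fw.enqueue("bulk-1", "default", "data-0")
    fw.account("bulk-1", 2_500_000)                   # bulk transfer burns CPU
    for n in range(1, 4):
        fw.enqueue("bulk-1", "default", f"data-{n}")  # now lands in the heavy queue
    fw.enqueue("ssh-1", "control", "keystroke")
    fw.enqueue("ccp-1", "internal", "cluster-hello")
    return [fw.dequeue()[1] for _ in range(6)]
```

The cluster and SSH packets arrive last but leave first, which is the fault-finding property the deck argues for.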
Dynamic Dispatcher
[Diagram: the Dispatcher in front of instances FW_0, FW_1 and FW_2, each shown with a CPU gauge scaled from 10% to 100%]
• CPU utilization: current load on instance
• Queue utilization: load that is about to be on the instance
Decision = F(current CPU, queue capacity)
Dispatcher chooses an instance that is expected to be least utilized
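Added example (not from the original slides, not Check Point code): a model comparing address-based assignment with load-aware dispatching under low IP density. The CRC32 hash, the weighted-sum form of F and the per-connection cost figures are assumptions; the deck does not define them.

```python
"""Constructed model: address-based dispatch vs. load-aware dispatch of new connections."""
import zlib

INSTANCES = 3  # FW_0, FW_1, FW_2 as in the slide diagram

def static_dispatch(conns):
    """Previous behaviour: instance derived from source and destination address only."""
    load = [0] * INSTANCES
    for src, dst, cost in conns:
        idx = zlib.crc32(f"{src}>{dst}".encode()) % INSTANCES  # hash choice is an assumption
        load[idx] += cost
    return load

def score(cpu, queue, w_cpu=0.5, w_queue=0.5):
    """Assumed form of F(current CPU, queue): weighted sum, lower is better."""
    return w_cpu * cpu + w_queue * queue

def dynamic_dispatch(conns, cpu=None):
    """New behaviour: each new connection goes to the instance expected to be least utilized."""
    cpu = list(cpu or [0] * INSTANCES)   # load currently on each instance
    queue = [0] * INSTANCES              # load about to land on each instance
    for _src, _dst, cost in conns:
        idx = min(range(INSTANCES), key=lambda i: score(cpu[i], queue[i]))
        queue[idx] += cost
    return [c + q for c, q in zip(cpu, queue)]

def imbalance(load):
    """Gap between the busiest and the idlest instance."""
    return max(load) - min(load)

# Constructed sample: low IP density, 12 connections between one pair of hosts,
# each costing 5 load units
LOW_DENSITY = [("10.0.0.5", "192.0.2.10", 5)] * 12
```

With the constructed sample, the address-based path puts all 60 units on one instance, while the load-aware path spreads them and steers away from an instance that is already busy.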
Technology Highlights
Connection "Eviluator"
• Per connection CPU utilization
• Dynamic priority migration
Smart Dispatching
• Predefined connection prioritization
• Dynamic dispatching for new connections per CPU utilization