Understanding Check Point CoreXL Part 1
Understanding Check Point CoreXL Part 2
CoreXL
- Multi-Core systems
- Need for CoreXL
- CoreXL components
- overview of CoreXL
- CoreXL Performance
- Affinity
The QUEST for Performance
Improving Performance
- Hardware Vendors
- Reduce Cost
Performance via frequency increase
- CPU clock speed
- Physical limitations
Multi CPU era
- Multiple processor solution
- New software needed - the creation of the CoreXL code
Check Point code
- R65 - first firewall release to add support for multi-core
- Linux kernel 2.6 - first Linux kernel to introduce multi-core
How the firewall processed packets before CoreXL
FW code (one kernel instance, one global lock):
fw_filter() {
    fw_lock();      /* take the single firewall lock */
    fwchain_do();   /* run the inspection chain on the packet */
    fw_unlock();    /* release the lock; the packet is forwarded */
}
CPU1
Flow: the packet comes in to the CPU, the CPU hands it to the FW code, the FW code takes the FW lock, the FW chain processes the packet, then the code unlocks and forwards the packet. Because there is one lock, only one packet is inside fwchain_do() at any time.
Firewall kernel instance
NIC -> Dispatcher -> CPU -> FW-1 code
If you have more than one core:
FW-0 code
fw_filter() {
    fw_lock();      /* each instance has its own lock */
    fwchain_do();
    fw_unlock();
}
CPU0
FW-1 code
fw_filter() {
    fw_lock();
    fwchain_do();
    fw_unlock();
}
CPU1
CPU2 - Dispatcher (acts like a load balancer)
Flow: the packet from the NIC goes to the dispatcher on CPU2 (the dispatcher runs on the same CPU that receives the packet); the dispatcher decides whether to send the packet to CPU0 or CPU1, and the FW-0 or FW-1 code there inspects it and forwards it if a rule allows it.
1st kernel instance
Dispatcher (dispatching table) -> [fw0 queue -> fw0] -> connection table lookup, update the dispatching table -> IP stack
Parallel processing
Independent inspection kernels
Packets are sticky (all packets of a connection go to the same instance)
Data locality - the connection's data stays local to that instance
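Model of the two designs above, as an added example (Python, not Check Point's code): one kernel behind a single fw_lock() versus several instances that each own a lock and a connection table, fed by a dispatcher. The toy hash, the symmetric endpoint ordering that makes packets sticky, the rulebase (a set of allowed destination ports) and the sample packets are assumptions for illustration; the symmetric=False mode shows what breaks when a reply is dispatched to an instance that does not hold the connection.

```python
"""Packet dispatch before and after CoreXL (added example, not Check Point code).

Assumptions: a toy hash chosen to be easy to follow by hand, a symmetric
endpoint ordering for stickiness, and a rulebase that is just a set of
allowed destination ports. Verdict strings are illustrative.
"""
from dataclasses import dataclass
import threading


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int = 6  # TCP


def conn_key(p):
    """Direction-independent connection key: a reply keys the same as its request."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)])) + (p.proto,)


def fwchain_do(conns, allowed_dports, p):
    """One pass of the inspection chain against a connection table (toy rulebase)."""
    key = conn_key(p)
    if key in conns:
        conns[key] += 1
        return "accept (existing connection)"
    if p.dport in allowed_dports:
        conns[key] = 1
        return "accept (new connection)"
    return "drop"


class SingleKernelFirewall:
    """Before CoreXL: fw_lock(); fwchain_do(); fw_unlock() -- every CPU waits here."""

    def __init__(self, allowed_dports):
        self.lock = threading.Lock()   # the single global lock
        self.conns = {}                # the single connection table
        self.allowed = allowed_dports

    def fw_filter(self, p):
        with self.lock:
            return fwchain_do(self.conns, self.allowed, p)


def toy_hash(ip_a, port_a, ip_b, port_b, proto):
    """Toy stand-in for the dispatcher's hash (assumption, not the real one)."""
    octets = sum(int(o) for ip in (ip_a, ip_b) for o in ip.split("."))
    return octets + port_a * 31 + port_b * 17 + proto


class FwInstance:
    """One CoreXL kernel instance: its own lock and its own connection table."""

    def __init__(self, idx, allowed_dports):
        self.idx = idx
        self.lock = threading.Lock()   # per-instance lock: instances never contend
        self.conns = {}                # per-instance table: the data stays local
        self.allowed = allowed_dports

    def fw_filter(self, p):
        with self.lock:
            return fwchain_do(self.conns, self.allowed, p)


class CoreXL:
    def __init__(self, n_instances, allowed_dports, symmetric=True):
        self.instances = [FwInstance(i, allowed_dports) for i in range(n_instances)]
        self.symmetric = symmetric  # False: hash the raw 5-tuple, no stickiness

    def dispatch(self, p):
        """Pick the instance for p; ordering the endpoints first makes both
        directions of a connection hash to the same instance (sticky)."""
        ends = [(p.src, p.sport), (p.dst, p.dport)]
        if self.symmetric:
            ends.sort()
        (ip_a, port_a), (ip_b, port_b) = ends
        return toy_hash(ip_a, port_a, ip_b, port_b, p.proto) % len(self.instances)

    def handle(self, p):
        idx = self.dispatch(p)
        return idx, self.instances[idx].fw_filter(p)


def run(fw, packets):
    """Return [(instance_index, verdict)] per packet; the single kernel is index 0."""
    if isinstance(fw, CoreXL):
        return [fw.handle(p) for p in packets]
    return [(0, fw.fw_filter(p)) for p in packets]


# Constructed traffic: an HTTPS request and its reply, a second client, and SSH.
REQ = Packet("10.0.0.5", "203.0.113.7", 40000, 443)
REP = Packet("203.0.113.7", "10.0.0.5", 443, 40000)
OTHER = Packet("10.0.0.9", "203.0.113.7", 40002, 80)
SSH = Packet("10.0.0.5", "203.0.113.7", 40003, 22)
ALLOWED = {80, 443}

if __name__ == "__main__":
    print(run(SingleKernelFirewall(ALLOWED), [REQ, REP, OTHER, SSH]))
    print(run(CoreXL(4, ALLOWED), [REQ, REP, OTHER, SSH]))
    print(run(CoreXL(4, ALLOWED, symmetric=False), [REQ, REP]))
```

Running it prints the instance index and verdict per packet: with the symmetric dispatcher the HTTPS request and its reply land on the same instance and the reply is accepted as an existing connection, while the second client's flow lands on a different instance with its own table; with the naive dispatcher the reply lands on an instance that has never seen the connection and is dropped. Stickiness is therefore a correctness property of the dispatcher, not only a cache-locality optimisation.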
- CPU affinity - unbind fw instances and rebind the dispatcher from one CPU to another
- SIM affinity - assign different interfaces to specific CPUs to process
- Multi-queue - IRQs assigned to specific CPUs - two queues bound to one port
NIC -> global dispatcher table -> Secure Network Distributor (SND) -> FW0 ... firewall workers (4 in this diagram)
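Checking the affinity layout, as an added example (Python, not a Check Point tool): parse the per-CPU listing that `fw ctl affinity -l -r` prints and flag any core that carries both interfaces (SND work) and an fw_N instance, since sharing a core between the distributor and a worker defeats the data locality the split is meant to give. The two samples are constructed in the layout the author assumes for that output (a "CPU n:" line listing interfaces or an fw_N instance, indented continuation lines for daemons, an "All:" line for processes bound to every core), and the interface-name prefixes used to recognise SND cores are an assumption too.

```python
"""SND/worker core-split check over `fw ctl affinity -l -r` output.

Added example, not Check Point code. The samples are constructed and the
output layout, the daemon names and the interface-name prefixes are
assumptions made for illustration.
"""
import re

# Constructed sample: interfaces on CPUs 0 and 5, workers fw_0..fw_3 on CPUs 1-4.
SAMPLE_OK = """\
CPU 0:  eth1-01 eth1-02
CPU 1:  fw_3
        in.geod rtmd fwd cpd cprid
CPU 2:  fw_2
        in.geod rtmd fwd cpd cprid
CPU 3:  fw_1
        in.geod rtmd fwd cpd cprid
CPU 4:  fw_0
        in.geod rtmd fwd cpd cprid
CPU 5:  eth1-03 eth1-04
All:    mpdaemon
"""

# Constructed sample of a bad split: CPU 0 carries interfaces and an fw instance.
SAMPLE_SHARED = """\
CPU 0:  eth0 eth1 fw_1
        fwd cpd
CPU 1:  fw_0
        fwd cpd
All:
"""

CPU_LINE = re.compile(r"^CPU\s+(\d+):\s*(.*)$")
FW_INSTANCE = re.compile(r"^fw_\d+$")
IFACE_PREFIXES = ("eth", "bond", "Mgmt", "Sync")  # assumption: Gaia-style names


def parse_affinity(text):
    """Return {cpu: [tokens]} from `fw ctl affinity -l -r` style output."""
    cpus, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = CPU_LINE.match(line)
        if m:
            current = int(m.group(1))
            cpus[current] = m.group(2).split()
        elif line.startswith("All:"):
            current = None   # bound to every core, not to a specific one
        elif current is not None and line[0].isspace():
            cpus[current].extend(line.split())   # continuation: daemons on that core
    return cpus


def core_split(text):
    """Classify cores: SND (interfaces/IRQs) versus firewall worker instances."""
    snd, workers = set(), {}
    for cpu, tokens in parse_affinity(text).items():
        for tok in tokens:
            if FW_INSTANCE.match(tok):
                workers[tok] = cpu
            elif tok.startswith(IFACE_PREFIXES):
                snd.add(cpu)
    shared = snd & set(workers.values())
    return {"snd": snd, "workers": workers, "shared": shared}


def affinity_warnings(text):
    """Findings as strings: a core doing both SND and inspection loses the
    data locality the dispatcher/instance split is meant to give."""
    split = core_split(text)
    out = []
    for cpu in sorted(split["shared"]):
        inst = [w for w, c in split["workers"].items() if c == cpu]
        out.append(f"CPU {cpu}: handles interfaces and {', '.join(inst)}; "
                   f"move one side, e.g. fw ctl affinity -s -i <iface> <cpu>")
    if not split["snd"]:
        out.append("no interface bound to a specific core (SND affinity not set)")
    return out


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("shared", SAMPLE_SHARED)):
        print(name, core_split(sample), affinity_warnings(sample))
```

On a gateway you would feed it the real listing (`fw ctl affinity -l -r`) instead of the constructed samples, and fix a shared core with the tools the notes list: `fw ctl affinity -s -i <interface> <cpu>` to pin an interface, or `sim affinity -s` for SIM affinity.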
3 Components
SecureXL
- Software/hardware Acceleration
- Packet rate and connection rate
- Certain traffic cannot be accelerated
(fwaccel runs in the kernel and cannot do deep packet inspection)
SSL inspection traffic will not be accelerated
fwaccel [on | off | ver | stats | conns | templates]
SND core handles acceleration
CoreXL
- Parallel security gateway kernels
- Leverage modern processor architectures
- Suited to medium path
ClusterXL
- Implements load-sharing (active/active) clusters to increase throughput
- Delivers high availability for security gateways
base.def - add application ports etc
/opt/CPsuite-R77/fw1/lib/base.def
The CoreXL software architecture includes the Secure Network Distributor (SND). The SND is responsible for:
- Processing incoming traffic from the network interfaces
- Securely accelerating authorized packets (if Performance Pack is running)
- Distributing non-accelerated packets among kernel instances.