R77.

30
CoreXL & Dispatcher
improvements

Speaker Name | Speaker Title

2015 Check Point Software Technologies Ltd.

[Protected] Non-confidential content

IMPORTANT
Content is based on R77.30 EA features/screenshots
There can be changes or features removed in GA

Pricing and licensing changes/additions are not final

We will therefore not speculate on such topics

Dont use this presentation after the R77.30 GA

release
Rather locate a version updated with R77.30 GA info

2015 Check Point Software Technologies Ltd.

[Restricted] ONLY for designated groups and individuals

CoreXL Changes
Previously on CoreXL
Connections assigned to cores based around src and
dest address
Inefficient if we have low IP density for connections
One source to one destination always will use the same
core

2015 Check Point Software Technologies Ltd.

[Restricted] ONLY for designated groups and individuals

New CoreXL
New Mechanism in the Dispatcher service
New connections now allocated to the least busy core
Least utilized core will have more chance of processing
the packet successfully

Currently off by default in R77.30

Only supports SGW
VSX support expected later

2015 Check Point Software Technologies Ltd.

Dispatcher Queue Changes

Provides high Priority to control plane Packets
SSH, Dynamic Routing Etc

If we have CPU performance Issues still able to process

important packets
Prioritization will allow
Fault finding to understand what is happening on the
system with SSH
Traffic may still be routed as Dynamic Routing will not
freeze

Detect heavy processes and send them to the low priority

Queue
2015 Check Point Software Technologies Ltd.

[Restricted] ONLY for designated groups and individuals

Addressable, key scenarios

Category

Use case

Internal resiliency

Cluster Control (CCP),

ppak notifications,
inter-instance communications

Critical

Admin

Install policy,
automatic updates

Critical

Admin

CLI / SSH / Serial / WebUI

Critical

Admin

Monitoring SNMP (MIBS)

Medium

Control for data

Dynamic Routing, DHCP

High

Control for data

ARP / NDP

High

Control for data

Site to Site VPN (IKE)

High

2015 Check Point Software Technologies Ltd.

Impact

[Restricted] ONLY for designated groups and individuals

Conceptual Approach

Prioritization

Dynamic
Dispatching

Prioritization of
existing connections

Dynamic Dispatching
of new connections

2015 Check Point Software Technologies Ltd.

[Restricted] ONLY for designated groups and individuals

Features and Value Proposition

Prioritization of existing connections based on
control path traffic
internal messages, cluster and local connection
heavy (cpu wise) connections
Improve control path resiliency

Dynamic Dispatching of new connections based on instance

load
Improve capacity for new connections
Utilization & performance

2015 Check Point Software Technologies Ltd.

[Restricted] ONLY for designated groups and individuals

Prioritization Within Instance

Dequeuer
Dequeuer packets
packets
will
will be
be dequeued
dequeued
based
based on
on priority
priority

Enqueuer
Enqueuer enqueue
enqueue
packets
packets based
based on
on
classification
classification
P1
P1

II II II II

P2
P2

R
R R
R R
R R
R

P3
P3

H
H H
H H
H H
H

II

R
R II

Dispatcher
Dispatcher

H
H II

R
R

FW_0
FW_0

Eviluator
Eviluator
-- Processing
Processing efficiency
efficiency (clock
(clock cycles)
cycles)

P1
P1

II II II II

P2
P2

R
R R
R R
R R
R

-- Real-time
Real-time prioritization
prioritization adjustment
adjustment

R
R II

R
R II

II

II

FW_1
FW_1

P3
P3

H Heavy
R Regular
I

Important
2015 Check Point Software Technologies Ltd.

[Restricted] ONLY for designated groups and individuals

Technology - Prioritization
Name

Entries type

Priority
(0 - highest)

Eviluator

Internal resiliency

CCP / PPK NOTIF /

Multik MSG / VS MSG /
PSL MSG

0
Strict: Dequeue until
empty

No

Control plan

WebUI / SSH /
Full sync / Mgmt
services / Dynamic
Routing

Yes

Admin specific

User defined

Yes

Light conn

Light connections

Yes

Default

Medium / New
connection

Yes

Drop Log

Log NOTIF

No

Heavy conn

Heavy connections

Yes

2015 Check Point Software Technologies Ltd.

[Restricted] ONLY for designated groups and individuals

10

Dynamic Dispatcher
FW_0

FW_1

FW_2

100%

100%

100%

90%
80%
70%
60%
50%
40%
30%
20%
10%

90%
80%
70%
60%
50%
40%
30%
20%
10%

90%
80%
70%
60%
50%
40%
30%
20%
10%

Queue
Queue utilization
utilization
Load
Load that
that is
is about
about to
to be
be on
on the
the instance
instance
CPU

CPU

CPU

CPU
CPU utilization
utilization
Current
Current load
load on
on
instance
instance
Dispatcher
Dispatcher

2015 Check Point Software Technologies Ltd.

[Restricted] ONLY for designated groups and individuals

11

Dynamic Dispatcher
FW_0

FW_1

FW_2

100%

100%

100%

90%
80%
70%
60%
50%
40%
30%
20%
10%

90%
80%
70%
60%
50%
40%
30%
20%
10%

90%
80%
70%
60%
50%
40%
30%
20%
10%

Decision
Decision == F(current
F(current CPU,
CPU, queue
queue capacity)
capacity)
Dispatcher
Dispatcher chooses
chooses an
an instance
instance that
that is
is
expected
be
CPU
CPU
expected to
to CPU
be least
least utilized
utilized

Dispatcher
Dispatcher

2015 Check Point Software Technologies Ltd.

[Restricted] ONLY for designated groups and individuals

12

Dynamic Dispatcher
FW_0

FW_1

FW_2

100%

100%

100%

90%
80%
70%
60%
50%
40%
30%
20%
10%

90%
80%
70%
60%
50%
40%
30%
20%
10%

90%
80%
70%
60%
50%
40%
30%
20%
10%

CPU

CPU

CPU

Dispatcher
Dispatcher

2015 Check Point Software Technologies Ltd.

[Restricted] ONLY for designated groups and individuals

13

Technology Highlights
Connection Eviluater
Per connection CPU utilization
Dynamic priority migration

Smart Dispatching
Predefined connection prioritization
Dynamic dispatching for new connections per CPU
utilization

2015 Check Point Software Technologies Ltd.

[Restricted] ONLY for designated groups and individuals

14