Packet flow on the Host Security Appliance, when the packet is completely handled by the SecureXL device. The packet is processed and forwarded to the network without being passed to a CoreXL Firewall instance.
SecureXL feature that accelerates the speed at which a connection is established, by matching a new connection to a set of attributes. When a new connection matches an Accept Template, subsequent connections with the same attributes are accepted without a Rule Base match and are therefore accelerated. Accept Templates are generated from active connections according to policy rules. Currently, Accept Template acceleration is performed only on connections with the same destination port (the source port is a wildcard).
The assignment of a specified CoreXL Firewall instance, VSX Virtual System, interface, user space process, or IRQ to one or more specified CPU cores.
SecureXL improves the rate of new connections (connections per second) and the connection setup / teardown rate (sessions per second). To accelerate the rate of new connections, SecureXL also handles connections that do not match an exact 5-tuple: if the source port is masked, only the other four tuple attributes (source IP address, destination IP address, IP protocol and destination port) need to match. When a connection is processed on the Accelerated Path, SecureXL creates an Accept Template for that connection that does not include the source port. A new connection that matches the remaining four attributes is processed on the Accelerated Path because it matches the Accept Template. The Firewall module does not inspect the new connection, which increases the Firewall connection rate.
The SecureXL and the Firewall module keep their own state tables and communicate updates to each other:
A performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores.
Improved CoreXL SND feature. Part of CoreXL that distributes packets between CoreXL Firewall instances. Traffic distribution between CoreXL Firewall instances is dynamic, based on the utilization of the CPU cores on which the CoreXL Firewall instances run. The decision is made for the first packet of each connection: each CoreXL Firewall instance is assigned a rank, and the instance with the lowest rank is selected. The rank is calculated from the instance's CPU utilization: the higher the CPU utilization, the higher the rank, and the less likely that instance is to be selected by the CoreXL SND. See sk105261.
On a Security Gateway with CoreXL enabled, the Firewall kernel is copied multiple times. Each replicated copy, or firewall instance, runs on one processing CPU core. These firewall instances handle traffic at the same time, and each firewall instance is a complete and independent firewall inspection kernel.
Secure Network Distributer. Part of CoreXL that is responsible for:
Traffic distribution between CoreXL Firewall instances is statically based on Source IP addresses, Destination IP addresses, and the IP 'Protocol' type.
The SND does not really "touch" packets. The decision to bind a connection to a particular FWK core is made on the first packet of the connection, at a very high level, before anything else. Depending on the SecureXL settings, and in most cases, SecureXL can offload the decryption calculations. In some other cases, however, such as Route-Based VPN, decryption is done by FWK.
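To make the difference between the two SND distribution modes concrete, here is a small simulation (added example code, not Check Point's implementation). The hash function used for static distribution and the "rank = CPU utilization" formula are assumptions: the page only states that static distribution is based on source IP, destination IP and IP protocol, and that the dynamic decision is based on CPU utilization. The addresses and connection counts are constructed for the demo.

```python
import hashlib

# Constructed simulation of the two CoreXL SND distribution modes; example code, not
# Check Point's implementation. The hash function and the rank formula are assumptions.


def static_dispatch(src: str, dst: str, proto: int, n_instances: int) -> int:
    """Static Dispatcher: the first packet's (src, dst, proto) selects the instance,
    so every connection between the same pair of hosts lands on the same core."""
    digest = hashlib.sha256(f"{src}|{dst}|{proto}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_instances


def dynamic_dispatch(cpu_util: list[float]) -> int:
    """Dynamic Dispatcher: rank = CPU utilization of the instance's core; pick the
    lowest rank (ties resolved by lowest instance number)."""
    return min(range(len(cpu_util)), key=lambda i: (cpu_util[i], i))


def simulate(n_instances: int = 4, hot_source_conns: int = 600, other_conns: int = 400):
    """Model a burst of first packets: `hot_source_conns` connections from one address
    (a NAT device or a single flooding host) plus `other_conns` from distinct hosts.
    Each connection adds one unit of load to the core of the instance it is assigned to,
    and the dynamic dispatcher sees that load as the core's utilization."""
    static_load = [0.0] * n_instances
    dynamic_load = [0.0] * n_instances
    first_packets = [("203.0.113.7", "192.0.2.10", 6)] * hot_source_conns
    first_packets += [(f"198.51.100.{i % 254 + 1}", "192.0.2.10", 6)
                      for i in range(other_conns)]
    for src, dst, proto in first_packets:
        static_load[static_dispatch(src, dst, proto, n_instances)] += 1
        dynamic_load[dynamic_dispatch(dynamic_load)] += 1
    return static_load, dynamic_load


if __name__ == "__main__":
    static_load, dynamic_load = simulate()
    print("static :", static_load)   # one instance carries all 600 hot-source connections
    print("dynamic:", dynamic_load)  # [250.0, 250.0, 250.0, 250.0]
```

The point the simulation makes: with static distribution, all connections from one source to one destination share a 3-tuple and therefore a single Firewall instance, so a single busy host (or a flood from behind one NAT address) can saturate one core while the others idle. The dynamic dispatcher spreads the same first packets evenly because it consults core utilization rather than the tuple.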
Check Point Active Streaming. Check Point technology that allows the Security Gateway to change data and play the role of a "man in the middle". Several Check Point products use CPAS, for example: Client Authentication, VoIP (SIP, Skinny/SCCP, H.323, etc.), Data Loss Prevention, and Security Servers.
SecureXL feature that accelerates the speed at which a connection is dropped, by matching a new connection to a set of attributes. When a new connection matches a Drop Template, subsequent connections with the same attributes are dropped without a Rule Base match and are therefore accelerated. Currently, Drop Template acceleration is performed only on connections with the same destination port, and it does not use wildcards for source ports (the source port must match as well).
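The Accept Template and Drop Template definitions above differ in one detail that matters for performance: the Accept Template key wildcards the source port, the Drop Template key does not. The following model (added example code, not Check Point's implementation; the Rule Base, addresses and ports are constructed for the demo) shows how many connections still need a full Rule Base match under each mechanism.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed model of SecureXL Accept/Drop Templates; example code, not Check Point's
# implementation. The Rule Base, addresses and ports below are made up for the demo.


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    proto: int   # 6 = TCP
    sport: int
    dport: int


# First-match Rule Base: (source prefix, destination, protocol, destination port, action).
# "*" / 0 mean "any". The last rule is the cleanup rule.
RULEBASE = [
    ("10.0.0.", "192.0.2.10", 6, 443, "accept"),
    ("10.0.0.", "192.0.2.10", 6, 23, "drop"),
    ("*", "*", 0, 0, "drop"),
]


def rule_match(c: Conn) -> str:
    """Full Rule Base lookup: the per-connection work the templates avoid."""
    for src_pfx, dst, proto, dport, action in RULEBASE:
        if ((src_pfx == "*" or c.src.startswith(src_pfx))
                and (dst == "*" or c.dst == dst)
                and proto in (0, c.proto)
                and dport in (0, c.dport)):
            return action
    return "drop"


class TemplateCache:
    """Accept Templates are keyed without the source port (it is a wildcard);
    Drop Templates are keyed on the full 5-tuple (no source-port wildcard)."""

    def __init__(self) -> None:
        self.accept: set[tuple] = set()
        self.drop: set[tuple] = set()
        self.stats: Counter = Counter()

    @staticmethod
    def accept_key(c: Conn) -> tuple:
        return (c.src, c.dst, c.proto, c.dport)

    @staticmethod
    def drop_key(c: Conn) -> tuple:
        return (c.src, c.dst, c.proto, c.sport, c.dport)

    def handle(self, c: Conn) -> str:
        if self.accept_key(c) in self.accept:
            self.stats["accept_template"] += 1
            return "accept"
        if self.drop_key(c) in self.drop:
            self.stats["drop_template"] += 1
            return "drop"
        # No template: the connection takes the slow path through the Rule Base,
        # and its verdict seeds a template for the next connection like it.
        self.stats["rule_match"] += 1
        action = rule_match(c)
        if action == "accept":
            self.accept.add(self.accept_key(c))
        else:
            self.drop.add(self.drop_key(c))
        return action


def simulate() -> tuple[list[str], dict[str, int]]:
    """Ten HTTPS connections from one client (different source ports), then three
    telnet attempts: two with the same source port, one with a new source port."""
    cache = TemplateCache()
    flows = [Conn("10.0.0.5", "192.0.2.10", 6, 40000 + i, 443) for i in range(10)]
    flows += [Conn("10.0.0.5", "192.0.2.10", 6, 50000, 23)] * 2
    flows += [Conn("10.0.0.5", "192.0.2.10", 6, 50001, 23)]
    actions = [cache.handle(c) for c in flows]
    return actions, dict(cache.stats)


if __name__ == "__main__":
    actions, stats = simulate()
    print(actions)
    print(stats)  # {'rule_match': 3, 'accept_template': 9, 'drop_template': 1}
```

Only the first HTTPS connection is matched against the Rule Base; the other nine hit the Accept Template because the source port is ignored. The dropped telnet attempts behave differently: the template only helps when the source port repeats, so a client (or a flood) that uses a fresh source port per attempt sends every connection through the Rule Base again.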
Denotes non-VPN connections that SecureXL forwarded to the Firewall. See Firewall Path.
Denotes VPN connections that SecureXL forwarded to the Firewall. See Firewall Path.
See Accelerated Path.
Packet flow on the Host Security Appliance, when the SecureXL device is unable to process the packet (see sk32578). The packet is passed to the CoreXL layer and then to one of the CoreXL Firewall instances for full processing. This path also processes all packets when SecureXL is disabled. This path is also called Slow Path.
The name of the command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Maestro Hyperscale Orchestrators. Commands you run in this shell apply to all Security Appliances in the Security Group.
Internet Protocol Version 4 (see RFC 791). An IPv4 address is a 32-bit number, written as 4 decimal numbers separated by dots, each from 0 to 255. For example, 192.168.2.1.
Internet Protocol Version 6 (see RFC 2460 and RFC 3513; these have since been obsoleted by RFC 8200 and RFC 4291). An IPv6 address is a 128-bit number, written as 8 groups of hexadecimal digits separated by colons, each group from 0 to ffff. For example, FEDC:BA98:7654:3210:FEDC:BA98:7654:3210.
A state of binding an IRQ to one or more CPU cores.
A scalable Network Security System that connects multiple Check Point Security Appliances into a unified system.
Name for the combination of CPAS and SecureXL. Starting in R80.20, CPAS also uses the SecureXL path to achieve higher performance.
Example:
Packet flow on the Host Security Appliance, when the packet is handled by the SecureXL device but the connection still needs inspection by a CoreXL Firewall instance for part of its traffic.
The CoreXL layer passes the packet to one of the CoreXL Firewall instances to process it. Even when CoreXL is disabled, SecureXL uses the CoreXL infrastructure to send the packet to the single Firewall instance that still functions. When the Medium Path is available, SecureXL fully accelerates the TCP handshake: the Rule Base match for the first packet is achieved through an existing connection acceleration template, and SecureXL also fully accelerates the TCP [SYN-ACK] and TCP [ACK] packets.
However, once data starts to flow, an FWK instance handles the packets so that the data can be streamed for Content Inspection. SecureXL sends all packets that contain data to FWK for data extraction, so that FWK can build the data stream.
Only the SecureXL handles the TCP [RST], TCP [FIN] and TCP [FIN-ACK] packets, because they do not contain data that needs to be streamed. This path is available only when CoreXL is enabled.
Exceptions are:
An acceleration feature that lets you assign more than one packet queue and CPU core to an interface.
SecureXL feature that accelerates the speed at which NAT connections are processed. SecureXL Templates are supported for Static NAT and Hide NAT, using the existing SecureXL Accept Templates mechanism.
In cases where traffic levels exceed the capabilities of the Security Gateway hardware, because of either legitimate traffic or a DoS attack, it is crucial that the Security Gateway maintains management communication and continues to interact with its dynamic routing neighbors. The Priority Queues functionality prioritizes control connections over data connections. See sk105762.
Passive Streaming Library.
Packets may arrive at the Security Gateway out of order, or may be legitimate retransmissions of packets that have not yet been acknowledged. In some cases, a retransmission may also be a deliberate attempt to evade IPS detection by sending the malicious payload in the retransmission, so that the inspection engine and the destination host see different data for the same sequence range. The Security Gateway ensures that only valid packets are allowed to proceed to their destinations. It does this with the Passive Streaming Library (PSL) technology.
For more details, see sk95193 - ATRG: IPS.
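The two cases the PSL paragraph names, out-of-order arrival and retransmissions whose payload differs from what was already seen, are easy to confuse in an implementation, so here is a minimal stream reassembler that handles both (added example code, not Check Point's PSL; the sequence numbers and HTTP payloads are constructed). Identical retransmissions pass, a retransmission that changes already-accepted bytes is dropped, and early segments are buffered until the gap before them is filled.

```python
# Constructed model of what a Passive Streaming Library has to do with out-of-order
# segments and retransmissions; example code, not Check Point's PSL. Sequence numbers
# and payloads are made up. Memory is not bounded here: a real implementation would
# discard bytes once the peer has acknowledged them.


class PslStream:
    """One direction of a TCP connection. Segments are reassembled in sequence order, and
    any retransmission must carry exactly the bytes already accepted for that range."""

    def __init__(self, isn: int) -> None:
        self.next_seq = isn                      # sequence number of the next in-order byte
        self.accepted: dict[int, int] = {}       # seq -> byte value, every byte accepted so far
        self.delivered = bytearray()             # in-order stream handed to inspection
        self.verdicts: list[tuple[str, int, str]] = []

    def receive(self, seq: int, data: bytes) -> str:
        # 1. Consistency check: bytes overlapping an already-accepted range must be
        #    identical. A differing retransmission is the classic evasion (the endpoint
        #    may honour the new payload while an inspector kept the old one), so drop it.
        for i, b in enumerate(data):
            prev = self.accepted.get(seq + i)
            if prev is not None and prev != b:
                self.verdicts.append(("drop", seq, "retransmission differs from accepted data"))
                return "drop"
        # 2. Record the bytes. Anything ahead of next_seq simply waits in `accepted`
        #    until the gap before it is filled.
        ahead = seq > self.next_seq
        new_bytes = 0
        for i, b in enumerate(data):
            if seq + i not in self.accepted:
                self.accepted[seq + i] = b
                new_bytes += 1
        # 3. Deliver everything that is now contiguous to the inspection engine.
        while self.next_seq in self.accepted:
            self.delivered.append(self.accepted[self.next_seq])
            self.next_seq += 1
        if new_bytes == 0:
            note = "identical retransmission"
        elif ahead:
            note = "out of order, buffered"
        else:
            note = "in order"
        self.verdicts.append(("accept", seq, note))
        return "accept"


def demo() -> tuple[bytes, list[str], list[tuple[str, int, str]]]:
    """Five constructed segments of one HTTP request, initial sequence number 1000."""
    s = PslStream(1000)
    s.receive(1000, b"GET /")           # in order
    s.receive(1010, b" HTTP/1.0\r\n")   # arrives early: buffered until 1005-1009 show up
    s.receive(1005, b"index")           # fills the gap: the whole request is delivered
    s.receive(1005, b"index")           # benign retransmission: identical, accepted
    s.receive(1005, b"admin")           # evasion attempt: same seq range, different bytes
    return bytes(s.delivered), [v[0] for v in s.verdicts], s.verdicts


if __name__ == "__main__":
    delivered, verdicts, details = demo()
    print(delivered)   # b'GET /index HTTP/1.0\r\n'
    print(verdicts)    # ['accept', 'accept', 'accept', 'accept', 'drop']
    for v in details:
        print(v)
```

The check in step 1 is the security-relevant part: without it, a reassembler has to choose between "first segment wins" and "last segment wins", and whichever policy differs from the destination host's TCP stack gives the attacker a way to show the inspector one payload and the server another.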
Technology name for the combination of SecureXL and PSL (Passive Streaming Library). In R80.10 and lower versions, this was called PXL.
Technology name for the combination of SecureXL and QoS. It has no direct association with PXL and is used exclusively for QoS.
Receive packet queue. See Multi-Queue.
Check Point acceleration solution that maximizes performance of the Firewall and does not compromise security. When enabled, some CPU intensive operations are processed by virtualized software or dedicated hardware (for example, an acceleration card) instead of the Firewall kernel.
A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears as a single Security Gateway.
Every Security Group contains:
Security Gateway Module. Part of the Security Group that contains the assigned Security Appliances. An SGM in a Security Group has one IPv4 address and represents all assigned Security Appliances as one entity.
See Firewall Path.
The first packets of a new TCP connection require more inspection when processed by the Firewall module. If the connection is eligible for acceleration, then after minimal security inspection the packet is offloaded to the SecureXL device associated with the applicable outbound interface. Subsequent packets of the connection can be processed on the Accelerated Path and sent directly from the inbound to the outbound interface through the SecureXL device.
The flow of data between network devices.
Transmit packet queue. See Multi-Queue.