HyperFlow
Overview
Elephant flows are large (in total number of bytes) continuous connections that the TCP or UDP establishes.
For example, a download of a large file (such as a Linux ISO file) over the HTTP, HTTPS, FTP, or NFS protocol.
These large continuous connections consume the network capacity significantly in comparison to other types of data sessions.
Without the HyperFlow feature, a Security Gateway
Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. uses only one CPU core (one CoreXL Performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores. Firewall instance) to inspect one elephant connection. In addition, traffic throughput decreases gradually as the CPU utilization increases on the Security Gateway.
The HyperFlow feature on Security Gateways R81.20 and higher handles such elephant connections on more than one CPU core in parallel.
The HyperFlow feature breaks the whole inspection task into smaller tasks and dispatches these smaller tasks to the available CPU cores:
|
The tasks without the HyperFlow |
The tasks with the HyperFlow |
|---|---|
|
|
As a result, the HyperFlow feature:
-
Increases throughput of elephant connections when Threat Prevention Software Blades are enabled (the Security Gateway takes less time to inspect elephant connections).
This is possible only if the network infrastructure is not a "bottleneck".
-
Automatically detects and dynamically allocates the CPU cores between main tasks on a Security Gateway.
-
Improves response time from the CoreXL FWK processes while they inspects elephant connections (the idle time of the corresponding CPU cores increases).
|
|
Important:
|
|
|
Notes:
|
For additional information, see sk178070.
Watch the video:
Requirements
-
Check Point Appliance models with at least 8 CPU logical cores.
For the list of supported models, see sk178070.
-
Firewall in User Mode (USFW). See sk167052.
-
Enable the CoreXL Dynamic Balancing (see Dynamic Balancing of CoreXL Instances):
dynamic_split –o enable -
Configure SecureXL
Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway. to work in Kernel Mode (KPPAK) (see Configuring SecureXL). -
Enable the applicable Software Blades from one of these categories:
Glossary
|
Term |
Description |
||
|---|---|---|---|
|
CoreXL_FW |
A CoreXL Firewall instance that handles the traffic concurrently. Each CoreXL Firewall instance is independent and replicated multiple times (see CoreXL). Each replicated CoreXL Firewall instance runs on one processing CPU core.
|
||
|
CoreXL_SND |
A CoreXL Secure Network Distributor (SND) responsible for:
|
||
|
CoreXL_FW_RESERVED |
A logical sibling of a CoreXL Firewall instance (FW worker) that handles a heavy connection. When a logical CPU core is utilized at a high level because it handles heavy connections, its logical sibling can be stopped to decrease its utilization of resources from the physical CPU core. Chain on events:
|
||
|
PPE |
Parallel Processing Engine architecture. This is the HyperFlow dynamic infrastructure that allocates CPU cores as required to increase the throughput of Elephant connections. This is the thread that polls the interface queues and retrieves packets. Also known as Dual Mode Job Dispatcher (DMD). |
||
|
PPE_MGR |
Parallel Processing Engine Manager. Receives packet payload and dispatches jobs to PPE. Works on a complete physical CPU core.
|
||
|
PPE_MGR_RESERVED |
A sibling of PPE_MGR. Because PPE_MGR works on a complete physical CPU core, it is not possible to use other logical CPU cores on that physical CPU core. The logical siblings have the status "PPE_MGR_RESERVED"
|
||
|
PPE_WT |
Parallel Processing Engine Worker Thread. Receives packet handling jobs from the Parallel Processing Engine Manager. Dispatches jobs to Worker Threads (WTs.) Works on a complete physical CPU core.
|
||
|
DPDK |
Data Plane Development Kit. |
||
|
PMD |
Poll Mode Driver. |
||
|
WT |
Worker Thread. The thread that executes the packet handling logic. In plural: WTs |
Syntax
|
|
|
|
Parameters
|
Parameter |
Description |
||
|---|---|---|---|
|
No Parameters |
Shows the built-in help. |
||
|
|
Must enter this command only on Security Gateways other than Scalable Platforms. |
||
|
|
Must enter this command only on Scalable Platforms. |
||
|
|
Shows the advanced options. |
||
|
|
Allows new connections to be opened as accelerated pipeline connections - the Security Gateway uses the new asynchronous parsers for connections. This is the default.
|
||
|
|
Configures the asynchronous flow mode (this is the default). In this mode, CoreXL Firewall instances send jobs to the PPE.
|
||
|
|
Restores default settings |
||
|
|
Shows the statistics for the heaviest connection with the maximum duration (number of packets and bytes). |
||
|
|
Disables the feature.
|
||
|
|
Enables the feature. This is the default (on Check Point Appliances that meet the requirements).
|
||
|
|
Shows the accelerated elephant connections in the pipeline. |
||
|
|
Prevents new connections from being opened as accelerated pipeline connections. In this mode, the Security Gateway uses the legacy parsers for connections.
|
||
|
|
Configures the Job Dispatcher (PPE) and Working Threads (WTs) to sleep.
|
||
|
|
Shows the status and configuration of the feature. The output shows these lines with the applicable values:
|
||
|
|
Configures the synchronous flow mode. In this mode, CoreXL Firewall instances do not send jobs to the PPE.
|
||
|
|
Wakes up the Job Dispatcher (PPE) and Working Threads (WTs) from sleep. The PPE gets CPU cores available for allocation. |
Monitoring in CPView
You can monitor how the HyperFlow performs on the Security Gateway.
Viewing if HyperFlow is enabled or disabled
-
Go to CPU > Advanced
-
If the tab Hyperflow appears, it means HyperFlow is enabled
Viewing if HyperFlow is active or sleeping
-
Go to CPU > Advanced > Hyperflow > Overview
-
Examine the field PPE_MGR state
Viewing the allocation of CPU cores
-
Go to CPU > Overview > Host
-
Examine the last section CPU (pay attention to the column Idle)
Viewing the CPU load from specific elephant connections
-
On the Security Gateway, examine the elephant connections in the past 24 hours and which CoreXL Firewall instance inspects them (see the "
[fw_<Number>]" in the beginning of each line):fw ctl multik print_heavy_connExample:
;[fw_5]: Conn: 192.168.10.20:60478 -> 172.30.40.50:80 IPP: 6; Instance load: 63%; Connection instance load: 99%; ...<truncated>... -
In CPView, go to CPU > Top-Connections > Instances<X>-<Y> (for example, Instances0-5) > Instance<Z> (for example, Instance5)
-
In the last section Top Connections, examine the columns "% out of CPU" and "% out of WT CPU"
Example (this is only the applicable part of the output):
Top Connections Connection Protocol % out of CPU % out of WT CPU 192.168.10.20:60478 -> 172.30.40.50:80 TCP:http 70.81% 48.97%
Viewing the status of the PPE
-
Go to Advanced > HyperFlow > Overview > PPE_0
-
Click the applicable tab
-
Examine these sections:
Section
Gauge
Description
PPE overview
PPE state
Shows the state of the feature - Active or Asleep
Pipeline status
Free
The number of free slots in the pipeline (maximum is 320)
Active
Slots that PPE is currently using
Job pending
Slots whose execution depends on another job
Slot pending
Jobs whose execution depends on an available slot in the pipeline
Overload indicators
No pipeline entry
PPE_MGR had no free slots in the pipeline
WT slot unavailable
The WTs have no available slots
Viewing the PPE messages from the Firewall
-
Go to Advanced > HyperFlow > Firewall-messages
-
Examine these sections:
Section
Gauge
Description
Sessions and data
New session
Number of new opened sessions
Update session
Number of updated session (for example, because of policy installation)
End session
Number of sessions that ended
Current session
Number of currently opened sessions
Data
Number of received data buffers
Errors
Various internal PPE errors
Messages received in a single read loop (Histogram)
In each loop, the PPE_MGR can read up to 32 items from the receiving queue.
This section shows a histogram of the times the PPE_MGR read items from the queue and how many were "waiting" in the queue (up to 32)
Viewing the number of jobs and their execution time
-
Go to Advanced > HyperFlow > Jobs > PPE
-
Examine these sections:
-
Sent to firewall (count)
-
Average execution time (Cycles)
-
Viewing the queue utilization
-
Go to Advanced > HyperFlow > Comm > PPE
-
Examine these sections:
-
Enqueue
-
Dequeue
-
Viewing the number and state of Worker Threads
-
Go to Advanced > HyperFlow > WT
-
Examine these rows:
-
Number of WTs
-
Worker ID State
-
Limitations
-
Firewall in Kernel Mode (KFW) is not supported.
-
Open Servers and Virtual Machines are not supported.
-
Cloud platforms are not supported.
-
HyperFlow is not supported when the Security Gateway / Cluster is configured to work as an HTTP/HTTPS Proxy.
-
When an elephant connection triggers the HyperFlow, the outputs of the "
top" and "ps" commands may show that the HyperFlow user space processes consume some CPU cores at 99-100%.This happens because HyperFlow is constantly polling its queues to handle the incoming jobs. After the elephant connection closes, the output of these commands shows that the user space "
us" consumption goes back to regular levels because HyperFlow stops processing the jobs.To see the actual load on the CPU, use CPView (
CPU>Overview>Host), SNMP, or SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..This does not trigger inspection bypass because of a high CPU load.
-
When the HyperFlow feature is enabled, the speed of an elephant flow may not increase in these cases:
-
This is a complex connection that requires special parsers – CIFS, SMB, FTP, SCP, VoIP
-
This connection undergoes the Content Awareness
Check Point Software Blade on a Security Gateway that provides data visibility and enforcement. See sk119715. Acronym: CTNT. or a Data Loss Prevention Check Point Software Blade on a Security Gateway that detects and prevents the unauthorized transmission of confidential information outside the organization. Acronym: DLP. policy -
This connection has dynamic content and goes through the Pattern Matcher 1st tier
-
Strict Hold is enabled (the
$FWDIR/conf/malware_configfile on the Security Gateway contains "strict_hold_enable=1") -
This connection is HTTPS and the HTTPS Inspection is disabled
-
-
When you enable only the Firewall Software Blade in the Security Gateway object, the HyperFlow feature does not improve the performance.
This is because SecureXL accelerates connections that do not undergo the inspection, while the HyperFlow accelerates connections that undergo the inspection by various Software Blades.
Troubleshooting
-
Log files (the main file is rotated every 10 megabytes):
-
$FWDIR/log/dsd.elg -
$FWDIR/log/dmd.elg -
$FWDIR/log/dmd_controller.elg -
$FWDIR/log/connection_pipelining.elg
-
-
Internal configuration files (you must not edit these files):
-
$FWDIR/conf/connection_pipelining.conf -
$FWDIR/conf/connection_pipelining_params.conf
-
For additional information, see sk178070.