Elephant flows are large (in total number of bytes) continuous connections that the TCP or UDP establishes.

For example, a download of a large file (such as a Linux ISO file) over the HTTP, HTTPS, FTP, or NFS protocol.

These large continuous connections consume the network capacity significantly in comparison to other types of data sessions.

Without the HyperFlow feature, a Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. uses only one CPU core (one CoreXLClosed Performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores. Firewall instance) to inspect one elephant connection. In addition, traffic throughput decreases gradually as the CPU utilization increases on the Security Gateway.

The HyperFlow feature on Security Gateways R81.20 and higher handles such elephant connections on more than one CPU core in parallel.

The HyperFlow feature breaks the whole inspection task into smaller tasks and dispatches these smaller tasks to the available CPU cores:

The tasks without the HyperFlow

The tasks with the HyperFlow

  1. Packet retrieval

  2. Inbound Streaming

  3. Protocol parsers

  4. Context Management InterfaceClosed (1) Interface on a Gaia Security Gateway or Cluster member, through which Management Server connects to the Security Gateway or Cluster member. (2) Interface on Gaia computer, through which users connect to Gaia Portal or CLI. / Infrastructure (CMI)

  5. Pattern Match (PM) and Hash (MD5, SHA)

  6. Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. logic

  7. Outbound Streaming

  8. Routing

  9. Packet transmission

  1. Inbound processing in CoreXL Firewall:

    1. Packet retrieval

    2. Inbound Streaming

    3. Protocol parsers

    4. Context Management Interface / Infrastructure (CMI)

  2. Internal PPE processing (on many CPU cores):

    1. Pattern Match (PM) and Hash (MD5, SHA)

    2. Packet transmission

  3. Outbound processing in CoreXL Firewall:

    1. Software Blade logic

    2. Outbound Streaming

    3. Routing

As a result, the HyperFlow feature:

  • Increases throughput of elephant connections when Threat Prevention Software Blades are enabled (the Security Gateway takes less time to inspect elephant connections).

    This is possible only if the network infrastructure is not a "bottleneck".

  • Automatically detects and dynamically allocates the CPU cores between main tasks on a Security Gateway.

  • Improves response time from the CoreXL FWK processes while they inspects elephant connections (the idle time of the corresponding CPU cores increases).


  • By default, the HyperFlow feature is enabled on Check Point Appliances that meet the requirements.

  • By design, the HyperFlow feature works only in the User Space Firewall (USFW).

  • By design, the HyperFlow feature engages only when needed, and when the total CPU load allows it.

    The total throughput has priority over elephant connections.


  • By design, a manual allocation of CPU cores is not necessary. Therefore, it is not possible.

    You can configure thresholds to control when HyperFlow is active or passive.

  • By default, HyperFlow works in the standby mode.

    HyperFlow is triggered (becomes active) when a heavy connection is detected.

    HyperFlow becomes passive when the heavy connection is closed.

For additional information, see:

Watch the video: