The 2 most important things that you need to remember:
This is the evolution of the VSX product. We have been doing virtualization for more than 10 years. We are good at it, and this is the best version ever.
There are no more VSX releases. From now on, virtualization is a part of every main train release. Each Check Point main train release can run in 2 modes: either virtual or physical.
Software Blade Architecture is now supported on VS – customized protection with different Software Blades on each Virtual System.
Lower TCO by consolidating multiple physical gateways into a virtualized environment, and simplify the security management and provisioning at the same time.
More connection capacity and security throughput with the 64-bit GAiA OS, higher throughput performance with multi-core (CoreXL) technology, linear scalability with VSLS.
Performance and scalability increased dramatically.
Now with IPv6 we can easily meet the challenge.
The enterprise is refreshing its perimeter and datacenter security gateways.
Enterprise perimeter security today:
Using a cluster of IP appliances to secure internet access
Using a VPN solution for remote access
Using Websense for URL filtering
With VSs, the customer can use one VS for perimeter security, one VS for VPN remote access, and one VS for URL Filtering and Application Control.
This is how you calculate the overall memory consumption of the system. When choosing an appliance you should be aware of this.
VS0 – 500MB
VS1 – IPS, VPN
VS2 – IPS, AV, AB
VS3 – IPS, APPI, URLF
Let's have a short demo about memory in our system. Here we see a system where a Virtual Switch and 2 Virtual Systems are configured. As you can see, the Virtual Switch also consumes memory. First, let's start with a Firewall-only configuration on both Virtual Systems. Now let's activate some blades on the Virtual System with VSID 2. As you can see, the impact is seen on this Virtual System only.
Let's talk about CoreXL. CoreXL allows you to use multiple cores for handling medium and slow path traffic. More CoreXL instances will not improve fast path performance. In our case, you can configure CoreXL per Virtual System. You can have a different number of CoreXL instances in each Virtual System. It is configured in the SDB. Each instance that you create uses additional system memory. A Virtual System with five instances would use approximately the same amount of memory as five separate Virtual Systems.
An additional important tool for health monitoring is CPU resource control. At this point we only support monitoring of CPU resources and not control of these resources.
This is a demo of CoreXL and the fw ctl affinity utility. This is the same configuration as before. We are looking at Virtual System 3, which has 1 CoreXL instance and an out-of-the-box affinity. We can see here all the processes that belong to this Virtual System. fwk is the process that runs the firewall inspection code. fwk has 2 threads that are always present.
We have now configured 3 CoreXL instances on VS3, and we now see 2 new threads, _1 and _2. The default affinity is still to run on all CPUs.
Now, using the affinity command, we can pin a specific instance of a VS, or the entire VS, to a specific core.