Check Point Virtual Systems

Check Point Virtual
Systems: Consolidation,
Virtualization, Security

Ayelet Shenderov
Cfear Kimhi
CPX 2013
[Protected] For public distribution

©2013 Check Point Software Technologies Ltd.

Agenda

1

Overview

2

Dive into Memory, CPU and Clustering

3

Performance and Scalability



2

Overview


What’s New in Virtual Systems

Next Generation Virtual System:
Software Blades security now available with
Virtual Systems on Check Point Appliance
All Software Blades on
Every Virtual System

Simplify and
Consolidate

Boosting
Performance

VSLS
Check Point

Leveraging existing management solutions


4

Software Blades for Virtual Systems
Firewall

IPS

Identity
Application
Awareness
Control

URL
Filtering

Antivirus

Anti-Bot

Mobile
Access*

Software Blades on Virtual Systems

… and Open Servers

Virtual System on Any Platform

Software Blade Security on Every Virtual System
* SSL VPN available in later release


5

Performance Boost and Scalability

Check Point

High
Connection
Capacity

 8X concurrent connections with 64-bit
GAiA OS
 Advanced routing options with multiple
routing and multicasting protocols

 Check Point CoreXL technology
Multi-Core
 Enhanced deep packet inspection
Performance
throughput with security acceleration

Linear
Scalability

 Patented VSLS technology
 Scale up to 12 cluster members



6

61000 Virtual Systems Support

FW

IA

VPN

ADNC

MOB

IPS

APCL

URLF

AV

AB

Consolidate Gateways with Virtual Systems
Customized per-VS Software Blade Security

IPS

IPS

*DLP is not supported in VS mode
(only available in physical security GW mode)

VPN

AV

Anti-Bot

IA

APCL

URLF


AV


7

New R76 Release
Unlimited number of IP addresses
(billion billion billion times more addresses)

Unique device
identity

Zero cost
addresses

Support billions
of new devices!



8

Memory
Consumption and Monitoring



9

Use Case – Before
IP 530 cluster

 0.2 Gbps throughput
 5K concurrent connections

IP 650 cluster

IP 380 cluster





10

Use Case – With Virtual Systems
VS-1

 IPS and VPN

VS-2

VS-3

 IPS, Anti-Virus and Anti-Bot

 IPS, AppControl and URLF



11

Use Case – with VS – Memory
VS-1

 IPS + VPN = 77MB
 5K Connection = 11MB

System
Memory

VSO
500

=

+

VS1
77+11

+

VS2
115+105

+

VS3
90+53

=

951MB

=
VS-2

VS-3

 IPS + AV + AB = 115MB
 10K connection = 105MB


 IPS + APPI+URLF = 90MB
 5K Connection = 53MB


12

Monitoring Memory Resources
 “fw vsx mstat” command shows an overview of the memory that the system
and each Virtual System is using.
 Global memory resources shown:
– Memory Total – Total physical memory on the Gateway
– Memory Free – Available physical memory
– Swap Total – Total of swap memory
– Swap Free – Available swap memory
– Swap-in Rate – Total memory swaps per second
[Expert@gizamem1:0]# fw vsx mstat

Things to notice:
 Memory free is not enough for
the needed growth
 Swap-in rate higher than 0
over time

VSX Memory Status
=================
Memory Total: 1007.72 MB
Memory Free: 539.29 MB
Swap Total: 2047.34 MB
Swap Free: 2047.34 MB
Swap-in rate: 0.00 MB

VSID | Memory Consumption
======+====================
0 |
186.63 MB
1 |
31.48 MB
2 |
81.66 MB
3 |
48.40 MB



13

Memory Monitoring Demo
[Expert@gizamem1:0]# fw vsx
mstat

[Expert@gizamem1:0]# fw vsx
mstat

VSX Memory Status
=================

VSX Memory Status
=================

======+====================
0 |
213.73 MB
1 |
30.79 MB
2 |
60.69 MB
3 |
62.22 MB

======+====================
0 |
215.33 MB
1 |
30.79 MB
2 |
87.47 MB
3 |
62.65 MB

[Expert@gizamem1:0]#


2 Virtual Systems – Firewall only


2 Virtual Systems – 1 Firewall only
1 IPS recommended,
Application Control, URL Filtering

14

CPU
CoreXL, Affinity and Monitoring



15

CoreXL per VS
 CoreXL increases the performance
of the physical appliance with the ability to utilize multiple
cores. It creates multiple firewall instances and allows to
increase medium and slow path throughput.

 CoreXL configuration is set per VS
– If possible,
allocate separate
cores for the
SNDs and FWK



16

CPU Resources
 Monitoring
– Provides real-time information on the present and average
CPU consumption by the Virtual Systems using SNMP and cli
– The calculations were adapted to support multiple Virtual
Systems running on multiple cores

 Allocation
– New option in „fw ctl affinity‟ to support Virtual Systems
and/or single VS instances
– Have maximum flexibility with core allocation per
Virtual System or per specific process or thread
Note: CPU Resource Control enforcement is not supported yet


17

Demo of CoreXL and affinity
VS3 has 1 CoreXL instance and is configured with an out of box affinity
Fwk can run on either one of cores 1-3
[Expert@gizamem1:0]# fw ctl affinity -l -x -vsid 3 -flags tne
--------------------------------------------------------------------|PID
|VSID |
CPU
|SRC|V|KT |EXC|
--------------------------------------------------------------------|
5394 |
3 |
all |
| |
|
|
|
5397 |
3 |
all |
| |
|
|
|
5612 |
3 |
all |
| |
|
|
|
5630 |
3 |
all |
| |
|
|
|
5631 |
3 |
all |
| |
|
|
|
5399 |
3 |
all |
| |
|
|
|
5608 |
3 |
all |
| |
|
|
|
5609 |
3 |
all |
| |
|
|
|
5610 |
3 |
all |
| |
|
|
|
5611 |
3 |
all |
| |
|
|
|
5788 |
3 |
all |
| |
|
|
|
5406 |
3 |
1 2 3 | P | |
|
|
|
5437 |
3 |
1 2 3 | P | |
|
|
|
5438 |
3 |
1 2 3 | P | |
|
|
|
5431 |
3 |
all |
| |
|
|
|
6003 |
3 |
all |
| |
|
|
|
6012 |
3 |
all |
| |
|
|
|
6337 |
3 |
all |
| |
|
|
---------------------------------------------------------------------


NAME
fwk_wd
cpd
|---cpd
|---cpd
|---cpd
fw
|---fw
|---fw
|---fw
|---fw
|---fw
fwk3_dev
|---fwk3_0
|---fwk3_hp
mpdaemon
cphamcset
|---cphamcset
routed


18

VS3 has 3 CoreXL instance and is configured with an out of box affinity
Fwk can run on either one of cores 1-3
--------------------------------------------------------------------|PID
|VSID |
CPU
|SRC|V|KT |EXC|
--------------------------------------------------------------------|
5127 |
3 |
all |
| |
|
|
|
5140 |
3 |
all |
| |
|
|
|
5263 |
3 |
1 2 3 | P | |
|
|
|
5269 |
3 |
1 2 3 | P | |
|
|
|
5270 |
3 |
1 2 3 | P | |
|
|
|
5271 |
3 |
1 2 3 | P | |
|
|
|
5272 |
3 |
1 2 3 | P | |
|
|
|
5363 |
3 |
all |
| |
|
|
|
5396 |
3 |
all |
| |
|
|
|
5399 |
3 |
all |
| |
|
|
|
5400 |
3 |
all |
| |
|
|
|
5386 |
3 |
all |
| |
|
|
|
5443 |
3 |
all |
| |
|
|
|
5444 |
3 |
all |
| |
|
|
|
5445 |
3 |
all |
| |
|
|
|
5448 |
3 |
all |
| |
|
|
|
6109 |
3 |
all |
| |
|
|
|
5549 |
3 |
all |
| |
|
|
|
5578 |
3 |
all |
| |
|
|
|
6337 |
3 |
all |
| |
|
|
---------------------------------------------------------------------


NAME
fwk_wd
mpdaemon
fwk3_dev
|---fwk3_0
|---fwk3_1
|---fwk3_2
|---fwk3_hp
cpd
|---cpd
|---cpd
|---cpd
fw
|---fw
|---fw
|---fw
|---fw
|---fw
cphamcset
|---cphamcset
routed


19

VS3 has 3 CoreXL instance and is configured with static affinity set by
1. vsenv 3
2. fw ctl affinity -s -d -inst 1 -cpu 2
Fwk3 instance 1 can run on cpu 2 only
--------------------------------------------------------------------|PID
|VSID |
CPU
|SRC|V|KT |EXC|
--------------------------------------------------------------------|
5127 |
3 |
all |
| |
|
|
|
5140 |
3 |
all |
| |
|
|
|
5263 |
3 |
1 2 3 | P | |
|
|
|
5269 |
3 |
1 2 3 | P | |
|
|
|
5270 |
3 |
2 | I | |
|
|
|
5271 |
3 |
1 2 3 | P | |
|
|
|
5272 |
3 |
1 2 3 | P | |
|
|
|
5363 |
3 |
all |
| |
|
|
|
5396 |
3 |
all |
| |
|
|
|
5399 |
3 |
all |
| |
|
|
|
5400 |
3 |
all |
| |
|
|
|
5386 |
3 |
all |
| |
|
|
|
5443 |
3 |
all |
| |
|
|
|
5444 |
3 |
all |
| |
|
|
|
5445 |
3 |
all |
| |
|
|
|
5448 |
3 |
all |
| |
|
|
|
6109 |
3 |
all |
| |
|
|
|
5549 |
3 |
all |
| |
|
|
|
5578 |
3 |
all |
| |
|
|
|
6337 |
3 |
all |
| |
|
|
|
8307 |
3 |
all |
| |
|
|
--------------------------------------------------------------------[Protected] For public distribution

NAME
fwk_wd
mpdaemon
fwk3_dev
|---fwk3_0
|---fwk3_1
|---fwk3_2
|---fwk3_hp
cpd
|---cpd
|---cpd
|---cpd
fw
|---fw
|---fw
|---fw
|---fw
|---fw
cphamcset
|---cphamcset
routed
fw


20

How to Optimize Your CPU Utilization
In addition to the usual optimizations there are several VS
specific optimizations:

1. If there is a lot of traffic going through the medium and the
slow path – consider adding more CoreXL instances
where required

2. Assign dedicated cores to this VS using „fw ctl affinity‟
3. Use VSLS and distribute the VSs better to suit traffic load
4. Add more members to the VSLS cluster



21

Clustering ‒ VSLS



22

Use Case – Merger
Allows gradual
consolidation and
reorganization

Add more
Virtual Systems
as required



23

Virtual System Load Sharing
 Distributes Virtual Systems
between different gateways

 Sync
– VS in Backup is not synced
– Sync only between Active &
Standby (unicast sync)

 VS distribution
– Performed automatically or
manually (vsx_util
redistribute_vsls)
– Depends on priorities and
weights
SYNC



24

VSLS
 The performance throughput parameters are increased
linearly with VSLS. Example:
Single 12600

VSLS 12600*2

30Gbps

54.0Gbps

IPS Throughput

5Gbps

9.8Gbps

VPN Throughput

7Gbps

12.5Gbps

Firewall
Throughput

 VSLS allows gradual growth
– Deploy 2 members now and add more later

 Support of up to 12 cluster members



25

Other Highlights
 Monitor MIBs per Virtual System, using SNMPv3
– Allows querying information per VS including networking MIB
– Two modes of SNMP monitoring
• Default mode – monitors VS0 only
• VS mode – supports SNMP monitoring per each VS

 SmartView Monitor
– Support per VS and system monitoring

 Multi-Queue
– Multi-queue lets you configure more than one traffic queue
for each network interface. This means more than one CPU
can be used for acceleration.

 Hit-Count
– Hit Count tracks the number of connections that each
rule matches


26

Performance and
Scalability


Major Performance Aspects
Comparing to Comparing to R75.40VS
VSX R67
in Physical mode (SG)
Firewall Throughput

Better

Same

IPS DFS throughput

Better

Same

VPN throughput

Same

Same

Real world traffic
(IPS/AppControl/NAT/Logs)

Better

Same*

Concurrent connections

Better

Same**

Maximum number of
Virtual Systems

Lower

N/A

* Depends on the number of VS.
** Requires 2-4 VSs to reach the best number. Depends on the RAM size.



28

How to Calculate the SPU

VS1
SPU

VS0
SPU
VS2
SPU

 Aggregate all the SPUs
of each Virtual System

 Use the table of the
number of Virtual
Systems influence per
appliance

Required SPU without
virtualization influence
VS0 that is used for management only is 10 SPUs


29

Use Case – with VS – SPU
VS-1

 IPS, VPN

Total
SPUs

VS0
10

=

+

VS1
68

+

VS2
661

+

VS3
185

=

Required
924

=
VS-2
VS-3
12600 (1861 SPUs) would be a good choice

 IPS, AV, AB

 IPS, APPI, URLF

4 Virtual Systems do not change this recommendation


30

Check Point Virtual Systems
Based on industry proven VSX solution
Allows Security Gateway Consolidation
Allows Gradual Growth
Provides Superior Performance and Stability

Simplifies Security with Virtualization



31

Questions?



32

Thank You



33

Check Point Virtual Systems

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Check Point Virtual Systems

Similar to Check Point Virtual Systems (20)

More from Group of company MUK

More from Group of company MUK (20)

Recently uploaded

Recently uploaded (20)

Check Point Virtual Systems

Editor's Notes