Check Point Virtual Systems: Consolidation, Virtualization, Security
Ayelet Shenderov, Cfear Kimhi
CPX 2013

  1. Check Point Virtual Systems: Consolidation, Virtualization, Security. Ayelet Shenderov, Cfear Kimhi. CPX 2013. [Protected] For public distribution. ©2013 Check Point Software Technologies Ltd.
  2. Agenda
      - Overview
      - Dive into Memory, CPU and Clustering
      - Performance and Scalability
  3. Overview
  4. What’s New in Virtual Systems. Next Generation Virtual System: Software Blades security now available with Virtual Systems on Check Point Appliance.
      - All Software Blades on Every Virtual System
      - Simplify and Consolidate
      - Boosting Performance (VSLS)
      - Leveraging existing management solutions
  5. Software Blades for Virtual Systems: Firewall, IPS, Identity Awareness, Application Control, URL Filtering, Antivirus, Anti-Bot, Mobile Access*.
      - Software Blades on Virtual Systems … and Open Servers: Virtual System on Any Platform
      - Software Blade Security on Every Virtual System
      - * SSL VPN available in a later release
  6. Performance Boost and Scalability
      - High Connection Capacity: 8X concurrent connections with 64-bit GAiA OS; advanced routing options with multiple routing and multicasting protocols
      - Multi-Core: Check Point CoreXL technology; enhanced deep packet inspection performance throughput with security acceleration
      - Linear Scalability: patented VSLS technology; scale up to 12 cluster members
  7. 61000 Virtual Systems Support: FW, IA, VPN, ADNC, MOB, IPS, APCL, URLF, AV, AB. Consolidate Gateways with Virtual Systems. Customized per-VS Software Blade Security (the diagram gives each VS its own blade set, drawn from IPS, VPN, AV, Anti-Bot, IA, APCL and URLF). *DLP is not supported in VS mode (only available in physical security GW mode).
  8. New R76 Release
      - Unlimited number of IP addresses (billion billion billion times more addresses)
      - Unique device identity
      - Zero cost addresses
      - Support billions of new devices!
  9. Memory Consumption and Monitoring
  10. Use Case – Before
      - IP 530 cluster: 0.2 Gbps throughput, 5K concurrent connections
      - IP 650 cluster: 0.3 Gbps throughput, 10K concurrent connections
      - IP 380 cluster: 0.2 Gbps throughput, 5K concurrent connections
  11. Use Case – With Virtual Systems
      - VS-1: 0.1 Gbps throughput, 5K concurrent connections, IPS and VPN
      - VS-2: 0.5 Gbps throughput, 10K concurrent connections, IPS, Anti-Virus and Anti-Bot
      - VS-3: 0.5 Gbps throughput, 5K concurrent connections, IPS, AppControl and URLF
  12. Use Case – with VS – Memory
      - VS-1: IPS + VPN = 77MB; 5K connections = 11MB
      - VS-2: IPS + AV + AB = 115MB; 10K connections = 105MB
      - VS-3: IPS + APPI + URLF = 90MB; 5K connections = 53MB
      - System Memory = VS0 500 + VS1 (77+11) + VS2 (115+105) + VS3 (90+53) = 951MB
  13. Monitoring Memory Resources
      - The “fw vsx mstat” command shows an overview of the memory that the system and each Virtual System is using.
      - Global memory resources shown:
        – Memory Total – Total physical memory on the Gateway
        – Memory Free – Available physical memory
        – Swap Total – Total of swap memory
        – Swap Free – Available swap memory
        – Swap-in Rate – Total memory swaps per second
      ```
      [Expert@gizamem1:0]# fw vsx mstat

      VSX Memory Status
      =================
      Memory Total:   1007.72 MB
      Memory Free:     539.29 MB
      Swap Total:     2047.34 MB
      Swap Free:      2047.34 MB
      Swap-in rate:      0.00 MB

      VSID  | Memory Consumption
      ======+====================
         0  |   186.63 MB
         1  |    31.48 MB
         2  |    81.66 MB
         3  |    48.40 MB
      ```
      Things to notice:
      - Memory free is not enough for the needed growth
      - Swap-in rate higher than 0 over time
  14. Memory Monitoring Demo: two snapshots of the same gateway.
      2 Virtual Systems – Firewall only:
      ```
      [Expert@gizamem1:0]# fw vsx mstat

      VSX Memory Status
      =================
      Memory Total:   2022.96 MB
      Memory Free:    1527.84 MB
      Swap Total:     2047.34 MB
      Swap Free:      2047.34 MB
      Swap-in rate:      0.00 MB

      VSID  | Memory Consumption
      ======+====================
         0  |   213.73 MB
         1  |    30.79 MB
         2  |    60.69 MB
         3  |    62.22 MB
      ```
      2 Virtual Systems – 1 Firewall only, 1 IPS recommended, Application Control, URL Filtering:
      ```
      [Expert@gizamem1:0]# fw vsx mstat

      VSX Memory Status
      =================
      Memory Total:   2022.96 MB
      Memory Free:    1496.03 MB
      Swap Total:     2047.34 MB
      Swap Free:      2047.34 MB
      Swap-in rate:      0.00 MB

      VSID  | Memory Consumption
      ======+====================
         0  |   215.33 MB
         1  |    30.79 MB
         2  |    87.47 MB
         3  |    62.65 MB
      ```
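As an added example that is not part of the deck, a small parser for the `fw vsx mstat` output shown above that applies the two "things to notice" (free memory against planned growth, swap-in rate above zero) and reports per-VS growth between two snapshots. The sample outputs are constructed from the demo slide's figures; the planned-growth figure is an assumption.

```python
import re

# Constructed samples using the figures on the "Memory Monitoring Demo" slide:
# BEFORE = 2 Virtual Systems, Firewall only; AFTER = IPS recommended profile,
# Application Control and URL Filtering enabled on one of them.
BEFORE = """\
VSX Memory Status
=================
Memory Total:   2022.96 MB
Memory Free:    1527.84 MB
Swap Total:     2047.34 MB
Swap Free:      2047.34 MB
Swap-in rate:      0.00 MB

VSID  | Memory Consumption
======+====================
   0  |   213.73 MB
   1  |    30.79 MB
   2  |    60.69 MB
   3  |    62.22 MB
"""
# Only the values that changed between the two slide snapshots differ.
AFTER = (BEFORE.replace("1527.84", "1496.03").replace("213.73", "215.33")
               .replace("60.69", "87.47").replace("62.22", "62.65"))

GLOBAL_RE = re.compile(r"^(Memory Total|Memory Free|Swap Total|Swap Free|Swap-in rate):"
                       r"[ \t]+([\d.]+) MB", re.M)
VS_RE = re.compile(r"^[ \t]*(\d+)[ \t]*\|[ \t]*([\d.]+) MB", re.M)

def parse_mstat(text):
    """Split 'fw vsx mstat' output into global counters and per-VS consumption (MB)."""
    counters = {name: float(mb) for name, mb in GLOBAL_RE.findall(text)}
    per_vs = {int(vsid): float(mb) for vsid, mb in VS_RE.findall(text)}
    return counters, per_vs

def headroom_findings(counters, planned_growth_mb):
    """The two 'things to notice' from the slide; planned_growth_mb is the operator's estimate."""
    findings = []
    if counters["Memory Free"] < planned_growth_mb:
        findings.append("free memory %.2f MB is below planned growth of %.2f MB"
                        % (counters["Memory Free"], planned_growth_mb))
    if counters["Swap-in rate"] > 0:
        findings.append("swap-in rate is above zero (%.2f MB)" % counters["Swap-in rate"])
    return findings

def vs_delta(before_vs, after_vs):
    """Per-VS growth in MB between two snapshots, e.g. after enabling blades on a VS."""
    return {vsid: round(after_vs.get(vsid, 0.0) - mb, 2) for vsid, mb in before_vs.items()}

def total_vs_mb(per_vs):
    """Memory attributed to all Virtual Systems together."""
    return round(sum(per_vs.values()), 2)
```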
  15. CPU: CoreXL, Affinity and Monitoring
  16. CoreXL per VS
      - CoreXL increases the performance of the physical appliance with the ability to utilize multiple cores. It creates multiple firewall instances and allows increasing medium and slow path throughput.
      - CoreXL configuration is set per VS – if possible, allocate separate cores for the SNDs and the FWK.
  17. CPU Resources
      - Monitoring – provides real-time information on the present and average CPU consumption by the Virtual Systems using SNMP and cli. The calculations were adapted to support multiple Virtual Systems running on multiple cores.
      - Allocation – new option in "fw ctl affinity" to support Virtual Systems and/or single VS instances. Have maximum flexibility with core allocation per Virtual System or per specific process or thread.
      - Note: CPU Resource Control enforcement is not supported yet.
  18. Demo of CoreXL and affinity. VS3 has 1 CoreXL instance and is configured with an out-of-box affinity: fwk can run on any one of cores 1-3.
      ```
      [Expert@gizamem1:0]# fw ctl affinity -l -x -vsid 3 -flags tne
      ------------------------------------------------------------------
      |PID   |VSID | CPU   |SRC|V|KT |EXC| NAME
      ------------------------------------------------------------------
      | 5394 | 3   | all   |   | |   |   | fwk_wd
      | 5397 | 3   | all   |   | |   |   | cpd
      | 5612 | 3   | all   |   | |   |   | |---cpd
      | 5630 | 3   | all   |   | |   |   | |---cpd
      | 5631 | 3   | all   |   | |   |   | |---cpd
      | 5399 | 3   | all   |   | |   |   | fw
      | 5608 | 3   | all   |   | |   |   | |---fw
      | 5609 | 3   | all   |   | |   |   | |---fw
      | 5610 | 3   | all   |   | |   |   | |---fw
      | 5611 | 3   | all   |   | |   |   | |---fw
      | 5788 | 3   | all   |   | |   |   | |---fw
      | 5406 | 3   | 1 2 3 | P | |   |   | fwk3_dev
      | 5437 | 3   | 1 2 3 | P | |   |   | |---fwk3_0
      | 5438 | 3   | 1 2 3 | P | |   |   | |---fwk3_hp
      | 5431 | 3   | all   |   | |   |   | mpdaemon
      | 6003 | 3   | all   |   | |   |   | cphamcset
      | 6012 | 3   | all   |   | |   |   | |---cphamcset
      | 6337 | 3   | all   |   | |   |   | routed
      ------------------------------------------------------------------
      ```
  19. Demo of CoreXL and affinity. VS3 has 3 CoreXL instances and is configured with an out-of-box affinity: fwk can run on any one of cores 1-3.
      ```
      [Expert@gizamem1:0]# fw ctl affinity -l -x -vsid 3 -flags tne
      ------------------------------------------------------------------
      |PID   |VSID | CPU   |SRC|V|KT |EXC| NAME
      ------------------------------------------------------------------
      | 5127 | 3   | all   |   | |   |   | fwk_wd
      | 5140 | 3   | all   |   | |   |   | mpdaemon
      | 5263 | 3   | 1 2 3 | P | |   |   | fwk3_dev
      | 5269 | 3   | 1 2 3 | P | |   |   | |---fwk3_0
      | 5270 | 3   | 1 2 3 | P | |   |   | |---fwk3_1
      | 5271 | 3   | 1 2 3 | P | |   |   | |---fwk3_2
      | 5272 | 3   | 1 2 3 | P | |   |   | |---fwk3_hp
      | 5363 | 3   | all   |   | |   |   | cpd
      | 5396 | 3   | all   |   | |   |   | |---cpd
      | 5399 | 3   | all   |   | |   |   | |---cpd
      | 5400 | 3   | all   |   | |   |   | |---cpd
      | 5386 | 3   | all   |   | |   |   | fw
      | 5443 | 3   | all   |   | |   |   | |---fw
      | 5444 | 3   | all   |   | |   |   | |---fw
      | 5445 | 3   | all   |   | |   |   | |---fw
      | 5448 | 3   | all   |   | |   |   | |---fw
      | 6109 | 3   | all   |   | |   |   | |---fw
      | 5549 | 3   | all   |   | |   |   | cphamcset
      | 5578 | 3   | all   |   | |   |   | |---cphamcset
      | 6337 | 3   | all   |   | |   |   | routed
      ------------------------------------------------------------------
      ```
  20. Demo of CoreXL and affinity. VS3 has 3 CoreXL instances and is configured with a static affinity set by:
      1. vsenv 3
      2. fw ctl affinity -s -d -inst 1 -cpu 2

      Fwk3 instance 1 can now run on cpu 2 only.
      ```
      [Expert@gizamem1:3]# fw ctl affinity -l -x -vsid 3 -flags tne
      ------------------------------------------------------------------
      |PID   |VSID | CPU   |SRC|V|KT |EXC| NAME
      ------------------------------------------------------------------
      | 5127 | 3   | all   |   | |   |   | fwk_wd
      | 5140 | 3   | all   |   | |   |   | mpdaemon
      | 5263 | 3   | 1 2 3 | P | |   |   | fwk3_dev
      | 5269 | 3   | 1 2 3 | P | |   |   | |---fwk3_0
      | 5270 | 3   | 2     | I | |   |   | |---fwk3_1
      | 5271 | 3   | 1 2 3 | P | |   |   | |---fwk3_2
      | 5272 | 3   | 1 2 3 | P | |   |   | |---fwk3_hp
      | 5363 | 3   | all   |   | |   |   | cpd
      | 5396 | 3   | all   |   | |   |   | |---cpd
      | 5399 | 3   | all   |   | |   |   | |---cpd
      | 5400 | 3   | all   |   | |   |   | |---cpd
      | 5386 | 3   | all   |   | |   |   | fw
      | 5443 | 3   | all   |   | |   |   | |---fw
      | 5444 | 3   | all   |   | |   |   | |---fw
      | 5445 | 3   | all   |   | |   |   | |---fw
      | 5448 | 3   | all   |   | |   |   | |---fw
      | 6109 | 3   | all   |   | |   |   | |---fw
      | 5549 | 3   | all   |   | |   |   | cphamcset
      | 5578 | 3   | all   |   | |   |   | |---cphamcset
      | 6337 | 3   | all   |   | |   |   | routed
      | 8307 | 3   | all   |   | |   |   | fw
      ------------------------------------------------------------------
      ```
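As an added example (not from the deck), a parser for the `fw ctl affinity -l -x` listing shown in the demo slides that reports which fwk workers of a VS are still free to float across several cores and which have been pinned to a single one, which is the check behind optimization step 2 on the next slide. The sample listing is constructed from the slide's PIDs, and the placement of the NAME column is an assumption.

```python
import re

# Constructed sample modelled on the VS3 listing after "fw ctl affinity -s -d -inst 1 -cpu 2";
# column layout (NAME last) is assumed, PIDs and values are the slide's.
AFFINITY_LISTING = """\
[Expert@gizamem1:3]# fw ctl affinity -l -x -vsid 3 -flags tne
------------------------------------------------------------------
|PID   |VSID | CPU   |SRC|V|KT |EXC| NAME
------------------------------------------------------------------
| 5127 | 3   | all   |   | |   |   | fwk_wd
| 5263 | 3   | 1 2 3 | P | |   |   | fwk3_dev
| 5269 | 3   | 1 2 3 | P | |   |   | |---fwk3_0
| 5270 | 3   | 2     | I | |   |   | |---fwk3_1
| 5271 | 3   | 1 2 3 | P | |   |   | |---fwk3_2
| 5272 | 3   | 1 2 3 | P | |   |   | |---fwk3_hp
| 5363 | 3   | all   |   | |   |   | cpd
------------------------------------------------------------------
"""

INSTANCE_RE = re.compile(r"^fwk(\d+)_(\d+)$")  # fwk<vsid>_<instance>; excludes fwk3_dev/fwk3_hp

def parse_affinity(text):
    """One dict per process row: pid, vsid, cpus (set, or None for 'all'), src flag, name."""
    rows = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 9 or not fields[1].isdigit():
            continue  # prompt, rule and header lines
        cpu = fields[3]
        rows.append({
            "pid": int(fields[1]),
            "vsid": int(fields[2]),
            "cpus": None if cpu == "all" else {int(c) for c in cpu.split()},
            "src": fields[4],
            "name": fields[-1].lstrip("-"),  # drop the "|---" tree prefix
        })
    return rows

def corexl_instances(rows, vsid):
    """Map each fwk<vsid>_<n> worker of the VS to (allowed cpus, SRC flag)."""
    out = {}
    for r in rows:
        m = INSTANCE_RE.match(r["name"])
        if m and int(m.group(1)) == vsid and r["vsid"] == vsid:
            out[r["name"]] = (r["cpus"], r["src"])
    return out

def floating_instances(rows, vsid):
    """Workers that may still land on more than one core (default, process-level affinity)."""
    return sorted(name for name, (cpus, _) in corexl_instances(rows, vsid).items()
                  if cpus is None or len(cpus) > 1)

def pinned_cores(rows, vsid):
    """Workers bound to exactly one core, with that core."""
    return {name: cpus for name, (cpus, _) in corexl_instances(rows, vsid).items()
            if cpus is not None and len(cpus) == 1}
```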
  21. How to Optimize Your CPU Utilization. In addition to the usual optimizations there are several VS-specific optimizations:
      1. If there is a lot of traffic going through the medium and the slow path, consider adding more CoreXL instances where required
      2. Assign dedicated cores to this VS using "fw ctl affinity"
      3. Use VSLS and distribute the VSs better to suit the traffic load
      4. Add more members to the VSLS cluster
  22. Clustering ‒ VSLS
  23. Use Case – Merger: allows gradual consolidation and reorganization; add more Virtual Systems as required.
  24. Virtual System Load Sharing
      - Distributes Virtual Systems between different gateways
      - Sync – VS in Backup is not synced; sync only between Active & Standby (unicast sync)
      - VS distribution – performed automatically or manually (vsx_util redistribute_vsls); depends on priorities and weights
  25. VSLS
      - The performance throughput parameters increase linearly with VSLS. Example:

        |                     | Single 12600 | VSLS 12600*2 |
        |---------------------|--------------|--------------|
        | Firewall Throughput | 30Gbps       | 54.0Gbps     |
        | IPS Throughput      | 5Gbps        | 9.8Gbps      |
        | VPN Throughput      | 7Gbps        | 12.5Gbps     |

      - VSLS allows gradual growth – deploy 2 members now and add more later
      - Support of up to 12 cluster members
  26. Other Highlights
      - Monitor MIBs per Virtual System, using SNMPv3 – allows querying information per VS including the networking MIB. Two modes of SNMP monitoring:
        • Default mode – monitors VS0 only
        • VS mode – supports SNMP monitoring per VS
      - SmartView Monitor – support for per-VS and system monitoring
      - Multi-Queue – multi-queue lets you configure more than one traffic queue for each network interface. This means more than one CPU can be used for acceleration.
      - Hit-Count – hit count tracks the number of connections that each rule matches
  27. Performance and Scalability
  28. Major Performance Aspects

      |                                              | Comparing to VSX R67 | Comparing to R75.40VS in Physical mode (SG) |
      |----------------------------------------------|----------------------|---------------------------------------------|
      | Firewall Throughput                          | Better               | Same                                        |
      | IPS DFS throughput                           | Better               | Same                                        |
      | VPN throughput                               | Same                 | Same                                        |
      | Real world traffic (IPS/AppControl/NAT/Logs) | Better               | Same*                                       |
      | Concurrent connections                       | Better               | Same**                                      |
      | Maximum number of Virtual Systems            | Lower                | N/A                                         |

      * Depends on the number of VS.
      ** Requires 2-4 VSs to reach the best number. Depends on the RAM size.
  29. How to Calculate the SPU (diagram: VS0 SPU + VS1 SPU + VS2 SPU)
      - Aggregate the SPUs of all Virtual Systems: this is the required SPU without the virtualization influence
      - Then use the per-appliance table of the influence of the number of Virtual Systems
      - VS0, which is used for management only, is 10 SPUs
  30. Use Case – with VS – SPU
      - VS-1: IPS, VPN; 0.1 Gbps throughput
      - VS-2: IPS, AV, AB; 0.5 Gbps throughput
      - VS-3: IPS, APPI, URLF; 0.2 Gbps throughput
      - Total SPUs = VS0 10 + VS1 68 + VS2 661 + VS3 185 = 924 required
      - A 12600 (1861 SPUs) would be a good choice; 4 Virtual Systems do not change this recommendation
  31. Check Point Virtual Systems
      - Based on the industry-proven VSX solution
      - Allows Security Gateway Consolidation
      - Allows Gradual Growth
      - Provides Superior Performance and Stability
      - Simplifies Security with Virtualization
  32. Questions?
  33. Thank You