Check Point Virtual Systems: Consolidation, Virtualization, Security

Ayelet Shenderov
Cfear Kimhi
CPX 2013
[Protected] For public distribution

©2013 Check Point Software Technologies Ltd.
Agenda

1. Overview
2. Dive into Memory, CPU and Clustering
3. Performance and Scalability

Overview

What's New in Virtual Systems

Next Generation Virtual System: Software Blade security is now available with Virtual Systems on Check Point appliances.

• All Software Blades on every Virtual System
• Simplify and consolidate
• Boosting performance
• VSLS (Virtual System Load Sharing)
• Leveraging the existing Check Point management solutions
Software Blades for Virtual Systems

Software Blades available on every Virtual System:
• Firewall
• IPS
• Identity Awareness
• Application Control
• URL Filtering
• Antivirus
• Anti-Bot
• Mobile Access*

Virtual Systems run on any platform: Check Point appliances and Open Servers.

* SSL VPN available in a later release
Performance Boost and Scalability

High connection capacity
• 8x concurrent connections with the 64-bit GAiA OS
• Advanced routing options with multiple routing and multicast protocols

Multi-core performance
• Check Point CoreXL technology
• Enhanced deep packet inspection throughput with security acceleration

Linear scalability
• Patented VSLS technology
• Scale up to 12 cluster members

61000 Virtual Systems Support

Consolidate gateways with Virtual Systems, with Software Blade security customized per VS.

Blades available per VS on the 61000: FW (Firewall), IA (Identity Awareness), VPN, ADNC (Advanced Networking and Clustering), MOB (Mobile Access), IPS, APCL (Application Control), URLF (URL Filtering), AV (Antivirus) and AB (Anti-Bot). The slide depicts several Virtual Systems on one chassis, each enabling a different subset of these blades; the icons visible include IPS, VPN, AV, Anti-Bot, IA, APCL and URLF.

* DLP is not supported in VS mode (only available in physical Security Gateway mode).

New R76 Release: IPv6

• A vastly larger address space: IPv6 provides 2^96 (roughly 8 x 10^28, "a billion billion billion") times as many addresses as IPv4
• Unique device identity
• Zero-cost addresses
• Support for billions of new devices

Memory: Consumption and Monitoring

Use Case – Before

Three separate appliance clusters, one per function:

• IP 530 cluster: 0.2 Gbps throughput, 5K concurrent connections
• IP 650 cluster: 0.3 Gbps throughput, 10K concurrent connections
• IP 380 cluster: 0.2 Gbps throughput, 5K concurrent connections

Use Case – With Virtual Systems

The same three functions consolidated onto one gateway as three Virtual Systems:

• VS-1: 0.1 Gbps throughput, 5K concurrent connections, IPS and VPN
• VS-2: 0.5 Gbps throughput, 10K concurrent connections, IPS, Anti-Virus and Anti-Bot
• VS-3: 0.5 Gbps throughput, 5K concurrent connections, IPS, AppControl and URL Filtering

Use Case – with VS – Memory

Memory per Virtual System is the memory of the enabled blades plus the memory of the connection table:

• VS0 (management only): 500 MB
• VS-1: IPS + VPN = 77 MB; 5K connections = 11 MB
• VS-2: IPS + AV + AB = 115 MB; 10K connections = 105 MB
• VS-3: IPS + APPI + URLF = 90 MB; 5K connections = 53 MB

System memory = VS0 + VS1 + VS2 + VS3
              = 500 + (77 + 11) + (115 + 105) + (90 + 53)
              = 951 MB

Note that the connection-table figure is not a fixed cost per connection: VS-1 and VS-3 both hold 5K connections but need 11 MB and 53 MB respectively, because the cost depends on the blade set inspecting those connections.

Monitoring Memory Resources

• The "fw vsx mstat" command shows an overview of the memory used by the system and by each Virtual System.
• Global memory resources shown:
– Memory Total – total physical memory on the gateway
– Memory Free – available physical memory
– Swap Total – total swap space
– Swap Free – available swap space
– Swap-in Rate – memory swapped in per second (the listing reports it in MB)

Things to notice:
• free memory that is not enough for the planned growth (new Virtual Systems, added blades, more connections)
• a swap-in rate that stays above 0 over time: the gateway is paging steadily, not just touching swap once

[Expert@gizamem1:0]# fw vsx mstat

VSX Memory Status
=================
Memory Total: 1007.72 MB
Memory Free: 539.29 MB
Swap Total: 2047.34 MB
Swap Free: 2047.34 MB
Swap-in rate: 0.00 MB

VSID | Memory Consumption
======+====================
   0  | 186.63 MB
   1  | 31.48 MB
   2  | 81.66 MB
   3  | 48.40 MB

Memory Monitoring Demo

The system has a Virtual Switch and two Virtual Systems (VSID 1, whose footprint does not change between the samples, is consistent with the Virtual Switch). First sample, with both Virtual Systems running the Firewall blade only:

[Expert@gizamem1:0]# fw vsx mstat

VSX Memory Status
=================
Memory Total: 2022.96 MB
Memory Free: 1527.84 MB
Swap Total: 2047.34 MB
Swap Free: 2047.34 MB
Swap-in rate: 0.00 MB

VSID | Memory Consumption
======+====================
   0  | 213.73 MB
   1  | 30.79 MB
   2  | 60.69 MB
   3  | 62.22 MB

[Expert@gizamem1:0]#

Second sample, after enabling IPS (Recommended profile), Application Control and URL Filtering on one Virtual System (VSID 2) while the other stays Firewall only:

[Expert@gizamem1:0]# fw vsx mstat

VSX Memory Status
=================
Memory Total: 2022.96 MB
Memory Free: 1496.03 MB
Swap Total: 2047.34 MB
Swap Free: 2047.34 MB
Swap-in rate: 0.00 MB

VSID | Memory Consumption
======+====================
   0  | 215.33 MB
   1  | 30.79 MB
   2  | 87.47 MB
   3  | 62.65 MB

[Expert@gizamem1:0]#

Only VSID 2 grows appreciably (60.69 MB to 87.47 MB); the impact of the added blades is confined to that Virtual System. Note that the Virtual Switch itself consumes memory even though it runs no blades.

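The demo above compares the two fw vsx mstat samples by eye. As an added example (not Check Point code, and not part of the original deck), the following Python parses the listings, computes the per-VS growth between samples, and applies the two warning signs from the previous slide: free memory against planned growth, using the sizing formula of the memory use-case slide, and a swap-in rate that stays above zero across samples. The sample listings are the two outputs shown above, embedded as constructed input; the 20% free-memory reserve in check_headroom is an assumed threshold, not a figure from the deck.

```python
"""Added example: parse 'fw vsx mstat' listings, diff two samples and apply the
slide's two warning signs (free memory vs planned growth, swap-in rate above 0
over time). The listings are the demo outputs, embedded as constructed input."""
import re
from dataclasses import dataclass, field

# Constructed input: sample 1, both Virtual Systems running Firewall only.
MSTAT_BEFORE = """\
VSX Memory Status
=================
Memory Total: 2022.96 MB
Memory Free: 1527.84 MB
Swap Total: 2047.34 MB
Swap Free: 2047.34 MB
Swap-in rate: 0.00 MB

VSID | Memory Consumption
======+====================
   0  | 213.73 MB
   1  | 30.79 MB
   2  | 60.69 MB
   3  | 62.22 MB
"""

# Constructed input: sample 2, after enabling IPS, Application Control and URL
# Filtering on VSID 2. Only these four figures differ from sample 1.
MSTAT_AFTER = (MSTAT_BEFORE.replace("1527.84", "1496.03").replace("213.73", "215.33")
               .replace("60.69", "87.47").replace("62.22", "62.65"))

# Global lines of the listing and the attribute each one fills.
_GLOBAL_FIELDS = {
    "Memory Total": "total_mb", "Memory Free": "free_mb",
    "Swap Total": "swap_total_mb", "Swap Free": "swap_free_mb",
    "Swap-in rate": "swap_in_rate",
}


@dataclass
class MemStatus:
    total_mb: float
    free_mb: float
    swap_total_mb: float
    swap_free_mb: float
    swap_in_rate: float
    per_vs_mb: dict = field(default_factory=dict)  # VSID -> MB


def parse_mstat(text):
    """One listing -> MemStatus. Raises if a global line is absent (truncated output)."""
    vals, per_vs = {}, {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z -]+?):\s*([\d.]+)\s*MB", line)
        if m and m.group(1) in _GLOBAL_FIELDS:
            vals[_GLOBAL_FIELDS[m.group(1)]] = float(m.group(2))
            continue
        m = re.match(r"\s*(\d+)\s*\|\s*([\d.]+)\s*MB", line)
        if m:
            per_vs[int(m.group(1))] = float(m.group(2))
    missing = set(_GLOBAL_FIELDS.values()) - set(vals)
    if missing:
        raise ValueError(f"mstat listing is missing: {sorted(missing)}")
    return MemStatus(per_vs_mb=per_vs, **vals)


def vs_growth_mb(before, after):
    """Change in consumption per VSID between two samples, rounded to 0.01 MB."""
    ids = set(before.per_vs_mb) | set(after.per_vs_mb)
    return {v: round(after.per_vs_mb.get(v, 0.0) - before.per_vs_mb.get(v, 0.0), 2)
            for v in sorted(ids)}


def required_system_memory_mb(vs0_mb, vs_specs):
    """Sizing formula from the memory use-case slide: VS0 + sum(blades + connections)."""
    return vs0_mb + sum(blades + conns for blades, conns in vs_specs)


def check_headroom(status, planned_growth_mb, reserve_fraction=0.2):
    """Warning sign 1: free memory is not enough for the planned growth.
    reserve_fraction (20% of RAM must stay free afterwards) is an assumed margin,
    not a figure from the deck."""
    reserve_mb = status.total_mb * reserve_fraction
    left_mb = status.free_mb - planned_growth_mb
    if left_mb < reserve_mb:
        return [f"only {left_mb:.2f} MB free after adding {planned_growth_mb} MB "
                f"(reserve is {reserve_mb:.2f} MB)"]
    return []


def swapping_over_time(samples):
    """Warning sign 2: swap-in rate above zero in every sample, i.e. steady paging."""
    return bool(samples) and all(s.swap_in_rate > 0 for s in samples)


if __name__ == "__main__":
    before, after = parse_mstat(MSTAT_BEFORE), parse_mstat(MSTAT_AFTER)
    print("growth per VSID:", vs_growth_mb(before, after))
    print("steady swapping:", swapping_over_time([before, after]))
    planned = required_system_memory_mb(0, [(115, 105), (90, 53)])  # add VS-2 and VS-3 of the use case
    print("headroom findings:", check_headroom(after, planned))
```

Run it against periodic samples (for example one fw vsx mstat capture per minute) rather than a single listing: the swap-in check is deliberately defined over a series, because a single non-zero reading right after a policy install or a blade activation is normal, while a rate that never returns to zero is the sign the slide warns about.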
CPU: CoreXL, Affinity and Monitoring

CoreXL per VS

• CoreXL increases the performance of the physical appliance by using multiple cores: it creates multiple firewall kernel instances and raises medium-path and slow-path throughput. It does not improve fast-path (accelerated) throughput, and every instance costs additional memory (see the speaker notes).
• CoreXL configuration is set per VS: each Virtual System can have its own number of instances.
• If possible, allocate separate cores for the SNDs (Secure Network Distributors) and the FWK (firewall kernel) instances, so that interface and acceleration work does not compete with inspection work for the same core.

CPU Resources

• Monitoring
– Provides real-time information on the current and average CPU consumption of the Virtual Systems, via SNMP and the CLI
– The calculations were adapted to support multiple Virtual Systems running on multiple cores
• Allocation
– New options in 'fw ctl affinity' support Virtual Systems and/or single VS instances
– Maximum flexibility with core allocation per Virtual System or per specific process or thread

Note: CPU Resource Control enforcement is not supported yet. CPU use can be monitored and cores can be assigned with affinity, but no per-VS CPU quota is enforced.
Demo of CoreXL and affinity

VS3 has 1 CoreXL instance and is configured with out-of-the-box affinity: the fwk threads can run on any one of cores 1-3, every other process on all cores. In the NAME column, "|---" marks the threads of the process listed above them; fwk3_0 is the single CoreXL instance and fwk3_hp is the second fwk thread that is always present.

[Expert@gizamem1:0]# fw ctl affinity -l -x -vsid 3 -flags tne
---------------------------------------------------------------------
|PID   |VSID |  CPU    |SRC|V|KT |EXC|  NAME
---------------------------------------------------------------------
| 5394 |  3  |  all    |   | |   |   |  fwk_wd
| 5397 |  3  |  all    |   | |   |   |  cpd
| 5612 |  3  |  all    |   | |   |   |  |---cpd
| 5630 |  3  |  all    |   | |   |   |  |---cpd
| 5631 |  3  |  all    |   | |   |   |  |---cpd
| 5399 |  3  |  all    |   | |   |   |  fw
| 5608 |  3  |  all    |   | |   |   |  |---fw
| 5609 |  3  |  all    |   | |   |   |  |---fw
| 5610 |  3  |  all    |   | |   |   |  |---fw
| 5611 |  3  |  all    |   | |   |   |  |---fw
| 5788 |  3  |  all    |   | |   |   |  |---fw
| 5406 |  3  |  1 2 3  | P | |   |   |  fwk3_dev
| 5437 |  3  |  1 2 3  | P | |   |   |  |---fwk3_0
| 5438 |  3  |  1 2 3  | P | |   |   |  |---fwk3_hp
| 5431 |  3  |  all    |   | |   |   |  mpdaemon
| 6003 |  3  |  all    |   | |   |   |  cphamcset
| 6012 |  3  |  all    |   | |   |   |  |---cphamcset
| 6337 |  3  |  all    |   | |   |   |  routed
---------------------------------------------------------------------

Demo of CoreXL and affinity

VS3 now has 3 CoreXL instances and is still configured with out-of-the-box affinity: the fwk threads (fwk3_0, fwk3_1 and fwk3_2, plus fwk3_hp) can run on any one of cores 1-3.

[Expert@gizamem1:0]# fw ctl affinity -l -x -vsid 3 -flags tne
---------------------------------------------------------------------
|PID   |VSID |  CPU    |SRC|V|KT |EXC|  NAME
---------------------------------------------------------------------
| 5127 |  3  |  all    |   | |   |   |  fwk_wd
| 5140 |  3  |  all    |   | |   |   |  mpdaemon
| 5263 |  3  |  1 2 3  | P | |   |   |  fwk3_dev
| 5269 |  3  |  1 2 3  | P | |   |   |  |---fwk3_0
| 5270 |  3  |  1 2 3  | P | |   |   |  |---fwk3_1
| 5271 |  3  |  1 2 3  | P | |   |   |  |---fwk3_2
| 5272 |  3  |  1 2 3  | P | |   |   |  |---fwk3_hp
| 5363 |  3  |  all    |   | |   |   |  cpd
| 5396 |  3  |  all    |   | |   |   |  |---cpd
| 5399 |  3  |  all    |   | |   |   |  |---cpd
| 5400 |  3  |  all    |   | |   |   |  |---cpd
| 5386 |  3  |  all    |   | |   |   |  fw
| 5443 |  3  |  all    |   | |   |   |  |---fw
| 5444 |  3  |  all    |   | |   |   |  |---fw
| 5445 |  3  |  all    |   | |   |   |  |---fw
| 5448 |  3  |  all    |   | |   |   |  |---fw
| 6109 |  3  |  all    |   | |   |   |  |---fw
| 5549 |  3  |  all    |   | |   |   |  cphamcset
| 5578 |  3  |  all    |   | |   |   |  |---cphamcset
| 6337 |  3  |  all    |   | |   |   |  routed
---------------------------------------------------------------------

Demo of CoreXL and affinity

VS3 has 3 CoreXL instances and is configured with static affinity, set from the VS context:
1. vsenv 3
2. fw ctl affinity -s -d -inst 1 -cpu 2

fwk3 instance 1 can now run on CPU 2 only. In the listing the pinned thread (fwk3_1, PID 5270) shows CPU "2" with SRC "I" instead of "P", while the other fwk threads keep the default "1 2 3". The prompt now reads ":3", reflecting the vsenv context.

[Expert@gizamem1:3]# fw ctl affinity -l -x -vsid 3 -flags tne
---------------------------------------------------------------------
|PID   |VSID |  CPU    |SRC|V|KT |EXC|  NAME
---------------------------------------------------------------------
| 5127 |  3  |  all    |   | |   |   |  fwk_wd
| 5140 |  3  |  all    |   | |   |   |  mpdaemon
| 5263 |  3  |  1 2 3  | P | |   |   |  fwk3_dev
| 5269 |  3  |  1 2 3  | P | |   |   |  |---fwk3_0
| 5270 |  3  |  2      | I | |   |   |  |---fwk3_1
| 5271 |  3  |  1 2 3  | P | |   |   |  |---fwk3_2
| 5272 |  3  |  1 2 3  | P | |   |   |  |---fwk3_hp
| 5363 |  3  |  all    |   | |   |   |  cpd
| 5396 |  3  |  all    |   | |   |   |  |---cpd
| 5399 |  3  |  all    |   | |   |   |  |---cpd
| 5400 |  3  |  all    |   | |   |   |  |---cpd
| 5386 |  3  |  all    |   | |   |   |  fw
| 5443 |  3  |  all    |   | |   |   |  |---fw
| 5444 |  3  |  all    |   | |   |   |  |---fw
| 5445 |  3  |  all    |   | |   |   |  |---fw
| 5448 |  3  |  all    |   | |   |   |  |---fw
| 6109 |  3  |  all    |   | |   |   |  |---fw
| 5549 |  3  |  all    |   | |   |   |  cphamcset
| 5578 |  3  |  all    |   | |   |   |  |---cphamcset
| 6337 |  3  |  all    |   | |   |   |  routed
| 8307 |  3  |  all    |   | |   |   |  fw
---------------------------------------------------------------------

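The three listings above are read by eye. As an added example (not Check Point code, and not part of the original deck), the following Python parses the affinity table into records, finds the CoreXL instance threads of a VS, reports which of them are pinned to a single core, and flags any whose core set intersects the SND cores. The listing is the third demo output embedded as constructed input; the SND core set passed to snd_overlap is an assumption supplied by the operator, because the per-VS listing does not show the SND affinity. Real tool output may differ in spacing; the parser keys on the column separators only.

```python
"""Added example: parse 'fw ctl affinity -l -x -vsid 3 -flags tne' output, list
the CoreXL instance threads of a VS, report which are pinned to one core and
flag any that may share a core with the SNDs. The listing is the third demo
output, embedded as constructed input."""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

AFFINITY_OUTPUT = """\
---------------------------------------------------------------------
|PID   |VSID |  CPU    |SRC|V|KT |EXC|  NAME
---------------------------------------------------------------------
| 5127 |  3  |  all    |   | |   |   |  fwk_wd
| 5140 |  3  |  all    |   | |   |   |  mpdaemon
| 5263 |  3  |  1 2 3  | P | |   |   |  fwk3_dev
| 5269 |  3  |  1 2 3  | P | |   |   |  |---fwk3_0
| 5270 |  3  |  2      | I | |   |   |  |---fwk3_1
| 5271 |  3  |  1 2 3  | P | |   |   |  |---fwk3_2
| 5272 |  3  |  1 2 3  | P | |   |   |  |---fwk3_hp
| 5363 |  3  |  all    |   | |   |   |  cpd
| 5396 |  3  |  all    |   | |   |   |  |---cpd
| 5399 |  3  |  all    |   | |   |   |  |---cpd
| 5400 |  3  |  all    |   | |   |   |  |---cpd
| 5386 |  3  |  all    |   | |   |   |  fw
| 5443 |  3  |  all    |   | |   |   |  |---fw
| 5444 |  3  |  all    |   | |   |   |  |---fw
| 5445 |  3  |  all    |   | |   |   |  |---fw
| 5448 |  3  |  all    |   | |   |   |  |---fw
| 6109 |  3  |  all    |   | |   |   |  |---fw
| 5549 |  3  |  all    |   | |   |   |  cphamcset
| 5578 |  3  |  all    |   | |   |   |  |---cphamcset
| 6337 |  3  |  all    |   | |   |   |  routed
| 8307 |  3  |  all    |   | |   |   |  fw
---------------------------------------------------------------------
"""


@dataclass(frozen=True)
class AffinityEntry:
    pid: int
    vsid: int
    cpus: Optional[FrozenSet[int]]  # None means "all": not pinned at all
    src: str                        # SRC column as printed ("P" by default, "I" after the -inst command)
    name: str                       # process or thread name without the "|---" prefix
    parent: Optional[str]           # owning process for a thread row, else None


def parse_affinity(text):
    """Table rows -> AffinityEntry list. NAME is taken as the remainder of the line
    after eight separators, because thread names themselves begin with '|---'."""
    entries, parent = [], None
    for line in text.splitlines():
        if not line.startswith("|") or line.startswith("|PID"):
            continue  # rules and the header
        cols = line.split("|", 8)  # ['', PID, VSID, CPU, SRC, V, KT, EXC, NAME...]
        if len(cols) < 9 or not cols[1].strip().isdigit():
            continue
        cpu_field = cols[3].strip()
        cpus = None if cpu_field == "all" else frozenset(int(c) for c in cpu_field.split())
        raw = cols[8].strip()
        is_thread = raw.startswith("|---")
        name = raw[4:] if is_thread else raw
        if not is_thread:
            parent = name  # subsequent thread rows belong to this process
        entries.append(AffinityEntry(int(cols[1]), int(cols[2]), cpus, cols[4].strip(),
                                     name, parent if is_thread else None))
    return entries


def fwk_instances(entries, vsid):
    """CoreXL instance threads of one VS: fwk<vsid>_<n>, excluding _hp and the parent fwk<vsid>_dev."""
    pattern = re.compile(rf"fwk{vsid}_\d+$")
    return {e.name: e for e in entries if e.vsid == vsid and pattern.match(e.name)}


def pinned_instances(entries, vsid):
    """Instances whose affinity is exactly one core (static pinning), sorted by name."""
    return sorted(n for n, e in fwk_instances(entries, vsid).items()
                  if e.cpus is not None and len(e.cpus) == 1)


def snd_overlap(entries, vsid, snd_cores):
    """Instances that may run on a core reserved for the SNDs. snd_cores is an
    assumed, operator-supplied set (the per-VS listing does not show SND affinity);
    a floating instance ('all') always counts as overlapping."""
    snd = frozenset(snd_cores)
    return sorted(n for n, e in fwk_instances(entries, vsid).items()
                  if e.cpus is None or e.cpus & snd)


if __name__ == "__main__":
    rows = parse_affinity(AFFINITY_OUTPUT)
    print("pinned instances:", pinned_instances(rows, 3))
    print("sharing a core with SND core 0:", snd_overlap(rows, 3, {0}))
    print("sharing a core with SND cores 0 and 1:", snd_overlap(rows, 3, {0, 1}))
```

With the demo's default core set (fwk on cores 1-3) and the SNDs assumed on core 0 there is no overlap, which is the separation the CoreXL slide recommends; run the same check after every affinity change, since an -inst pin to a core that an SND also uses would silently undo that separation.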
How to Optimize Your CPU Utilization

In addition to the usual optimizations there are several VS-specific ones:

1. If a lot of traffic goes through the medium and slow paths, consider adding more CoreXL instances to the Virtual Systems that need them (more instances do not help fast-path traffic, and each one costs memory)
2. Assign dedicated cores to the VS using 'fw ctl affinity'
3. Use VSLS and distribute the VSs across the members to suit the traffic load
4. Add more members to the VSLS cluster

Clustering ‒ VSLS

Use Case – Merger

VSLS allows gradual consolidation and reorganization: add more Virtual Systems as required, and add cluster members as the load grows.

Virtual System Load Sharing

• Distributes Virtual Systems between different gateways: each VS is Active on one member and Standby on another, and failover happens per VS rather than per member
• Sync
– A VS in Backup state is not synced
– State is synced only between the Active and Standby copies of a VS (unicast sync)
• VS distribution
– Performed automatically or manually (vsx_util redistribute_vsls)
– Depends on the priorities and weights configured per VS

VSLS

• Throughput grows close to linearly when a second member is added. Example, a single 12600 versus VSLS with 2 x 12600:

  Firewall throughput:  30 Gbps  ->  54.0 Gbps
  IPS throughput:        5 Gbps  ->   9.8 Gbps
  VPN throughput:        7 Gbps  ->  12.5 Gbps

• VSLS allows gradual growth
– Deploy 2 members now and add more later
• Support for up to 12 cluster members

Other Highlights

• Monitor MIBs per Virtual System, using SNMPv3
– Allows querying information per VS, including the networking MIB
– Two modes of SNMP monitoring
  • Default mode – monitors VS0 only
  • VS mode – supports SNMP monitoring per VS
• SmartView Monitor
– Supports per-VS and whole-system monitoring
• Multi-Queue
– Multi-Queue lets you configure more than one traffic queue for each network interface, so more than one CPU (SND) can process the accelerated traffic of a single interface
• Hit Count
– Hit Count tracks the number of connections that each rule matches, which helps identify unused rules when consolidating rulebases
Performance and Scalability

Major Performance Aspects

                                             | Comparing to VSX R67 | Comparing to R75.40VS in physical mode (SG)
Firewall throughput                          | Better               | Same
IPS DFS throughput                           | Better               | Same
VPN throughput                               | Same                 | Same
Real world traffic (IPS/AppControl/NAT/Logs) | Better               | Same*
Concurrent connections                       | Better               | Same**
Maximum number of Virtual Systems            | Lower                | N/A

* Depends on the number of VSs.
** Requires 2-4 VSs to reach the best number; depends on the RAM size.

How to Calculate the SPU

• Aggregate the SPUs (SecurityPower Units) of each Virtual System (VS0, VS1, VS2, ...); this gives the required SPU without the virtualization influence
• Then apply the table of the number-of-Virtual-Systems influence per appliance
• A VS0 that is used for management only counts as 10 SPUs
Use Case – with VS – SPU

• VS-1: IPS, VPN; 0.1 Gbps throughput: 68 SPUs
• VS-2: IPS, AV, AB; 0.5 Gbps throughput: 661 SPUs
• VS-3: IPS, APPI, URLF; 0.2 Gbps throughput: 185 SPUs

Total SPUs = VS0 + VS1 + VS2 + VS3
           = 10 + 68 + 661 + 185
           = 924 required

A 12600 (1861 SPUs) would be a good choice; applying the virtualization influence for 4 Virtual Systems does not change this recommendation.
Check Point Virtual Systems

• Based on the industry-proven VSX solution
• Allows Security Gateway consolidation
• Allows gradual growth
• Provides superior performance and stability
• Simplifies security with virtualization

Editor's Notes

  • #5 The two most important things to remember: this is the evolution of the VSX product. We have been doing virtualization for more than 10 years; we are good at it, and this is the best version ever. There are no more separate VSX releases: from now on virtualization is part of every main-train release, and each Check Point main-train release can run in one of two modes, virtual or physical. The Software Blade architecture is now supported on VSs, giving customized protection with different Software Blades on each Virtual System. Lower TCO by consolidating multiple physical gateways into a virtualized environment while simplifying security management and provisioning at the same time. More connection capacity and security throughput with the 64-bit GAiA OS, higher throughput with multi-core (CoreXL) technology, and linear scalability with VSLS.
  • #7 Performance and scalability increased dramatically.
  • #9 Now, with IPv6, we can easily meet the challenge.
  • #11 The enterprise is refreshing its perimeter and datacenter security gateways. Today its perimeter security uses a cluster of IP appliances securing Internet access, a VPN solution for remote access, and Websense for URL filtering. With VSs the customer can use one VS for perimeter security, one VS for VPN remote access, and one VS for URL Filtering and Application Control.
  • #12 VS0: 500 MB; VS1: IPS, VPN; VS2: IPS, AV, AB; VS3: IPS, APPI, URLF.
  • #13 This is how you calculate the overall memory consumption of the system; be aware of it when choosing an appliance. VS0: 500 MB; VS1: IPS, VPN; VS2: IPS, AV, AB; VS3: IPS, APPI, URLF.
  • #15 A short demo about memory in our system. Here we see a system with a Virtual Switch and 2 Virtual Systems configured. As you can see, the Virtual Switch also has memory consumption. First we start with a Firewall-only configuration on both Virtual Systems. Now we activate some blades on the Virtual System with VSID 2. As you can see, the impact is seen on this Virtual System only.
  • #17 CoreXL allows you to use multiple cores for handling medium- and slow-path traffic. More CoreXL instances will not improve fast-path performance. You can configure CoreXL per Virtual System and have a different number of CoreXL instances in each Virtual System; it is configured in SmartDashboard (SDB). Each instance you create uses additional system memory: a Virtual System with five instances uses approximately the same amount of memory as five separate Virtual Systems.
  • #18 An additional important tool for health monitoring is CPU resource control. At this point we only support monitoring of CPU resources, not control (enforcement) of these resources.
  • #19 This is a demo of CoreXL and the fw ctl affinity utility, with the same configuration as before. We are looking at Virtual System 3, which has 1 CoreXL instance and out-of-the-box affinity. We can see all the processes that belong to this Virtual System. fwk is the process that runs the firewall inspection code; it has 2 threads that are always present.
  • #20 We have now configured 3 CoreXL instances for VS3 and see 2 new threads, _1 and _2. The default affinity is still in place: the threads are not pinned to a single CPU.
  • #21 Now, using the affinity command, we can nail a specific instance of a VS, or the entire VS, to a specific core.
  • #25 Per-VS failover…
  • #27 Add explanations to MQ and Hit Count.
  • #31 VS0: 500 MB; VS1: IPS, VPN; VS2: IPS, AV, AB; VS3: IPS, APPI, URLF.