Support Center > Search Results > SecureKnowledge Details
MultiCore Support for SSL in R77.20 and above
Solution

Table of Contents:

  • Introduction
  • Configuration
  • Limitations
  • Related Solutions

 

Introduction

Introduced in R77.20, SSL MultiCore feature improves SSL performance of Security Gateway / VSX Gateway.

SSL MultiCore feature is based on Check Point CoreXL technology, which enhances Security Gateway / VSX Gateway performance by enabling the CPU processing cores to concurrently perform multiple tasks.
Note: For more information about CoreXL, refer to:

Up to R77.20, termination of SSL tunnel in general, and SNX tunnels in particular, was limited to be handled by a single CPU core - by CoreXL Firewall Instance 0.
With SSL MultiCore feature, SSL traffic is distributed among all available CoreXL FW instances, hence, fully utilizing MultiCore capabilities allowing to significantly increase SSL throughput for Multi Portals, Mobile Access Portal, SNX tunnels, VPN Mobile, etc.

As reference, Mobile Access Portal throughput is increased with SSL MultiCore feature:

  • By a factor of 2.8 on a 4800 appliance (configured with 3 CoreXL FW instances)
  • By a factor of 8.8 on a 12600 appliance (configured with 10 CoreXL FW instances)

Important Note:

HTTPS Inspection, since it was introduced, utilizes CoreXL.
No performance change is expected in HTTPS Inspection when enabling SSL MultiCore feature.

 

Configuration

SSL MultiCore feature is controlled on Security Gateway / VSX Gateway by the kernel parameter enable_ssl_multi_core:

Version Value of kernel parameter Security Gateway behavior
R80.10 / R80.20 enable_ssl_multi_core=1 This is the default.
SSL MultiCore feature is enabled.
enable_ssl_multi_core=0 SSL MultiCore feature is disabled.
R77.20 / R77.30 enable_ssl_multi_core=0 This is the default.
SSL MultiCore feature is disabled.
enable_ssl_multi_core=1 SSL MultiCore feature is enabled.

 

Important Note:

  • SSL MultiCore feature requires that CoreXL license is installed on Security Gateway / VSX Gateway and CoreXL is enabled and configured.

 

Procedure for Security Gateway R80.10 / R80.20:

Note: In cluster environment, this procedure must be performed on all members of the cluster.

  • To check the current state of the SSL MultiCore feature:

    [Expert@HostName:0]# vpn multik ssl stat
  • To enable the SSL MultiCore feature:

    [Expert@HostName:0]# vpn multik ssl on

    Notes:

    • This command will add the following line to the $FWDIR/boot/modules/fwkern.conffwk file:
      enable_ssl_multi_core=1
    • Change will take place after rebooting the Security Gateway.
  • To disable the SSL MultiCore feature:

    [Expert@HostName:0]# vpn multik ssl off

    Notes:

    • This command will add the following line to the $FWDIR/boot/modules/fwkern.conf file:
      enable_ssl_multi_core=0
    • Change will take place after rebooting the Security Gateway.

Procedure for Security Gateway R77.20 / R77.30:

Note: In cluster environment, this procedure must be performed on all members of the cluster.

  • To check the current value of a kernel parameter:

    [Expert@HostName]# fw ctl get int enable_ssl_multi_core

  • To set the desired value for a kernel parameter on-the-fly:

    [Expert@HostName]# fw ctl set int enable_ssl_multi_core VALUE

  • To set the desired value for a kernel parameter permanently:

    Note: Follow sk26202 (Changing the kernel global parameters for Check Point Security Gateway).

    For Gaia / SecurePlatform OS:

    1. Create the $FWDIR/boot/modules/fwkern.conf file (if it does not already exit):

      [Expert@HostName]# touch $FWDIR/boot/modules/fwkern.conf

    2. Edit the $FWDIR/boot/modules/fwkern.conf file in Vi editor:

      [Expert@HostName]# vi $FWDIR/boot/modules/fwkern.conf

    3. Add the following line (spaces are not allowed):

      enable_ssl_multi_core=VALUE

    4. Save the changes and exit from Vi editor.

    5. Check the contents of the $FWDIR/boot/modules/fwkern.conf file:

      [Expert@HostName]# cat $FWDIR/boot/modules/fwkern.conf

    6. Reboot the Security Gateway / VSX Gateway.

 

Limitations

The following SSL MultiCore limitations exist in versions R77.20 and R77.30. These limitations are not relevant to versions R80.10 and above.

  1. SNX client to SNX client connectivity.

    SNX client to SNX client connectivity is not supported.

  2. VoIP Inspection

    If VoIP traffic is transferred over SNX tunnel, then VoIP inspection has to be disabled:

    1. Set the value of kernel parameter voip_multik_enable_forwarding to 0 (zero).
      Follow sk26202 (Changing the kernel global parameters for Check Point Security Gateway).

    2. In case specific VoIP ports have to be used, open these specific ports (create the relevant services and create the relevant security rules that allow such traffic).
      Otherwise, open all UDP high ports.
      Refer to sk95369 (ATRG: VoIP).


  3. SNX Roaming

    SNX Roaming allows users to change their IP addresses during an active session (e.g., when changing Wi-Fi network).

    • Old connections limitation
      After SNX roaming, new connections inside the SNX tunnel will work, while old connections will be inactive.

    • Back connections are not supported after roaming.

 

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment