Check Point Falcon Acceleration Cards - we accelerate the processing of traffic

Relatively recently, we published an article about Check Point Maestro , a new scalable platform that allows for a virtually linear increase in the “power” of Check Point gateways. However, this is not the only technology to increase productivity. Back in 2018, new traffic acceleration cards with a dedicated network processor, the Falcon Acceleration Cards , were announced. The meaning of these devices is simple - to take on part of the traffic processing load. In this article we will look at:

• Variants of available maps;
• In which gateway models they can be installed;
• Appearance and installation;
• What load can take on;
• How much they “speed up” the SSL inspection.

If you are interested in this topic - welcome under cat.
')
As already mentioned, the cards themselves were announced back in 2018. However, they are on sale recently. This is primarily due to the fact that they can work only on gateways running the OS starting with version Gaia R80.20 (R80.30 is now available). Let's look at the available models.

Variants of available maps

At the moment there are not so many options. There are two positions:

1. Falcon 10G Acceleration Card (Part Number - CPAC-FALCON-10G-B). Card with 4 optical ports of 10 GbE. Supported transceivers: CPAC-TR-10SR-B (also supports 1 GbE), CPAC-TR-10LR-B (also supports 1 GbE), CPAC-TR-1T-B.
2. Falcon 40G Acceleration Card (Part Number - CPAC-FALCON-40G-B). Card with 2 optical ports of 40 GbE. Supported transceivers: CPAC-TR-40SR-QSFP-300m (supports the breakout mode), CPAC-TR-40LR-QSFP-10K, CPAC-TR-40SR-QSFP-BiDi.

Supported Gateway Models

Unfortunately, you can not insert cards into all devices. Check Point Gateway models supported:

• 5900 (up to 2 cards)
• 6800 (up to 2 cards)
• 15400 (up to 3 cards)
• 15600 (up to 3 cards)
• 23500 (up to 5 cards)
• 23800 (up to 5 cards)

Initially, when information appeared about these cards, there was a rumor that they could be inserted into models starting at 5600. However, existing cards are not yet supported. Perhaps in the future will add other models that will be supported by the gateways of the younger family.

Appearance and installation

This is what the Falcon 10G Acceleration Card looks like:



Falcon 40G Acceleration Card :



The cards themselves are inserted into the gateways in special slots. Actually, the number of free slots is limited by the number of supported acceleration cards. Example for gateway 23500:

What load can acceleration cards take on themselves?

Both acceleration cards can be used for the following tasks:

1. For HTTPS inspection. In this case, the throughput of the gateway is significantly increased;
2. In Threat Prevention. Deep Inspection, SandBlast, NGFW, all this load can be shifted from the gateway to the map;
3. For firewall. Normal traffic handling. Increases bandwidth, reduces response time, increases the number of supported sessions.
4. For VSX or QoS.

In my opinion, first of all, the point about HTTPS inspection and the possibility of transferring the load for “deep” file inspection are interesting.

How much data cards “speed up” SSL inspection?

Below is a table of tests for different models with different number of acceleration cards. The percentages in this case reflect how much the device bandwidth increases when SSL inspection is enabled:



You can rely on these figures when sizing the model that suits you.

Conclusion

According to our information, unfortunately, while these cards cannot be imported into Russia. There is a process of registration of the notification. However, we can already say that this is a good addition to the portfolio of “iron” devices. More technical information can be found here , or contact us directly. Read more about Check Point in our blog .