Performance Pack
Administration Guide
Version NGX R65
March 2007
© 2003-2007 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.
For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS
Table of Contents

Preface
  Who Should Use This Guide 8
  Summary of Contents 9
  Related Documentation 10
  More Information 13
  Feedback 14
Chapter 1 Introduction to Performance Pack
  Overview 16
  Release Notes 17
Chapter 2 Getting Started
  Performance Pack NGX System Requirements 20
  Minimum System Requirements 20
  Recommended System Options 21
  Performance Pack Recommended Platform Configuration 22
  Preparing the Performance Pack NGX Machine 23
  BIOS Settings 23
  Network Interface Cards location 23
  Installation 23
Chapter 3 Command Line
  fwaccel 26
  cpconfig 27
  sim 28
  proc entries 29
Appendix 4 Performance Tuning and Measurement Hints
  Performance Tuning 32
  SYN Defender 32
  Amount of Concurrent Connections and Hash Size 32
  Implied Rules 33
  HyperThreading 33
  Connection Templates 34
  Delayed Synchronization 35
  Performance Measurement 37
  TCP State and Benchmarking 37
Index 45
Preface
Who Should Use This Guide
This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support. This guide assumes a basic understanding of:
• System administration.
• The underlying operating system.
• Internet protocols (IP, TCP, UDP etc.).
Summary of Contents
This document describes how to install and configure Performance Pack. Additionally, it shows you how to get the best possible performance using
Chapter 2, “Getting Started”: Describes system requirements, recommended platforms and how to prepare for the NGX Machine.
Chapter 3, “Command Line”: Contains explanations of the Performance Pack
Related Documentation
The NGX R65 release includes the following documentation.

TABLE P-1 VPN-1 Power documentation suite
Title: Internet Security Product Suite Getting Started Guide
Description: Contains an overview of NGX R65 and step by step product installation and upgrade procedures. This document also provides information about What’s New, Licenses, Minimum hardware and software requirements, etc.
Title: Upgrade Guide
Description: Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65.
Title: Virtual Private Networks Administration Guide
Description: This guide describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.
Title: Provider-1/SiteManager-1 Administration Guide
Description: Explains the Provider-1/SiteManager-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments.

TABLE P-2 Integrity Server documentation
Introduction to Performance Pack
Performance Pack uses Check Point’s SecureXL technology and other innovative network acceleration techniques to deliver wire-speed performance for VPN-1 Power. Moreover, it accelerates key security functions, thereby ensuring your organization the best security with the best performance available on an open platform.
Supported security functions include:

Release Notes
Getting Started
In This Chapter
Performance Pack Recommended Platform Configuration, page 22
Performance Pack NGX System Requirements
Performance Pack accelerates the performance of VPN-1 Power on:
• Hardware supported by SecurePlatform
• Solaris 8, 9, or 10 for SPARC 64 Bit
Following are the minimum recommended requirements:

Minimum System Requirements
The following are the minimum system requirements:
Table 2-1 Minimum System Requirements
Operating Systems: SecurePlatform NGX R65; Solaris 8, 9, and 10
CPU: See the Hardware Compatibility List for SecurePlatform NGX.
Network Interfaces supported by VPN-1 Power on Solaris:
• GEM Ethernet NIC
• 10/100 QuadEthernet NIC
• GigaSwift NIC
• Sun HME 10/100 Ethernet NIC
• BGE
Recommended System Options
The following system options are recommended for optimal performance:
Table 2-2 Recommended system options
Operating Systems: SecurePlatform NGX R65; Solaris 8, 9, and 10
CPU: Dual Intel Xeon or Dual SPARC 64 bit
Performance Pack Recommended Platform Configuration
Examples of platforms with such configurations are:
• IBM System 3650
• HP Proliant DL-380 G5
• Dell PowerEdge 1950 or PowerEdge 2950
Please refer to the latest Performance Pack release notes for additional information on hardware support, limitations and recommendations.
Preparing the Performance Pack NGX Machine
HyperThreading may improve performance for some scenarios.

Network Interface Cards location
• If you are using a motherboard with multiple PCI or PCI-X buses, make sure that each Network Interface Card is installed in a slot connected to a different
fwaccel
off   Stop acceleration.
stat   Display the acceleration device status and the status of the Connection Templates on the local VPN-1 Power module.
stats   Displays acceleration statistics.
stats -s   Displays more summarized statistics information.
conns   Displays all connections.
conns -s   Displays the number of connections currently defined in the accelerator.
conns -m <max_entries>   Limits the number of connections displayed by the conns command to the number entered in the variable max_entries.
templates   Display all connection templates.
templates -m <max_entries>   Limits the number of templates displayed by the templates command to the number entered in the variable max_entries.
templates -s   Displays the number of templates currently defined in the accelerator.
cpconfig
Use cpconfig to enable or disable Performance Pack. Once you have selected an acceleration setting, the setting remains configured until you choose to change it on another occasion. In other words, the settings that you define will remain even after the machine is rebooted. For an alternative method to enable or disable acceleration, see “fwaccel” on page 26.
sim
The best performance is obtained when each NIC is individually bound to a single processor. To achieve this, the sim utility includes an Affinity feature, which has the following operation modes:
Table 3-2 sim Affinity operation modes
-a   Automatic Mode — the Affinity is determined automatically, by analyzing the load on each NIC. If the NICs are not loaded, the Affinity will not be set. This is the default Affinity operation mode, in which the Affinity is re-tuned every 60 seconds.
-s   Manual Mode — allows you to manually specify the Affinity settings. For each interface, you will be asked to enter one of the following:
     • A space-separated list of the processor numbers that are to handle this interface, or
     • The word all, to allow all processors to handle this interface.
     When setting the Affinity manually, the periodic automatic check will be disabled. After booting, it will remain disabled and the Affinity settings entered manually will be applied.
-l   View a list of the current Affinity settings.

conf   Displays the Performance Pack Configuration.
ifs   Lists the interfaces to which Performance Pack is attached.
statistics   Displays general Performance Pack statistics.
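The following script is an added example, not part of the guide: it audits a set of NIC-to-processor Affinity settings against the one-NIC-per-processor advice above, flagging NICs bound to several processors or to all, and processors shared by more than one NIC. It assumes a constructed "iface : cpu [cpu ...]" listing as a stand-in for the output of sim affinity -l, whose exact layout on NGX R65 was not verified.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): audit NIC-to-processor
# Affinity against the advice that each NIC be bound to exactly one processor.
# ASSUMPTION: the "iface : cpu [cpu ...]" lines are a constructed stand-in for
# what "sim affinity -l" prints; the real layout was not checked against
# NGX R65, so adapt the parsing if it differs.
# Print one finding per line; return 0 when every NIC is pinned one-to-one,
# 1 when any finding was reported.
check_affinity() {
    printf '%s\n' "$1" | awk -F':' '
        NF < 2 { next }                       # skip blank or non-setting lines
        {
            gsub(/^[ \t]+|[ \t]+$/, "", $1)   # trim interface name
            gsub(/^[ \t]+|[ \t]+$/, "", $2)   # trim processor list
            iface = $1
            if ($2 == "all") {                # "all" means no pinning at all
                print iface ": bound to all processors (not pinned)"
                bad = 1; next
            }
            n = split($2, cpu, /[ \t]+/)
            if (n > 1) {                      # several processors per NIC
                print iface ": bound to " n " processors (" $2 ")"
                bad = 1
            }
            for (i = 1; i <= n; i++) {        # one NIC per processor
                if (cpu[i] in owner) {
                    print "processor " cpu[i] " shared by " owner[cpu[i]] " and " iface
                    bad = 1
                } else {
                    owner[cpu[i]] = iface
                }
            }
        }
        END { exit bad + 0 }'
}
# Constructed samples: a correct one-to-one layout and a badly tuned one.
SAMPLE_GOOD='eth0 : 0
eth1 : 1'
SAMPLE_BAD='eth0 : 0
eth1 : 0 1
eth2 : all'
if command -v sim >/dev/null 2>&1; then
    LISTING=$(sim affinity -l)   # live gateway: inspect the current settings
else
    LISTING=$SAMPLE_BAD
fi
check_affinity "$LISTING" || echo "re-tune with sim affinity -s (manual) or -a (automatic)"
```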
proc entries
Performance Tuning

SYN Defender
To obtain optimal TCP connection setup rate performance, verify that the SYN Defender method specified in SmartDefense is set to None (default).

Amount of Concurrent Connections and Hash Size

Setting the Maximal Concurrent Connections
To set the desired number of maximal concurrent connections, open SmartDashboard’s Gateway Object Properties window and proceed as follows:
1. Open the Capacity Optimization tab. Make sure that Calculate connections hash table size and memory pool is set to Automatically.
2. Set the desired amount of concurrent connections in the Maximum Concurrent Connections field.

Increasing the Number of Concurrent Connections
You can increase the actual number of concurrent connections by reducing the timeout of TCP and UDP sessions:
• TCP end timeout determines the amount of time a TCP connection will stay in the FireWall connection table after a TCP session has ended.
• UDP virtual session timeout determines the amount of time a UDP connection will stay in the FireWall connection table after the last UDP packet was seen by the gateway.
By reducing the above values, the capacity of actual TCP and UDP connections is increased.
Implied Rules
In order to set the optimal connection/sec rate, proceed as follows:
1. Select Global Properties from the Policy menu.
2. Select FireWall-1 in the Global Properties tree.
3. Uncheck the following options:
• Accept RIP
• Accept Domain Name over UDP (Queries)
• Accept Domain Name over TCP (Zone Transfer)
• Accept ICMP requests

HyperThreading
HyperThreading applies only to SecurePlatform.
HyperThreading is a feature of some Intel processors that enables emulation of two virtual processors by a single physical processor. This feature increases the performance under certain conditions.
Machines with Xeon processors have a BIOS option that may allow enabling or disabling HyperThreading, under the following circumstances:
• If the number of network interfaces is less than the actual physical number of processors (i.e. two network interfaces and three processors), it is recommended to enable HyperThreading.
• If the number of network interfaces is equal to or greater than the actual physical number of processors (i.e. two network interfaces and two processors), it is recommended to disable HyperThreading.
• If cryptography is used extensively, HyperThreading should be enabled.
Connection Templates
• A connection from 10.0.0.1/2000 to 11.0.0.1/80 — established through Firewall and then accelerated.
• A connection from 10.0.0.1/2001 to 11.0.0.1/80 — fully accelerated (including connection establishment).
• A connection from 10.0.0.1/8000 to 11.0.0.1/80 — fully accelerated (including connection establishment).
HTTP GET requests to a specific server will be accelerated, since the connections have the same source IP address.

Restrictions
In general, Connection Templates will be created only for plain UDP or TCP connections. The following restrictions apply for Connection Template generation:
Global restrictions:
• SYN Defender — Connection Templates for TCP connections will not be created.
• Security Server connections.
• Services with source port range.
• Time objects in the rules.
• Dynamic Objects and/or Domain Objects.
• Services of type “other” with a match expression.
• User/Client/Session Authentication actions.
• Services of type RPC/DCERPC/DCOM.
When installing a policy containing restricted rules, you will receive console messages indicating that Connection Templates will not be created due to the rules that have been defined. The warnings should be used as a recommendation that will assist you to fine-tune your policy in order to optimize performance.

Testing
To verify that connection templates are enabled, use the fwaccel stat command.
To verify that connection templates are generated, use fwaccel templates. This should be done while traffic is running, in order to obtain a list of currently defined templates.
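As an added example (not from the guide), the script below performs the verification described in this Testing section using the fwaccel commands from the command-line chapter: it checks that acceleration and Connection Templates are enabled and reports how many templates the accelerator currently holds. The "Accelerator Status"/"Accept Templates" lines and the "Number of templates" line are a constructed sample of the command output, not verified against NGX R65.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): verify that SecureXL
# acceleration and Connection Templates are enabled, then report the number
# of templates the accelerator currently holds.
# ASSUMPTION: the "Accelerator Status : on" / "Accept Templates : enabled"
# lines and the "Number of templates: N" line are a constructed sample of
# what "fwaccel stat" and "fwaccel templates -s" print; adjust the patterns
# if your gateway's output differs.

# Return 0 if the given "fwaccel stat" output shows acceleration on and
# templates enabled; otherwise print the reason and return 1.
accel_templates_ok() {
    stat_out=$1
    if ! printf '%s\n' "$stat_out" | grep -qi 'Accelerator Status *: *on *$'; then
        echo "acceleration is off: enable it with cpconfig or fwaccel"
        return 1
    fi
    if ! printf '%s\n' "$stat_out" | grep -qi 'Accept Templates *: *enabled *$'; then
        echo "templates disabled: check SYN Defender and the restricted rule types"
        return 1
    fi
    return 0
}

# Extract the first number found in "fwaccel templates -s" output.
template_count() {
    printf '%s\n' "$1" | sed -n 's/[^0-9]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Constructed sample output, used when fwaccel is not on PATH.
SAMPLE_STAT='Accelerator Status : on
Accept Templates : enabled'
SAMPLE_TEMPLATES='Number of templates: 12'

if command -v fwaccel >/dev/null 2>&1; then
    STAT_OUT=$(fwaccel stat)          # run on a live gateway while traffic flows
    TEMPL_OUT=$(fwaccel templates -s)
else
    STAT_OUT=$SAMPLE_STAT
    TEMPL_OUT=$SAMPLE_TEMPLATES
fi

if accel_templates_ok "$STAT_OUT"; then
    echo "templates enabled; $(template_count "$TEMPL_OUT") currently defined"
fi
```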
Delayed Synchronization
The synchronization mechanism guarantees High Availability. In a cluster configuration, if one cluster member fails, the other recognizes the connection failure and takes over, so the user does not experience any connectivity issue. However, there is an overhead per synchronized operation, which can occasionally cause a system slow-down when there are short sessions.
Delayed synchronization is a mechanism based upon the duration of the connection, with the duration itself used to determine whether or not to perform synchronization. A time range can be defined per service. The time range indicates that connections terminated before a specified expiration time will not be synchronized. As a result, synchronized traffic is reduced and overall performance increases. Delayed Synchronization is performed only for connections matching a connection template.
Note - Delayed synchronization is disabled if log or account is enabled.