
Re: FW: [FW1] Platform Question



It's a problem when you rely on a single point of failure.
It's a problem when you have a single firewall that you rely on heavily and you need to install a new rule base.
(notice what happens to all those established sessions?)
Lots of reasons to not rely on a SINGLE firewall solution.
 
A six pack is designed to solve problems of load balancing, availability/reliability, and management.
Usually you will have two routers for internet, two switches (Foundry etc.) behind them, two firewalls, and
then two more switches. You can put a bullet in whatever component you choose and your packets will
still reach their destination. This also means you can schedule maintenance tasks easier.
 
Ideally the core of your network is a fully redundant switch mesh and as a rule, nothing can connect to the
core without itself being redundant. I guess there are a million ways to get things done though, this method
keeps the diameter of the network from growing too quickly and I need my firewalls connected in like fashion.
----- Original Message -----
Sent: Thursday, January 04, 2001 1:28 PM
Subject: RE: FW: [FW1] Platform Question

Just curious -

  What do you mean by a "redundant six pack" setup?  Thanks!



-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Thursday, January 04, 2001 12:47 PM
To: [email protected]; [email protected];
[email protected]
Subject: Re: FW: [FW1] Platform Question



From what I have seen, the main FW-1 process is NOT multithreaded.
However, there are several processes separate from the main FW-1 process and
having a 2nd processor will allow the ELA, http proxy, and other components to
take advantage of the second CPU.

Looking at perfmon graphs under heavy load I see one processor getting heavy
utilization and trending this against the FW-1 metrics for packets forwarded it is
easy to see a 1 to 1 relationship.

From what I remember in CCSE classes, this is the case for the Unix builds as well.

RAM is not nearly as much an issue as some people would have you think unless
you have a LOT of connections or VPNs.

If I had it to do all over again, I would get two 1U Compaq servers and stick a
1GHz processor in each and two Intel i960 NICs (that provides 2 10/100 on
the systemboard and the 2 extra ISL capable ports).
Slap a Foundry switch on either side and build a redundant six pack setup.
If I suddenly needed to run more security server processes, I can just pop in another
1Gig CPU and there you go...LOTS LOTS cheaper.

Perhaps the IPSO devices would be a good appliance style solution as well.
I have heard some rumors of Nokia distancing themselves from Checkpoint lately.


----- Original Message -----
From: <[email protected]>
To: <[email protected]>; <[email protected]>
Sent: Thursday, January 04, 2001 11:18 AM
Subject: RE: FW: [FW1] Platform Question


>
> Well the switch was to free up the Sun box for database operations PLUS our
> staff is much more NT literate than Unix. Our load is very LOW, T1x2 to
> internet and at MAX 20 simultaneous SecureRemote users.
>
> So, that being said... here are answers to your questions -- appreciate
> everyone's help, have gotten lots of responses now :)
>
> It's FW-1 sp2 - still have not got a definitive answer as to whether this
> supports SMP or not.
> The 220R was a single 450MHz
> The Intel NICs are set to AUTO, but both their diags and SNMP report they
> are running at Full Duplex
>
> Thanks again to everyone for trying to work through this with me!
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: Thursday, January 04, 2001 10:19 AM
> To: [email protected]
> Subject: Re: FW: [FW1] Platform Question
>
> I'm not trying to be a smart a$$, but I wonder how many people would go
> FROM Solaris TO Windows.
>
> I don't know much about anything, but I have heard that Solaris machines
> work much better under HIGH load than Windows machines.  Is your server
> under high load?
>
> I wouldn't be TOO surprised if your users are actually experiencing a
> performance hit.  My reasoning here is:
>
> -What version of FW-1? Is it a version that supports SMP?
> -was the 220R dual?  what CPUs did it have?  Two 450's perhaps?
> -does the Windows FW-1 version support SMP?  If it doesn't then you are
> comparing two boxes with very similar hardware (assuming worst case
> on the # of CPUs in the 220R)... but one with the overhead of an
> expensive GUI.
> -even though your RAM has increased, if you weren't using all 128MB on the
> Solaris machine... then it wouldn't make any difference.
>
> (PS.  Have you checked your speed and duplex on the NICs on the NT
> machine?  Autonegotiation is worse than useless.)
>
> On Thu, 4 Jan 2001 [email protected] wrote:
>
> >
> > It's funny, I didn't get one single reply on this... does that mean NO ONE
> > has ever run into this, or is it just something no one wants to talk
> > about?
> >
> <SNIP>
>
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
>
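
The "six pack" layout described at the top of this thread (two routers, two outer switches, two firewalls, two inner switches), checked for single points of failure against a single-firewall design. This is an added example, not part of any message in the thread; the device names and the full cross-connection between adjacent layers are assumptions.

```python
from collections import deque
from itertools import product


def reachable(links, src, dst, failed=frozenset()):
    """Breadth-first search over undirected links, ignoring failed devices."""
    if src in failed or dst in failed:
        return False
    adj = {}
    for a, b in links:
        if a in failed or b in failed:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def single_points_of_failure(links, src, dst):
    """Devices whose loss alone cuts every path from src to dst."""
    devices = {n for link in links for n in link} - {src, dst}
    return sorted(d for d in devices if not reachable(links, src, dst, {d}))


def mesh(*layers):
    """Assumption: every device in a layer is cabled to every device in the next."""
    return [pair for up, down in zip(layers, layers[1:])
            for pair in product(up, down)]


# Constructed topologies; all device names are hypothetical.
EDGE = (["internet"], ["rtr1", "rtr2"], ["sw_out1", "sw_out2"])
INSIDE = (["sw_in1", "sw_in2"], ["core"])
SINGLE_FW = mesh(*EDGE, ["fw1"], *INSIDE)
SIX_PACK = mesh(*EDGE, ["fw1", "fw2"], *INSIDE)

if __name__ == "__main__":
    for name, topo in (("single firewall", SINGLE_FW), ("six pack", SIX_PACK)):
        print(name, "->", single_points_of_failure(topo, "internet", "core"))
```

The check covers path availability only; whether established sessions survive a firewall failover depends on state synchronization between the two firewalls, which this model does not represent.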






 
   All contents © 2004 Network Presence, LLC. All rights reserved.