
Re: [FW1] FireWall-1 and Dual CPU machine



This is precisely what the Nokia folks realized in their devices.  A
Celeron with 64MB is going to do just as well when pushing policy as a Sun
Ultra60 (can you believe these are being used as firewalls?  Nice graphics
on your "headless" firewall).

PCI is PCI is PCI - for the most part at least.  Some implementations
leave much to be desired (thanks 810).

However, the SunQFE can ride the 66MHz 64-bit PCI bus if configured
properly.  That'll provide some improvement over the 33MHz jalopy riding
the Nokia Intel MB.  I believe the Micron folks implemented a Samurai
chipset (a pre-AGP concoction) which accomplished the same thing.  On the
downside, the extremely high markup of the four Intel speedo's with a Sun
emblem on the Sun QFE is ludicrous.  Looks like they fostered the Nokia
markup as well.

I've had a relatively high failure rate on the Luna PCI adapter (see 
previous threads of failing Luna PCI's with an "E.T." syndrome).  The
point of the post was that the UltraSPARC can be much faster than the
Intel SA-110 on the LUNA PCI adapter.  I'm not sure how the "Soft" LUNA is
licensed.  This only benefits VPN users who were conned into buying SMP
powerhouses for their firewall device, though.

-pl

On Tue, 6 Feb 2001, Craig Skelton wrote:

> Memory, bus speed, adapter speed, and base processor speed are the biggest
> factors in FW1 performance.
> 
> The Luna VPN card will increase performance only if you are implementing a
> VPN. If you don't plan on using an IKE or IPSEC VPN then it won't do
> anything for you. (Although they are cool if you do.)
> 
> One thing people missed is the bus speed of your machine. This is a big
> deal. You should examine the bus speed of the machine, and the ability of
> the ethernet adapters to utilize that top speed. Some docs suggest that
> gigabit cards will support slightly higher speeds even when run at Fast
> Ethernet speeds. Stands to reason that the higher the performance capability,
> the better the performance at nominal speeds. Obviously, if you already own
> the machine, then you might not get to choose, but a slow bus speed might
> mean that you are better off upgrading now (or that the second proc won't
> matter).
> 
> For dual cpu info, you should check the doc at:
> http://www.checkpoint.com/techsupport/documentation/FW-1_VPN-1_performance.html
> "SMP (2-4 CPUs) has the most effect on Resource and VPN policies performance
> (up to 35-54% performance improvement). Make sure to run multiple instances
> of security servers (see the VPN-1 Tuning chapter). "
> 
> If you run lots of security servers, or have many people viewing logfiles
> (nt clients being worse than command line warriors) then the dual cpu will
> really help. Especially if they are not too good at refining their
> selections. Obviously, the kernel modules are monolithic (most likely due to
> severe security issues in multi-threaded kernel mods). The security servers
> and other portions of vpn1/fw1 are not. (pbind etc. to take advantage.) You
> should run multiple instances to increase performance. Multiple instances
> will ensure that the second cpu is truly utilized (at least on solaris). I
> doubt there is much need for more than a dual box.
> 
> As far as I am aware, there are no specific dual processor tuning points for
> fw-1 on solaris (if you hear of any, let me know.) You might want to take a
> look at sunsolve.sun.com for the doc id 1442 (white papers/ tech bulletins).
> 
> Cheers,
> Craig
> 
> ----- Original Message -----
> From: "Peter Lukas" <[email protected]>
> To: "William Pope" <[email protected]>
> Cc: <[email protected]>
> Sent: Monday, February 05, 2001 6:42 PM
> Subject: RE: [FW1] FireWall-1 and Dual CPU machine
> 
> 
> >
> > I did notice a version of the Luna VPN driver optimized for the dormant
> > CPU.  Seeing as how a relatively fast UltraSPARC can effectively dust the
> > StrongARM on the Chrysalis-ITS, it may be worth a looksee for people who
> > ended up purchasing a multi-CPU system for their firewall...
> >
> > -peter
> >
> > On Mon, 5 Feb 2001, William Pope wrote:
> >
> > >
> > > I do not think that Checkpoint has released a multithreaded version of
> > > Firewall-1 yet.  I have had some luck using pbind & renice to force the
> > > Checkpoint services to the second processor leaving the first for the O/S.
> > >
> > > -----Original Message-----
> > > From: [email protected]
> > > [mailto:[email protected]]On Behalf Of Vincent, Mike
> > > Sent: Monday, February 05, 2001 10:59 AM
> > > To: 'Damon Starkey '; ''Arie Gilboa' '; ''fw-1 Mailinglis' '
> > > Subject: RE: [FW1] FireWall-1 and Dual CPU machine
> > >
> > >
> > >
> > > Checkpoint did release a multi-threaded device driver to accelerate
> > > encryption and decryption on SMP SPARC/Solaris and Windows NT systems.
> > >
> > > -----Original Message-----
> > > From: Damon Starkey
> > > To: 'Arie Gilboa'; 'fw-1 Mailinglis'
> > > Sent: 2/5/01 10:15 AM
> > > Subject: RE: [FW1] FireWall-1 and Dual CPU machine
> > >
> > > I was told no when I went through the Checkpoint Certification.  It
> > > benefits from a good amount of memory.
> > >
> > > Damon Starkey
> > > Network Administrator
> > > Digital Access Corporation
> > >
> > > -----Original Message-----
> > > From: Arie Gilboa [mailto:[email protected]]
> > > Sent: Monday, February 05, 2001 9:44 AM
> > > To: 'fw-1 Mailinglis'
> > > Subject: [FW1] FireWall-1 and Dual CPU machine
> > >
> > > Hello!,
> > > I would like to install CP-2000 on Dual CPU Solaris machine.
> > > Does CP-2000 software know to use more than one CPU ?. Is there any
> > > special configuration which should be done ?.
> > >
> > > Thanks,
> > > Arie Gilboa
> > >
> > >
> > >
> > > ================================================================================
> > >      To unsubscribe from this mailing list, please see the instructions at
> > >                http://www.checkpoint.com/services/mailing.html
> > > ================================================================================
> 


