Re: [FW1] FireWall-1 and Dual CPU machine
PCI is not PCI anymore. I have 66mhz 64bit Gigabit fiber NICs installed now that connect to Cisco6509's. Very fast. (but not OC192 fast...hehe)

----- Original Message -----
From: "Peter Lukas" <[email protected]>
To: "Craig Skelton" <[email protected]>
Cc: "William Pope" <[email protected]>; <[email protected]>; <[email protected]>
Sent: Tuesday, February 06, 2001 9:43 AM
Subject: Re: [FW1] FireWall-1 and Dual CPU machine

>
> This is precisely what the Nokia folks realized in their devices. A
> celeron with 64MB is going to do just as well when pushing policy as a Sun
> Ultra60 (can you believe these are being used as firewalls? Nice graphics
> on your "headless" firewall).
>
> PCI is PCI is PCI - for the most part at least. Some implementations
> leave much to be desired (thanks 810).
>
> However, the SunQFE can ride the 66MHz 64-bit PCI bus if configured
> properly. That'll provide some improvement over the 33MHz jalopy riding
> the Nokia Intel MB. I believe the Micron folks implemented a Samurai
> chipset (a pre-AGP concoction) which accomplished the same thing. On the
> downside, the extremely high markup of the four Intel speedo's with a Sun
> emblem on the Sun QFE is ludicrous. Looks like they fostered the Nokia
> markup as well.
>
> I've had a relatively high failure rate on the Luna PCI adapter (see
> previous threads of failing Luna PCI's with an "E.T." syndrome). The
> point of the post was that the UltraSPARC can be much faster than the
> Intel SA-110 on the LUNA PCI adapter. I'm not sure how the "Soft" LUNA is
> licensed. This only benefits VPN users who were conned into buying SMP
> powerhouses for their firewall device, though.
>
> -pl
>
> On Tue, 6 Feb 2001, Craig Skelton wrote:
>
> > Memory, bus speed, adapter speed, and base processor speed are the biggest
> > factors in FW1 performance.
> >
> > The Luna VPN card will increase performance only if you are implementing a
> > VPN. If you don't plan on using an IKE or IPSEC VPN then it won't do
> > anything for you. (Although they are cool if you do.)
> >
> > One thing people missed is the bus speed of your machine. This is a big
> > deal. You should examine the bus speed of the machine, and the ability of
> > the ethernet adapters to utilize that top speed. Some docs suggest that
> > gigabit cards will support slightly higher speeds even when run at Fast
> > Ethernet speeds. Stands to reason that the higher the performance capability,
> > the better the performance at nominal speeds. Obviously, if you already own
> > the machine, then you might not get to choose, but a slow bus speed might
> > mean that you are better off upgrading now (or that the second proc won't
> > matter).
> >
> > For dual cpu info, you should check the doc at:
> > http://www.checkpoint.com/techsupport/documentation/FW-1_VPN-1_performance.html
> > "SMP (2-4 CPUs) has the most effect on Resource and VPN policies performance
> > (up to 35-54% performance improvement). Make sure to run multiple instances
> > of security servers (see the VPN-1 Tuning chapter). "
> >
> > If you run lots of security servers, or have many people viewing logfiles
> > (nt clients being worse than command line warriors) then the dual cpu will
> > really help. Especially if they are not too good at refining their
> > selections. Obviously, the kernel modules are monolithic (most likely due to
> > severe security issues in multi-threaded kernel mods). The security servers
> > and other portions of vpn1/fw1 are not. (pbind etc. to take advantage.) You
> > should run multiple instances to increase performance. Multiple instances
> > will ensure that the second cpu is truly utilized (at least on solaris.). I
> > doubt there is much need for more than a dual box.
> >
> > As far as I am aware, there are no specific dual processor tuning points for
> > fw-1 on solaris (if you hear of any, let me know.) You might want to take a
> > look at sunsolve.sun.com for the doc id 1442 (white papers/ tech bulletins).
> >
> > Cheers,
> > Craig
> >
> > ----- Original Message -----
> > From: "Peter Lukas" <[email protected]>
> > To: "William Pope" <[email protected]>
> > Cc: <[email protected]>
> > Sent: Monday, February 05, 2001 6:42 PM
> > Subject: RE: [FW1] FireWall-1 and Dual CPU machine
> >
> > >
> > > I did notice a version of the Luna VPN driver optimized for the dormant
> > > CPU. Seeing as how a relatively fast UltraSPARC can effectively dust the
> > > StrongARM on the Chrysalis-ITS, it may be worth a looksee for people who
> > > ended up purchasing a multi-CPU system for their firewall...
> > >
> > > -peter
> > >
> > > On Mon, 5 Feb 2001, William Pope wrote:
> > >
> > > >
> > > > I do not think that Checkpoint has released a multithreaded version of
> > > > Firewall-1 yet. I have had some luck using pbind & renice to force the
> > > > Checkpoint services to the second processor leaving the first for the O/S.
> > > >
> > > > -----Original Message-----
> > > > From: [email protected]
> > > > [mailto:[email protected]]On Behalf Of Vincent, Mike
> > > > Sent: Monday, February 05, 2001 10:59 AM
> > > > To: 'Damon Starkey '; ''Arie Gilboa' '; ''fw-1 Mailinglis' '
> > > > Subject: RE: [FW1] FireWall-1 and Dual CPU machine
> > > >
> > > > Checkpoint did release a multi-threaded device driver to accelerate
> > > > encryption and decryption on SMP SPARC/Solaris and Windows NT systems.
> > > >
> > > > -----Original Message-----
> > > > From: Damon Starkey
> > > > To: 'Arie Gilboa'; 'fw-1 Mailinglis'
> > > > Sent: 2/5/01 10:15 AM
> > > > Subject: RE: [FW1] FireWall-1 and Dual CPU machine
> > > >
> > > > I was told no when I went through the Checkpoint Certification. It
> > > > benefits from a good amount of memory.
> > > >
> > > > Damon Starkey
> > > > Network Administrator
> > > > Digital Access Corporation
> > > >
> > > > -----Original Message-----
> > > > From: Arie Gilboa [mailto:[email protected]]
> > > > Sent: Monday, February 05, 2001 9:44 AM
> > > > To: 'fw-1 Mailinglis'
> > > > Subject: [FW1] FireWall-1 and Dual CPU machine
> > > >
> > > > Hello!,
> > > > I would like to install CP-2000 on Dual CPU Solaris machine.
> > > > Does CP-2000 software know to use more than one CPU? Is there any
> > > > special configuration which should be done?
> > > >
> > > > Thanks,
> > > > Arie Gilboa
> > > >
> > > > ================================================================================
> > > > To unsubscribe from this mailing list, please see the instructions at
> > > > http://www.checkpoint.com/services/mailing.html
> > > > ================================================================================