Re: [FW1] FireWall-1 and Dual CPU machine
VPN is still a security server process. It is not the inspection code itself, which is what constitutes a FireWall. Again: Inspect engine = Firewall = non-multithreaded. Security servers = ufp/cvp/vpn = added functionality pieces = user-configurable. But thanks for the input.

CT

"Vincent, Mike" wrote:

> That is mostly true. Under 4.1 with Service Pack 3 and VPNx (free download from Checkpoint) installed encryption/decryption is multi-threaded on Solaris and Windows NT.
>
> -----Original Message-----
> From: CryptoTech
> To: [email protected]
> Cc: [email protected]
> Sent: 2/10/01 11:23 PM
> Subject: Re: [FW1] FireWall-1 and Dual CPU machine
>
> <rant>
> Come on people, HOW MANY TIMES DOES IT HAVE TO BE STATED-----
>
> FIREWALL-1 IS NOT MULTITHREADED. If you run security servers, they can run multiple instances with each bound to a separate processor, but the core code is NOT multithreaded.
>
> </rant>
> Seriously, the documentation will make this clear.
>
> [email protected] wrote:
> >
> > fyi,
> >
> > linux 2.4.1 kernel has MUCH better networking stats, and in fact it's multithreaded... from what I understand.
> >
> > On Sat, 10 Feb 2001, Peter Lukas wrote:
> > >
> > > Even with a GigE adapter, the bottleneck is the processor as it crunches through the policy.
> > >
> > > The newer 900MHz UltraIII's would most likely enable you to approach the capacity of the 100Mbps ethernet adapter, but for sustained throughput, it may not come close.
> > >
> > > Some of the newer GHz x86 processors could probably tap a keg of whoopass on crunching through the policy and you may approach 100Mbps and beyond. You'd then need to bundle into that configuration some speedy memory, etc.
> > >
> > > The newer processors from AMD and (when they get their act together) Intel are capable of crunching through policy relatively well.
> > > Add that with faster memory, etc (should DDR-SDRAM materialize), and your x86 firewall will most likely smoke a Solaris/Sun-Based firewall.
> > >
> > > The real problem here is that you only have Linux or NT on which to run CP. Since neither can handle packets as well as Solaris, and Nokia selfishly clings to their IPSO/FreeBSD CP binary, we don't have a more efficient OS to slap atop this newer, speedier hardware.
> > >
> > > Either we pressure Nokia/CP to release native *BSD binaries of their product, or we wait for Nokia to "support" better and more capable hardware.
> > >
> > > Peter Lukas
> > >
> > > On Tue, 6 Feb 2001, Craig Skelton wrote:
> > > >
> > > > Couldn't agree more. The ultra60 is such a nice desktop :). I fully believe in single purpose firewalls. Why waste cpu cycles on any other task.
> > > >
> > > > Have you tried any gigabit adapters at fast ethernet speeds? (Or has anyone?) I'm wondering if that is not the *best* way to get maximum performance.
> > > >
> > > > Has anybody got any references for how disk speed affects fw1? I'm assuming that the faster the drive, the faster the logging. Does that increase fw1 performance at all? I would think that it would at least reduce the memory footprint a bit (if log entries are buffered in memory before being written). Comments anyone?
> > > >
> > > > Cheers,
> > > > Craig
> > > >
> > > > ----- Original Message -----
> > > > From: "Peter Lukas" <[email protected]>
> > > > To: "Craig Skelton" <[email protected]>
> > > > Cc: "William Pope" <[email protected]>; <[email protected]>; <[email protected]>
> > > > Sent: Tuesday, February 06, 2001 6:43 AM
> > > > Subject: Re: [FW1] FireWall-1 and Dual CPU machine
> > > >
> > > > > This is precisely what the Nokia folks realized in their devices.
> > > > > A celeron with 64MB is going to do just as well when pushing policy as a Sun Ultra60 (can you believe these are being used as firewalls? Nice graphics on your "headless" firewall).
> > > > >
> > > > > PCI is PCI is PCI - for the most part at least. Some implementations leave much to be desired (thanks 810).
> > > > >
> > > > > However, the SunQFE can ride the 66MHz 64-bit PCI bus if configured properly. That'll provide some improvement over the 33MHz jalopy riding the Nokia Intel MB. I believe the Micron folks implemented a Samurai chipset (a pre-AGP concoction) which accomplished the same thing. On the downside, the extremely high markup of the four Intel speedo's with a Sun emblem on the Sun QFE is ludicrous. Looks like they fostered the Nokia markup as well.
> > > > >
> > > > > I've had a relatively high failure rate on the Luna PCI adapter (see previous threads of failing Luna PCI's with an "E.T." syndrome). The point of the post was that the UltraSPARC can be much faster than the Intel SA-110 on the LUNA PCI adapter. I'm not sure how the "Soft" LUNA is licensed. This only benefits VPN users who were conned into buying SMP powerhouses for their firewall device, though.
> > > > >
> > > > > -pl
> > > > >
> > > > > On Tue, 6 Feb 2001, Craig Skelton wrote:
> > > > >
> > > > > > Memory, bus speed, adapter speed, and base processor speed are the biggest factors in FW1 performance.
> > > > > >
> > > > > > The Luna VPN card will increase performance only if you are implementing a VPN. If you don't plan on using an IKE or IPSEC VPN then it won't do anything for you. (Although they are cool if you do.)
> > > > > >
> > > > > > One thing people missed is the bus speed of your machine. This is a big deal.
> > > > > > You should examine the bus speed of the machine, and the ability of the ethernet adapters to utilize that top speed. Some docs suggest that gigabit cards will support slightly higher speeds even when run at Fast Ethernet speeds. Stands to reason that the higher the performance capability, the better the performance at nominal speeds. Obviously, if you already own the machine, then you might not get to choose, but a slow bus speed might mean that you are better off upgrading now (or that the second proc won't matter).
> > > > > >
> > > > > > For dual cpu info, you should check the doc at:
> > > > > > http://www.checkpoint.com/techsupport/documentation/FW-1_VPN-1_performance.html
> > > > > > "SMP (2-4 CPUs) has the most effect on Resource and VPN policies performance (up to 35-54% performance improvement). Make sure to run multiple instances of security servers (see the VPN-1 Tuning chapter)."
> > > > > >
> > > > > > If you run lots of security servers, or have many people viewing logfiles (nt clients being worse than command line warriors) then the dual cpu will really help. Especially if they are not too good at refining their selections. Obviously, the kernel modules are monolithic (most likely due to severe security issues in multi-threaded kernel mods). The security servers and other portions of vpn1/fw1 are not. (pbind etc. to take advantage.) You should run multiple instances to increase performance. Multiple instances will ensure that the second cpu is truly utilized (at least on solaris). I doubt there is much need for more than a dual box.
> > > > > >
> > > > > > As far as I am aware, there are no specific dual processor tuning points for fw-1 on solaris (if you hear of any, let me know). You might want to take a look at sunsolve.sun.com for the doc id 1442 (white papers/ tech bulletins).
> > > > > >
> > > > > > Cheers,
> > > > > > Craig
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Peter Lukas" <[email protected]>
> > > > > > To: "William Pope" <[email protected]>
> > > > > > Cc: <[email protected]>
> > > > > > Sent: Monday, February 05, 2001 6:42 PM
> > > > > > Subject: RE: [FW1] FireWall-1 and Dual CPU machine
> > > > > >
> > > > > > > I did notice a version of the Luna VPN driver optimized for the dormant CPU. Seeing as how a relatively fast UltraSPARC can effectively dust the StrongARM on the Chrysalis-ITS, it may be worth a looksee for people who ended up purchasing a multi-CPU system for their firewall...
> > > > > > >
> > > > > > > -peter
> > > > > > >
> > > > > > > On Mon, 5 Feb 2001, William Pope wrote:
> > > > > > >
> > > > > > > > I do not think that Checkpoint has released a multithreaded version of Firewall-1 yet. I have had some luck using pbind & renice to force the Checkpoint services to the second processor, leaving the first for the O/S.
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: [email protected] [mailto:[email protected]] On Behalf Of Vincent, Mike
> > > > > > > > Sent: Monday, February 05, 2001 10:59 AM
> > > > > > > > To: 'Damon Starkey'; 'Arie Gilboa'; 'fw-1 Mailinglis'
> > > > > > > > Subject: RE: [FW1] FireWall-1 and Dual CPU machine
> > > > > > > >
> > > > > > > > Checkpoint did release a multi-threaded device driver to accelerate encryption and decryption on SMP SPARC/Solaris and Windows NT systems.
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Damon Starkey
> > > > > > > > To: 'Arie Gilboa'; 'fw-1 Mailinglis'
> > > > > > > > Sent: 2/5/01 10:15 AM
> > > > > > > > Subject: RE: [FW1] FireWall-1 and Dual CPU machine
> > > > > > > >
> > > > > > > > I was told no when I went through the Checkpoint Certification. It benefits from a good amount of memory.
> > > > > > > >
> > > > > > > > Damon Starkey
> > > > > > > > Network Administrator
> > > > > > > > Digital Access Corporation
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Arie Gilboa [mailto:[email protected]]
> > > > > > > > Sent: Monday, February 05, 2001 9:44 AM
> > > > > > > > To: 'fw-1 Mailinglis'
> > > > > > > > Subject: [FW1] FireWall-1 and Dual CPU machine
> > > > > > > >
> > > > > > > > Hello!
> > > > > > > > I would like to install CP-2000 on a Dual CPU Solaris machine. Does the CP-2000 software know how to use more than one CPU? Is there any special configuration which should be done?
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > > Arie Gilboa
> >
> > --
> > --Paul

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
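The one piece of this thread that turns into an administrative procedure is the combination of William Pope's pbind/renice trick and the Check Point advice, quoted by Craig Skelton, to run multiple security server instances on an SMP box. The script below is an added example and is not code from the thread, from Check Point, or from any of the posters. It reads a psrinfo listing and a ps listing, picks out the security server daemons, and plans round-robin pbind bindings to every on-line processor other than CPU 0, which is left to the OS and to the single-threaded kernel module that pbind cannot touch. Assumptions, flagged in the comments as well: the security servers are the in.a* daemons (check your own process list), the renice increment of -5, and the Solaris syntax of psrinfo, pbind and renice. The psrinfo and ps samples are constructed; the plan is only executed when APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the thread or from Check Point.
# Plans (and with APPLY=1 applies) pbind/renice for FireWall-1 security
# server daemons on an SMP Solaris host. Every in.a* process is bound
# round-robin to the on-line processors other than CPU 0, which is left for
# the OS and the single-threaded INSPECT kernel module. Without APPLY=1 the
# script only prints the plan for the constructed sample data below.

SS_PATTERN='^in[.]a'   # ASSUMPTION: FW-1 security servers are the in.a* daemons
NICE_DELTA=-5          # ASSUMPTION: renice increment (negative = higher priority)

# online_cpus: read `psrinfo` output on stdin and print the ids of on-line
# processors, skipping CPU 0.
online_cpus() {
    awk '$2 == "on-line" && $1 != 0 { print $1 }'
}

# plan_bindings: read `ps -eo pid,comm` output on stdin; $1 is a
# space-separated list of usable processor ids. Emits a pbind line and a
# renice line per security server process, assigning processors round-robin.
# With no usable processor it emits a comment instead, so the plan can still
# be piped into sh without doing anything.
plan_bindings() {
    awk -v cpus="$1" -v pat="$SS_PATTERN" -v delta="$NICE_DELTA" '
        BEGIN { n = split(cpus, cpu, " "); i = 0 }
        NR > 1 && $2 ~ pat {
            if (n == 0) {
                printf "# no spare CPU for %s (pid %s); nothing to bind\n", $2, $1
                next
            }
            c = cpu[(i % n) + 1]; i++
            printf "pbind -b %s %s\n", c, $1
            printf "renice -n %s -p %s\n", delta, $1
        }'
}

# Constructed sample data standing in for psrinfo and ps on a 4-way box
# with CPU 2 off-line and two in.ahttpd instances running (the quoted
# Check Point advice is to run multiple security server instances).
SAMPLE_PSRINFO='0   on-line   since 02/05/01 09:00:00
1   on-line   since 02/05/01 09:00:00
2   off-line  since 02/05/01 09:00:00
3   on-line   since 02/05/01 09:00:00'
SAMPLE_PS='  PID COMMAND
  123 fwd
  201 in.ahttpd
  202 in.ahttpd
  203 in.asmtpd
  300 in.aftpd
  400 sched'

if [ "${APPLY:-0}" = 1 ]; then
    # Real run on the firewall. Solaris processor bindings are inherited, so
    # connection handlers forked by a bound daemon stay on the same CPU.
    cpus=$(psrinfo | online_cpus | tr '\n' ' ')
    ps -eo pid,comm | plan_bindings "$cpus" | sh -x
else
    cpus=$(printf '%s\n' "$SAMPLE_PSRINFO" | online_cpus | tr '\n' ' ')
    printf '%s\n' "$SAMPLE_PS" | plan_bindings "$cpus"
fi
```

Run without arguments it prints the plan for the sample data: the four in.a* processes alternate between CPUs 1 and 3 and fwd and sched are left alone. With APPLY=1 the plan is piped through sh -x so each executed command is echoed; `pbind -q` afterwards shows the resulting bindings. The plan covers only user-space daemons: the kernel module that does the actual inspection is not a process and nothing here changes which processor services it.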