
RE: [FW1] Floodgate problems




Ashwin

Your h/w spec looks very borderline to me, depending on traffic levels etc. My very rough rule of thumb is that you need at least a PIII 500, 512Mb RAM and decent fast hard disk for Firewall plus Management Server. For Floodgate on top I would start to think about 1Gb RAM and maybe a VPN accelerator if you have heavy VPN.

In any case, from the information I have come across Checkpoint/Resellers insist (or at least highly recommend ?) that Fgate exist on same box as Fwall (if anyone knows better please post).

Notwithstanding the above, I would have thought that simple traffic loading rules shouldn't cause a huge problem - heck even an entry level Cisco router can cope with traffic shaping - certainly up to 2Mb's worth anyway. Then again the router isn't usually doing much else. If you have a heavily loaded Fwall then maybe the h/w isn't coping - have you had a look at your Fwall's performance stats ?


Tim


Ashwin Nand <[email protected]>
Sent by: [email protected]

11/06/01 22:41

       
        To:        "'[email protected]'" <[email protected]>
        cc:        "'[email protected]'" <[email protected]>, "'[email protected]'" <[email protected]>
        Subject:        RE: [FW1] Floodgate problems




Yes, the external line is a 64 Kbps line and I had incorrectly defined it on
the external/WAN interface. I've now defined both the Inbound/Outbound
Actives of the external interface to be 64 Kbps and the Real Time Monitor
appears to show traffic correctly for the enterprise as a whole. However,
after assigning a significant amount of b/width to my PC for HTTP/FTP (through
a large WEIGHT), all I see in the RTM for my PC are very small bursts at
irregular intervals and definitely not reaching the b/width I had hoped for.
I've even tried using guarantees in various combinations but still no
significant differences in speed. I'm using Hiding NAT for my PC. The box
where the FG-1 module is installed is also my FW-1 and Management server.
I hope installing e/thing on one box is not the cause of any problems?


Correct fgate stats:

Getting FloodGate-1 Status from ntsrv003
CPQANC7: Policy httpGuarantee4ITC installed:
   There are 152 active conversations.
   (in) : Rate Limit=8192 Bps, Pending:0 pkt   <----------------
             Avg rate = 7178 Bps.
             NFlows=150, NPFlows=2             <-----------------
   (out): Rate Limit=8192 Bps, Pending:0 pkt
             Avg rate = 1717 Bps.
             NFlows=151, NPFlows=0
Done.

<---------------- While we are with this problem, would s/one please explain
what NPFlows and Pending packets are, and if I'm correct to assume that the
pending packet queue shouldn't be zero in this case ??




Thanks

Ashwin N
ITC Services



-----Original Message-----
From: Matthias Leu [mailto:[email protected]]
Sent: Wednesday, 6 June 2001 10:55 PM
To: Ashwin Nand
Cc: '[email protected]'
Subject: Re: [FW1] Floodgate problems


Hi,
it seems to me that you have defined the NIC of the FG not correctly (?)
Your settings seem ok, if you have a connection with 64k to the Internet.
If it's more, you should define this in the properties of your FW/FG (NWO -
yourFloodGate - Interfaces - TrafficControl). It seems to me that you have
put here 64k as maximum of the NIC. So if you give 90% of the traffic to your
PC, you will have 90% of the maximum defined for the interfaces of your FG
(57.6k). Try to turn it to the "real" bandwidth you have and install the
rulebase afterwards.
Hope it helps,
best regards
Matthias

Ashwin Nand wrote:

> I'm a total newbie with this particular module and am having major trouble
> with it at the moment.
>
> The Floodgate service has installed fine/running and "fgate stat" output
> looks ok also.
> My problem with Floodgate is that it seems to be completely ineffective in
> managing bandwidth (at least I think so).
> After dedicating 90 % of the bandwidth to my PC for http, I don't
> notice any changes, speed improvement etc etc.
> Checking the log viewer reveals a lot of this in the info column for
> Floodgate-1:
>
> "tc-action:no-control connid:xx
> ............................................."
>
> where xx=number
>       .....= some packet information
>
> "fgate stat" output:
> C:\>fgate stat
> Getting FloodGate-1 Status from ntsrv003
> CPQANC7: Policy httpGuarantee4ITC installed:
>     There are 171 active conversations.
>     (in) : Rate Limit=65536 Bps, Pending:0 pkts, 0 bytes
>               Avg rate = 7464 Bps.
>               NFlows=161, NPFlows=9
>     (out): Rate Limit=65536 Bps, Pending:0 pkts, 0 bytes
>               Avg rate = 10511 Bps.
>               NFlows=167, NPFlows=0
> Done.
>
> I'm running :Checkpoint 4.1/SP3 with FloodGate-1 SP3
> OS Software :NT 4.0 Server/SP 6a
> Hardware    :Compaq Proliant ML 370 Pentium III with 128MB RAM
> NICS        :Compaq NC3134 Fast Ethernet NICs
>
> Can someone help me please. Is this thing totally ineffective or am I
> missing out on something simple?
>
> Ashwin N
> ITC Services
>
>


================================================================================
    To unsubscribe from this mailing list, please see the instructions at
              http://www.checkpoint.com/services/mailing.html
================================================================================



Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
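
Added example (not part of the original thread and not Check Point code): a parser for the "fgate stat" output quoted above that converts each direction's rate limit to kbps and compares it with the real line speed, the interface-definition check discussed in the thread. It assumes "Bps" means bytes per second and 1 Kbps = 1024 bit/s (which makes 8192 Bps equal the 64 Kbps line); parse_fgate_stat, check and the 80% threshold are hypothetical names and values.

```python
import re

# Sample input: the corrected "fgate stat" output quoted in the thread.
AFTER = """\
Getting FloodGate-1 Status from ntsrv003
CPQANC7: Policy httpGuarantee4ITC installed:
   There are 152 active conversations.
   (in) : Rate Limit=8192 Bps, Pending:0 pkt
             Avg rate = 7178 Bps.
             NFlows=150, NPFlows=2
   (out): Rate Limit=8192 Bps, Pending:0 pkt
             Avg rate = 1717 Bps.
             NFlows=151, NPFlows=0
Done.
"""

# One match per direction; accepts both "0 pkt" and "0 pkts, 0 bytes" variants.
DIRECTION = re.compile(
    r"\((in|out)\)\s*:\s*Rate Limit=(\d+) Bps, Pending:(\d+) pkts?"
    r".*?Avg rate = (\d+) Bps\..*?NFlows=(\d+), NPFlows=(\d+)", re.S)

def parse_fgate_stat(text):
    """Return {'in': {...}, 'out': {...}} parsed from fgate stat output."""
    stats = {}
    for name, limit, pending, avg, nflows, npflows in DIRECTION.findall(text):
        limit, avg = int(limit), int(avg)
        stats[name] = {
            "limit_Bps": limit,
            "limit_kbps": limit * 8 / 1024,  # assumption: bytes/s, K = 1024
            "avg_Bps": avg,
            "utilisation": avg / limit,      # share of the configured limit
            "pending_pkts": int(pending),
            "nflows": int(nflows),
            "npflows": int(npflows),
        }
    return stats

def check(stats, line_kbps, busy=0.8):
    """List directions whose limit differs from the real line or is nearly full."""
    findings = []
    for name, s in stats.items():
        if s["limit_kbps"] != line_kbps:
            findings.append(
                f"{name}: limit {s['limit_kbps']:g} kbps != line {line_kbps:g} kbps")
        if s["utilisation"] >= busy:
            findings.append(f"{name}: {s['utilisation']:.0%} of rate limit in use")
    return findings
```

Run against the first output in the thread (Rate Limit=65536 Bps), check(..., 64) reports both directions as defined at 512 kbps instead of the 64 kbps line under the stated unit assumption.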



 