[FW1] Checkpoint 4.1, SP3/4 load issues on Sun: information and resolution of possible undocumented bug.



Hey everyone,
	I wanted to pass along something we learned while troubleshooting a
client's problem. If this is well known, sorry for the duplicate mail, but
it came as a surprise to us, and we were unable to locate any technical
documentation from Checkpoint on this issue. 

Environment:
Checkpoint 4.1, SP3 and SP4
Sun 220R with Solaris 2.7
2 450MHz CPUs, 512 MB of RAM

Firewall was running as perimeter for a large network with a mix of both legal
and illegal IP space. Pushing maybe a peak of 8-10 megs a second. Also was doing
encryption to a dozen or so other firewalls, as well as acting as a
SecuRemote/SecureClient concentrator.

Problem:
The problem was first noticed after the management station (on a separate
host) was upgraded to SP4. The load on the firewall jumped dramatically, to
the point where packet loss was around 50% or greater. Load was seen in
excess of 7, with 100% CPU utilization.
Backing off to SP3, load, once monitored closely, was still seen very high.
Load average was around 1.5-2.0 with 90% CPU most of the work day. Ping
times across the firewall were in excess of 30 ms, with packet loss at around
5%.

After weeks with Checkpoint tech support, a senior technical person finally
gave us a clue on what the problem was.  

Resolution:
The customer had a large number of illegal networks. They had grouped these
into a single group object containing about 35 networks, including other nested
groups, for their Network Address Translation rules. Checkpoint indicated
that this can cause huge load issues in SP4, and some load issues in SP3.

We advised the client to split up the NAT rules into single network objects.
(FYI, you can only have 1 object in the source of a NAT rule.)
This took their NAT rules from about 6 to around 30.

Result was almost immediate. 

The box dropped from a load of 1.5 to .5, even as low as .3. Ping times
dropped to <10 ms with 0 packet loss after 5000 ping tests. After a few days
of monitoring, the client is reporting amazing increases in throughput and
performance. They have not yet tried reapplying SP4, but we are fairly
confident it should have no issues.

Summation:
Don't use group objects in your NAT rules. 

Hope this helps some of you out there. 

Thanks.
Andrew Kalat
