[FW1] Checkpoint 4.1, SP3/4 load issues on Sun information and resolution of possible undocumented bug.
Hey everyone,

I wanted to pass along something we learned while troubleshooting a client's problem. If this is well known, sorry for the duplicate mail, but it came as a surprise to us, and we were unable to locate any technical documentation from Checkpoint on this issue.

Environment:
Checkpoint 4.1, SP3 and SP4
Sun 220R with Solaris 2.7, 2 450 MHz CPUs, 512 MB of RAM
The firewall was running as the perimeter for a large network with a mix of both legal and illegal IP space, pushing maybe 8-10 megs a second at peak. It was also doing encryption to a dozen or so other firewalls, as well as acting as a SecuRemote/SecureClient concentrator.

Problem:
The problem was first noticed after the management station (on a separate host) was upgraded to SP4. The load on the firewall jumped dramatically, to the point where packet loss was around 50% or greater. Load was seen in excess of 7, with 100% CPU utilization. After backing off to SP3, load, once monitored closely, was still seen to be very high. Load average was around 1.5-2.0 with 90% CPU most of the work day. Ping times across the firewall were in excess of 30 ms, with packet loss at around 5%. After weeks with Checkpoint tech support, a senior technical person finally gave us a clue as to what the problem was.

Resolution:
The customer had a large number of illegal networks. They had grouped these into a single group object containing about 35 networks, including other nested groups, for their Network Address Translation rules. Checkpoint indicated that this can cause huge load issues in SP4, and some load issues in SP3. We advised the client to split up the NAT rules into single network objects. (FYI, you can only have one object in the source of a NAT rule.) This took their NAT rules from about 6 to around 30. The result was almost immediate. The box dropped from a load of 1.5 to 0.5, even as low as 0.3. Ping times dropped to <10 ms with 0 packet loss after 5000 ping tests.

After a few days of monitoring, the client is reporting amazing increases in throughput and performance. They have not yet tried reapplying SP4, but we are fairly confident it should have no issues.

Summation:
Don't use group objects in your NAT rules.

Hope this helps some of you out there.

Thanks.

Andrew Kalat
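The resolution above boils down to a mechanical rewrite: take every NAT rule whose source is a group object, resolve the group (and any nested groups) down to its individual network objects, and emit one NAT rule per network, since a NAT rule source can hold only one object. The script below is an added example written for this post, not code from the original mail and not Check Point's own tooling or object-database format. The object model (a Network record and groups as lists of member names), the object names and addresses, and the rule dictionaries are all constructed here for illustration. It also handles two edge cases the post does not spell out: a network listed twice via different groups is emitted once, and a group that (directly or indirectly) contains itself is reported instead of looping forever.

```python
"""Expand group-based NAT rules into one rule per network object.

Hypothetical model of a FireWall-1-style object database, constructed
for this example. A group is a list of member names; members may be
networks or other groups (nesting is what made the real rulebase hard
to evaluate). Not Check Point's own tooling or file format.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    """A single network object: the only thing a NAT rule source may hold."""
    name: str
    address: str   # e.g. "10.1.0.0"
    netmask: str   # e.g. "255.255.0.0"


# Constructed object database (assumed names and RFC 1918 / documentation
# addresses; nothing here comes from the original post).
OBJECTS = {
    "net_a":   Network("net_a", "10.1.0.0", "255.255.0.0"),
    "net_b":   Network("net_b", "10.2.0.0", "255.255.0.0"),
    "net_c":   Network("net_c", "172.16.0.0", "255.255.0.0"),
    "net_d":   Network("net_d", "172.17.0.0", "255.255.0.0"),
    "net_dmz": Network("net_dmz", "192.0.2.0", "255.255.255.0"),
    "grp_inner":   ["net_c", "net_d"],
    # nested group plus a duplicate member, to exercise de-duplication
    "grp_illegal": ["net_a", "net_b", "grp_inner", "net_a"],
}

# Constructed NAT rulebase: one hide rule keyed on the big group (the
# pattern the post advises against) and one static rule on a single net.
NAT_RULES = [
    {"src": "grp_illegal", "dst": "Any", "service": "Any",
     "xlate_src": "fw_external", "method": "hide"},
    {"src": "net_dmz", "dst": "Any", "service": "Any",
     "xlate_src": "dmz_public", "method": "static"},
]


def resolve_members(name, objects, _path=None):
    """Resolve an object name to the ordered, de-duplicated list of leaf
    Network objects it represents. Groups are expanded recursively; a
    group that contains itself (directly or via nesting) raises ValueError
    instead of recursing forever."""
    path = _path or []
    obj = objects[name]          # KeyError for an undefined object is deliberate
    if isinstance(obj, Network):
        return [obj]
    if name in path:
        raise ValueError("group cycle: " + " -> ".join(path + [name]))
    leaves = []
    for member in obj:
        for net in resolve_members(member, objects, path + [name]):
            if net not in leaves:  # same network reachable twice: keep one
                leaves.append(net)
    return leaves


def expand_nat_rules(rules, objects):
    """Rewrite each rule so its source is a single Network object.
    A rule whose source is a group becomes N rules, one per leaf network,
    with every other field copied unchanged. Rule order is preserved."""
    expanded = []
    for rule in rules:
        for net in resolve_members(rule["src"], objects):
            expanded.append({**rule, "src": net.name})
    return expanded


def format_rule(rule, objects):
    """Render one expanded rule as a readable line, address included."""
    net = objects[rule["src"]]
    return (f"{rule['method']:6} src={net.name} ({net.address}/{net.netmask}) "
            f"dst={rule['dst']} svc={rule['service']} -> {rule['xlate_src']}")


if __name__ == "__main__":
    before = len(NAT_RULES)
    after = expand_nat_rules(NAT_RULES, OBJECTS)
    print(f"{before} group-based rule(s) -> {len(after)} single-object rule(s)")
    for r in after:
        print(format_rule(r, OBJECTS))
```

Running it prints the two original rules expanded to five, with the hide rule repeated once per member network of grp_illegal; in the post's case this is the step that turned roughly 6 rules into roughly 30. The cycle check matters because a rulebase that has grown nested groups over years can easily end up with a group that references itself through another group.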