
RE: [FW1] HTTP Security Server Performance with ~1800 connections




Greg;

We definitely have customers who have more than 3500 users behind their Firewall-1 box running the security servers with Websense.

Some tuning tips:

* bump up the http buffer size in the objects.c :http_buffer_size
* increase the amount of memory used by the kernel (see Phoneboy for FAQ).
* run multiple instances of the security server
* upgrade to 4.1 SP3
* most importantly use UFP Caching (note: the UFP vendor must support this)

UFP caching allows the Firewall to process "cached" UFP requests via inspect (ie: in kernel space), instead of at the application level (ie: HTTP sec. server). We have experienced dramatic performance increases with this on.

If you are using Websense please let me know and I will have someone contact you with additional details.

Thanks







-----Original Message-----
From: Greg Winkler [mailto:[email protected]]
Sent: Thursday, September 20, 2001 5:39 AM
To: [email protected]
Subject: [FW1] HTTP Security Server Performance with ~1800 connections




I am still struggling with high CPU use by the HTTP security servers. I
have been working with Checkpoint Israel for months and they are stumped.
The only solution offered is to throw a bigger (more cpu) server in place
of what I have. But I'm not convinced that would be a solution as the
number of connections running through this firewall doesn't appear to justify
more hardware.

I have about 3500 workstations sitting behind a 2 processor, 500mhz server
with 768mb of ram, running CP 4.1 (SP3) on NT 4.0, SP6a. I've charted the
values of the connections table every 15 seconds for weeks. With no
security servers involved we average 1800 or so connections. Most of our
traffic is HTTP. When I enable the HTTP security servers (I'm running one
on each processor) after about 10 minutes both processors max out at 100%
utilization and performance on the firewall goes down the drain. Looking
at task manager it is the individual security server processes that are
consuming all CPU.

Is anyone running this amount of workstations or connections thru their
firewall? Are you using the security servers? What processor, memory
configuration are you running?

----------------------------------------------------------------------------------------

Greg Winkler
Systems Manager, IT&S
Huntsman Corporation
Internet Mail: [email protected]







 