Re: [FW-1] Checkpoint Sizing... HELP!
Use something like Floodgate to improve access for the more important services. That way high bandwidth use isn't much of an issue, unless you get billed per byte!

I'd definitely move Websense elsewhere - maybe to your management station if resources are tight, but certainly NOT on the firewall AND load balanced!

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]]On Behalf Of Chris Labatt-Simon - D&D Consulting
Sent: 23 October 2001 17:17
To: [email protected]
Subject: [FW-1] Checkpoint Sizing... HELP!

Suggestions here would be greatly appreciated.

We currently have a userbase of 15,000 users and are running the following:

- Checkpoint VPN-1 4.1 SP4
- Stonebeat Fullcluster 2.0
- Two Sun Enterprise 250's, single 300MHz processor, 1GB RAM, dual 18GB drives with Disksuite Mirroring
- One Sun Ultra/2 for a management station
- Five DMZs
- Websense, running locally on each firewall with the firewall pointing to 127.0.0.1 for UFP Access
- About 150 rules
- A 6MB upstream/downstream pipe to AT&T

We currently see (within stonebeat) about 75%-100% load on both firewalls.

If anyone else here has this number of users, how many firewalls do you currently have in place and of what type? We are trying to determine a new architecture which increases performance (substantially) while maintaining high availability.

A few of the things we can try today are:

- Move Websense off of the firewalls (reduces high availability as 4.1 does not support load balancing across multiple servers)
- Purchase two more processors (one for each firewall) so the http security servers can multi-process (don't know how much performance this will actually add)
- Upgrade to NG (adds UFP load balancing, but relatively untested and would be going into a very high load environment)

Some of the other items we can look into is the purchase of additional firewalls, etc., but we would prefer to hear from people with a similar number of users first to determine how many firewalls we should potentially put in.

Any help would be *greatly* appreciated.

Thanks!

Chris

-----------------------------------------------------------------
Chris Labatt-Simon          E-MAIL: [email protected]
D & D Consulting, Ltd.      WEB: http://www.dandd.com
Albany, New York            PHONE:
INTERNET CORE AND SERVICE PROVIDER SERVICES/UNIX/SECURITY/WAN/LAN
Authorized Juniper, Extreme Networks, F5 and Cisco Partners
ISP/CLEC/LEC Networks at Wire Speed http://www.coreservice.com

===============================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
===============================================