
Re: [FW-1] Checkpoint Sizing... HELP!



Chris Labatt-Simon - D&D Consulting wrote:
>

Hi Chris!

> We currently have a userbase of 15,000 users and are running the following:
>
> - Checkpoint VPN-1 4.1 SP4
> - Stonebeat Fullcluster 2.0
> - Two Sun Enterprise 250's, single 300Mhz processor, 1GB RAM, dual 18GB
> drives with Disksuite Mirroring
> - One Sun Ultra/2 for a management station
> - Five DMZs
> - Websense, running locally on each firewall with the firewall pointing to
> 127.0.0.1 for UFP Access
> - About 150 rules
> - A 6MB upstream/downstream pipe to AT&T
>
> We currently see (within stonebeat) about 75%-100% load on both
> firewalls.  If anyone else here has this number of users, how many
> firewalls do you currently have in place and of what type?  We are trying


You can get some clues from:
a) Use sar to see what's loading your machines
b) Use iostat -xtc to see how mirroring is affecting your I/O performance,
   since in the past I've seen that mirroring can cause low performance, especially
   if you have I/O to disk (not sure in your case, since you have the
   management on another machine).
c) See fw ctl pstat to get some clues about the firewall's resource
   consumption
d) Use /usr/ucb/ps aux to see which processes are loading your machines


You can also see which rules are used most and try to put them at
the top. Generally, you can also follow the performance recommendations
for your machines which appear on Check Point's pages...

> to determine a new architecture which increases performance (substantially)
> while maintaining high availability.  A few of the things we can try today are:
>
> - Move Websense off of the firewalls (reduces high availability as 4.1 does
> not support load balancing across multiple servers)

Some kind of load balancing can be achieved for UFP and CVP servers from
4.1 SP2, see "Load Sharing" under the chapter about servers on the
Firewall manual (SecAdmin.pdf).

> - Purchase two more processors (one for each firewall) so the http security
> servers can multi-process (don't know how much performance this will
> actually add)

For Security Servers, more processors can improve performance. See the
same manual in the Security Servers sections...

Hope this helps. Good luck!

- Martín.

--
Martin H. Hoz-Salvador
EX-A-IEC, EX-A-FIME
http://gama.fime.uanl.mx/~mhoz

"Gimme a firewall sandwich with packet filter bread and
fast ethernet mustard. No pickles, please." - A. A.
"'Firewall sandwich with load balancers' sounds good; I'll
 order two with extra mayonnaise and a Coca Cola" - C. R. Wilson
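A small helper for the iostat check in step (b) above, added here as an example and not part of the original message: it reads `iostat -xtc` output and flags disks whose %busy is at or above a threshold, plus the CPU time spent waiting on I/O. The sample output is constructed (not captured from the poster's E250s), and the awk column positions assume the Solaris 8-era `iostat -xtc` layout.

```shell
#!/bin/sh
# Constructed sample of `iostat -xtc` output (Solaris 8-era column layout).
# sd0/sd1 are meant to be the two halves of a DiskSuite mirror: every write
# lands on both submirrors, so their kw/s columns match and both are busy.
IOSTAT_SAMPLE='                 extended device statistics                    tty         cpu
device       r/s    w/s   kr/s   kw/s wait actv  svc_t  %w  %b  tin tout  us sy wt id
sd0          1.2   48.6    9.6  612.4  0.0  1.9   39.8   0  71    0    0  12 31 42 15
sd1          1.1   48.7    9.1  612.4  0.0  1.8   38.2   0  70
sd6          0.0    0.0    0.0    0.0  0.0  0.0    0.0   0   0'

# busy_disks THRESHOLD  (reads iostat -xtc output on stdin)
# Prints "<device> <%b> <svc_t>" for each disk at or above THRESHOLD %busy.
# A high %b with low kr/s+kw/s and a large svc_t points at seek-bound writes
# (e.g. mirrored logging), not at raw bandwidth.
busy_disks() {
    awk -v thr="$1" '
        /^device/ { in_table = 1; next }          # header row: per-device rows follow
        in_table && NF >= 10 && $10 + 0 >= thr {
            printf "%s %d %.1f\n", $1, $10, $8     # device, %b, svc_t (ms)
        }
    '
}

# cpu_wait_pct  (reads iostat -xtc output on stdin)
# Prints the CPU "wt" column from the first data row: the share of CPU time
# the box spends waiting on I/O. If this is high while "us"/"sy" are modest,
# the load Stonebeat reports is disk-bound rather than firewall-bound.
cpu_wait_pct() {
    awk '/^device/ { hdr = 1; next } hdr && NF >= 16 { print $15; exit }'
}

# Stand-alone run against the constructed sample; on a real box pipe in
# `iostat -xtc 5 3` instead and look at the later intervals, not the first.
printf '%s\n' "$IOSTAT_SAMPLE" | busy_disks 50
printf 'cpu wait%%: %s\n' "$(printf '%s\n' "$IOSTAT_SAMPLE" | cpu_wait_pct)"
```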
