Re: [FW-1] AW: [FW-1] HTTP security server woes on NG... frustration level rising...



Hey Don,
        The total number of concurrent connections, peak, through the
box including all other protocols has only been ~5600 today (we're
off-season right now - under normal load this number is MUCH higher).  I
assumed that the security servers were designed to handle this many
connections, if not more.  Am I wrong in this assumption?  I haven't
called Checkpoint because of this... especially given the hardware we're
on.  I've found that the 280R's are no slouches.
        Anywho, the configuration is pretty basic.  I applied most of
the tweaks that are found on this page
(http://www.checkpoint.com/techsupport/documentation/FW-1_VPN-1_performance.html)...
with the exception of spawning more than one ahttpd
process... which I have a question about.  It says to replace the "0" at
the end of the line with a "-2".  Is this correct, or do I just want to
add a "2"?  So, should the line in "/var/opt/CPfw1-50/conf/fwauthd.conf"
read:

80      fwssd       in.ahttpd       wait    -2

        Or:

80      fwssd       in.ahttpd       wait    2

        Which brings up another interesting question... do I only want
to spawn two ahttpd processes?  Sure the box only has two processors,
but if I need to spawn more processes to simply be able to handle the
number of connections, should I do so?
        From some newsgroup postings I've browsed through since the time
I sent my original note out, it appears that spawning more than one
security server may indeed solve (or greatly reduce) the number of
errors that the security server is generating.  Hopefully this is the
case.

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
[email protected]


> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]] On Behalf Of Don
> Sent: Friday, June 07, 2002 5:03 PM
> To: [email protected]
> Subject: Re: [FW-1] AW: [FW-1] HTTP security server woes on
> NG... frustration level rising...
>
>
> >         The box in question is a SunFire 280R w/ dual 900MHz
> > UltraSPARC III processors, 2GB of memory, dual 10K 36GB internal
> > disks, and three NICs.  One of the NICs plugs into (for all practical
> > purposes) our Internet router, and the other two plug into different
> > internal networks.  There is an identical box running in parallel to
> > which connections are load balanced across.  All of the load balancing
> > is handled by hardware devices and thus we aren't running HA on either
> > firewall, they are acting as independent servers.  There are
> > approximately 3000 servers and 125,000 PC's on one of the internal
> > networks, and about 100 servers and 1000 users on the other internal
> > network.  We are trying to set up inbound URL filtering to stop certain
> > types of HTTP requests on the ingress.
>
> Abe,
>
> These numbers strike me as being far in excess of
> anything CheckPoint ever had in mind when they created the
> security servers. Could you give us an idea of how many
> connections you are trying to push through the security
> server? Have you spoken to CheckPoint to see whether they
> feel the servers can handle such high capacity?
>
> Can you give us more information about the security server
> configuration? How many processes are you starting?
>
> -Don
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
>
