Thursday, May 27, 2010

Checkpoint concurrent sessions and memory calculation / How to define connections capacity for available RAM on Firewall?

Solution ID: sk39777 Average Rating:
How do I make FireWall-1 Support More Connections? (FireWall-1 Performance Tuning)

Product: VPN-1 Power/UTM
Version: All
Last Modified: 14-Apr-2009
General Performance Considerations

Followings are general recommendations that can significantly improve the VPN-1 performance:


Make sure SecureXL mechanism is enabled. This will optimize the flow of certain types of packets. For more details, refer to KB1354215.

nokia[admin]# fwaccel stat

Accelerator Status : on

Templates : enabled

Accelerator Features : Accounting, NAT, Cryptography, Routing,

HasClock, Templates, VirtualDefrag, GenerateIcmp,

IdleDetection, Sequencing, TcpStateDetect,

AutoExpire, DelayedNotif, McastRouting,


Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,

3DES, DES, ESP, LinkSelection, DynamicVPN,

NatTraversal, EncRouting

For IPSO 3.8 and above: This can be enabled with cpconfig option to 'Enable Check Point SecureXL'

For IPSO-3.7 and IPSO-3.7.1, Make sure FLOWS mechanism is enabled

On Nokia console run:

nokia[admin]# ipsofwd list

net:ip:forward:noforwarding = 0

net:ip:forward:noforwarding_author = fwstart

net:ip:forward:switch_mode = flowpath

net:ip:forwarding = 1

Note- if switch_mode is not flowpath, then set the switch_mode to FLOWS as below:

nokia[admin]# ipsctl -w net:ip:forward:switch_mode "flowpath"

Increasing Connections Table

Expanding the VPN-1 concurrent connections limits - tuning the table space, hash and memory allocations

In NG versions of VPN-1 product, the concurrent connections limits can be tuned per enforcement module via the Check Point GUI Client interface. In Check Point Gateway Properties > Capacity Optimization, set the supported number of concurrent connections to a maximum you foresee for you VPN-1 installation (allow for a sufficient margin). Also specify the size of the connections hash table as well as the default and maximal enforcement module memory pool sizes. Again, allow for sufficient margins.

For large connection table size, Nokia recommends to set it manually, using the following table:

Table 1 Disk-Based IP Security Platforms

DRAM CP Max Conns CP Max Conns with Web Intelligence Hash Table size Memory Pool Size Max Memory Pool size
256 MB 36,000 2 MB 48 MB 64 MB
512 MB 135,000 39,000 4 MB 196 MB 256 MB
1 GB 360,000 127,000 8 MB 400 MB 512 MB
2 GB 725,000 304,000 16 MB 800 MB 900 MB

Table 2 Flash-Based IP security Platforms:

DRAM CP Max Conns CP Max Conns with Web Intelligence Hash Table size Memory Pool size Max Memory Pool size
512 MB * 90,000 39,000 4 MB 128 MB 196 MB
1 GB 225,000 112,000 8 MB 256 MB 400 MB
2 GB 725,000 304,000 16 MB 800 MB 900 MB

Note: (*) 512MB PCMCIA card required on the IP265 in order to achieve the number (39,000) above.

In case you need to customize these settings, use the following data to determine the exact value as per your need:

Memory Requirements for FireWall-1 NG/NGX

The memory required depends on the kind of connections used:

Assuming the worst case scenario (NAT):

fwhmem = 6mb + 542 * connections_limit

For 100000 connections it is:

6144*1024 + 542*100000 = 60491456 (57.6 MB)

Keep in mind that FireWall-1 doesn't actually release the memory used for a TCP connection until about a minute after the connection ends. You should take this into account when planning how many connections you expect to handle.

IPSO Flows-Specific Suggestions

If you are not using SecureXL and instead using FLOWS- along with adjusting the VPN-1 connections table size, expand the FLOWS tables:

By default, Nokia FLOWS tables canhold up to 131,072 connections without NAT or 65536 NAT-ed connections. To adjust the FLOWS table size do the following (in /var/etc/rc.local):

nokia[admin]# ipsctl -w net:ip:flow:flows_max_nexthops xxx (xxx < 2,097,151)

Security Servers

run several instances of security servers, in case of HTTP security server, in $FWDIR/conf/fwauthd.conf:

80 in.ahttpd wait -4

Along with the change above, increase the per-system open files limit to support 4 HTTP security servers:

nokia[admin]# ipsctl -w kern:maxfiles 16384 (can be added to the /var/etc/rc.local file)

You should also increase the Maximum Segment Size in Nokia IPSO. In IPSO 3.7 and later, the MSS setting can be configured in the Advanced System Tuning page of the System Configuration section of Nokia Network Voyager. The default MSS size is now 1024. Change this to 1460.

No comments: