General Performance Considerations
The following are general recommendations that can significantly improve VPN-1 performance:
Make sure the SecureXL mechanism is enabled. This optimizes the flow of certain types of packets. For more details, refer to KB1354215.
nokia[admin]# fwaccel stat
Accelerator Status : on
Templates : enabled
Accelerator Features : Accounting, NAT, Cryptography, Routing,
HasClock, Templates, VirtualDefrag, GenerateIcmp,
IdleDetection, Sequencing, TcpStateDetect,
AutoExpire, DelayedNotif, McastRouting,
WireMode
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
3DES, DES, ESP, LinkSelection, DynamicVPN,
NatTraversal, EncRouting
For IPSO 3.8 and above: SecureXL can be enabled with the cpconfig option 'Enable Check Point SecureXL'.
For IPSO 3.7 and IPSO 3.7.1, make sure the FLOWS mechanism is enabled.
On the Nokia console run:
nokia[admin]# ipsofwd list
net:ip:forward:noforwarding = 0
net:ip:forward:noforwarding_author = fwstart
net:ip:forward:switch_mode = flowpath
net:ip:forwarding = 1
Note: if switch_mode is not flowpath, set the switch_mode to FLOWS as follows:
nokia[admin]# ipsctl -w net:ip:forward:switch_mode "flowpath"
Expanding the VPN-1 concurrent connections limits - tuning the table space, hash and memory allocations
In NG versions of the VPN-1 product, the concurrent connections limits can be tuned per enforcement module via the Check Point GUI Client interface. In Check Point Gateway Properties > Capacity Optimization, set the supported number of concurrent connections to the maximum you foresee for your VPN-1 installation (allow for a sufficient margin). Also specify the size of the connections hash table as well as the default and maximal enforcement module memory pool sizes. Again, allow for sufficient margins.
For large connection table sizes, Nokia recommends setting them manually, using the following tables:
Table 1: Disk-Based IP Security Platforms
Table 2: Flash-Based IP Security Platforms
Note: (*) 512MB PCMCIA card required on the IP265 in order to achieve the number (39,000) above.
If you need to customize these settings, use the following data to determine the exact value for your needs:
The memory required depends on the kind of connections used.
Assuming the worst-case scenario (NAT):
fwhmem = 6 MB + 542 * connections_limit
For 100000 connections it is:
6144*1024 + 542*100000 = 60491456 (57.6 MB)
Keep in mind that FireWall-1 doesn't actually release the memory used for a TCP connection until about a minute after the connection ends. You should take this into account when planning how many connections you expect to handle.
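As an added example (not code from the original post or from Check Point/Nokia), a small POSIX sh helper that applies the fwhmem formula above, adds the roughly one-minute retention of closed TCP connections when choosing a limit, and checks `fwaccel stat` output from the SecureXL section for "on"/"enabled". The function names and the embedded sample output are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: helpers for the fwhmem
# formula and for checking 'fwaccel stat' output. Function names and the
# sample output below are constructed for this example.

# Worst-case (NAT) kernel memory in bytes for a connections limit:
#   fwhmem = 6 MB + 542 bytes * connections_limit
fwhmem_bytes() {
    echo $(( 6144 * 1024 + 542 * $1 ))
}

# Same value in MB with one decimal, as the post quotes it (57.6 MB).
fwhmem_mb() {
    t=$(( $(fwhmem_bytes "$1") * 10 / 1048576 ))
    echo "$(( t / 10 )).$(( t % 10 ))"
}

# Connections limit to configure: FireWall-1 keeps a TCP entry for about a
# minute after the connection ends, so closes/second * 60 must be added to
# the steady-state count, plus a margin (percent) as the post advises.
planned_limit() {
    base=$(( $1 + $2 * 60 ))
    echo $(( base + base * $3 / 100 ))
}

# Returns 0 when 'fwaccel stat' output on stdin shows the accelerator on
# and templates enabled, 1 otherwise.
securexl_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^Accelerator Status *: *on' || return 1
    printf '%s\n' "$out" | grep -q '^Templates *: *enabled' || return 1
}

# Constructed sample, shaped like the post's output.
SAMPLE_STAT='Accelerator Status : on
Templates : enabled
Accelerator Features : Accounting, NAT, Cryptography, Routing'

limit=$(planned_limit 50000 500 20)   # 50k steady, 500 closes/s, 20% margin
echo "plan for $limit connections -> fwhmem $(fwhmem_mb "$limit") MB"
echo "post's example: 100000 -> $(fwhmem_bytes 100000) bytes ($(fwhmem_mb 100000) MB)"
if printf '%s\n' "$SAMPLE_STAT" | securexl_ok; then
    echo "SecureXL: on, templates enabled"
else
    echo "SecureXL: not fully enabled, check cpconfig"
fi
```

On a live gateway, pipe the real command into the check: `fwaccel stat | securexl_ok`.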
If you are not using SecureXL but FLOWS instead, then along with adjusting the VPN-1 connections table size, expand the FLOWS tables:
By default, the Nokia FLOWS tables can hold up to 131,072 connections without NAT or 65,536 NAT-ed connections. To adjust the FLOWS table size, run the following (and add it to /var/etc/rc.local):
nokia[admin]# ipsctl -w net:ip:flow:flows_max_nexthops xxx (xxx < 2,097,151)
Run several instances of the security servers. For the HTTP security server, set in $FWDIR/conf/fwauthd.conf:
80 in.ahttpd wait -4
Along with the change above, increase the per-system open files limit to support the 4 HTTP security servers:
nokia[admin]# ipsctl -w kern:maxfiles 16384 (can be added to the /var/etc/rc.local file)
You should also increase the Maximum Segment Size in Nokia IPSO. In IPSO 3.7 and later, the MSS setting can be configured in the Advanced System Tuning page of the System Configuration section of Nokia Network Voyager. The default MSS size is now 1024. Change this to 1460.