Checkpoint concurrent sessions and memory calculation / How to define connections capacity for available RAM on Firewall?

How do I make FireWall-1 Support More Connections? (FireWall-1 Performance Tuning)

Product: VPN-1 Power/UTM Version: All Last Modified: 14-Apr-2009

Solution

General Performance Considerations Followings are general recommendations that can significantly improve the VPN-1 performance: Always use the latest versions of Check Point & IPSO versions Place the most commonly accessed rules on top of the rulebase Keep the rulebase small & simple. Reduce the number of rules by combining similar rules together Disable any FireWall-1 implied rules that you do not need If not using VPN (encryption) on the module, make sure the VPN-1 Power product is disabled on that module If using VPN, use AES-128 instead of 3DES or AES-256 To improve VPN performance, use VPN Hardware Accelerator card. Avoid using Domain objects Use Networks instead of address ranges in NAT Disable Decrypt on accept property if not using VPN (encryption) Keep logging to a minimum When LDAP server as user database minimize the number of groups SecureXL/Flows Make sure SecureXL mechanism is enabled. This will optimize the flow of certain types of packets. For more details, refer to KB1354215. nokia[admin]# fwaccel stat Accelerator Status : on Templates : enabled Accelerator Features : Accounting, NAT, Cryptography, Routing, HasClock, Templates, VirtualDefrag, GenerateIcmp, IdleDetection, Sequencing, TcpStateDetect, AutoExpire, DelayedNotif, McastRouting, WireMode Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL, 3DES, DES, ESP, LinkSelection, DynamicVPN, NatTraversal, EncRouting For IPSO 3.8 and above: This can be enabled with cpconfig option to 'Enable Check Point SecureXL' For IPSO-3.7 and IPSO-3.7.1, Make sure FLOWS mechanism is enabled On Nokia console run: nokia[admin]# ipsofwd list net:ip:forward:noforwarding = 0 net:ip:forward:noforwarding_author = fwstart net:ip:forward:switch_mode = flowpath net:ip:forwarding = 1 Note- if switch_mode is not flowpath, then set the switch_mode to FLOWS as below: nokia[admin]# ipsctl -w net:ip:forward:switch_mode "flowpath" Increasing Connections Table Expanding the VPN-1 concurrent connections limits - tuning the table space, hash and memory allocations In NG versions of VPN-1 product, the concurrent connections limits can be tuned per enforcement module via the Check Point GUI Client interface. In Check Point Gateway Properties > Capacity Optimization, set the supported number of concurrent connections to a maximum you foresee for you VPN-1 installation (allow for a sufficient margin). Also specify the size of the connections hash table as well as the default and maximal enforcement module memory pool sizes. Again, allow for sufficient margins. For large connection table size, Nokia recommends to set it manually, using the following table: Table 1 Disk-Based IP Security Platforms DRAM CP Max Conns CP Max Conns with Web Intelligence Hash Table size Memory Pool Size Max Memory Pool size 256 MB 36,000 2 MB 48 MB 64 MB 512 MB 135,000 39,000 4 MB 196 MB 256 MB 1 GB 360,000 127,000 8 MB 400 MB 512 MB 2 GB 725,000 304,000 16 MB 800 MB 900 MB Table 2 Flash-Based IP security Platforms: DRAM CP Max Conns CP Max Conns with Web Intelligence Hash Table size Memory Pool size Max Memory Pool size 512 MB * 90,000 39,000 4 MB 128 MB 196 MB 1 GB 225,000 112,000 8 MB 256 MB 400 MB 2 GB 725,000 304,000 16 MB 800 MB 900 MB Note: (*) 512MB PCMCIA card required on the IP265 in order to achieve the number (39,000) above. In case you need to customize these settings, use the following data to determine the exact value as per your need: Memory Requirements for FireWall-1 NG/NGX The memory required depends on the kind of connections used: For simple connections (accept), overhead_per_connection is ~325 bytes For NAT'ed connections: overhead_per_connection is ~542 bytes For Resources: overhead_per_connection is ~401 bytes For VPN: overhead_per connection is ~399 bytes For general overhead: 6mb Assuming the worst case scenario (NAT): fwhmem = 6mb + 542 * connections_limit For 100000 connections it is: 6144*1024 + 542*100000 = 60491456 (57.6 MB) Keep in mind that FireWall-1 doesn't actually release the memory used for a TCP connection until about a minute after the connection ends. You should take this into account when planning how many connections you expect to handle. IPSO Flows-Specific Suggestions If you are not using SecureXL and instead using FLOWS- along with adjusting the VPN-1 connections table size, expand the FLOWS tables: By default, Nokia FLOWS tables canhold up to 131,072 connections without NAT or 65536 NAT-ed connections. To adjust the FLOWS table size do the following (in /var/etc/rc.local): nokia[admin]# ipsctl -w net:ip:flow:flows_max_nexthops xxx (xxx <> Security Servers run several instances of security servers, in case of HTTP security server, in $FWDIR/conf/fwauthd.conf: 80 in.ahttpd wait -4 Along with the change above, increase the per-system open files limit to support 4 HTTP security servers: nokia[admin]# ipsctl -w kern:maxfiles 16384 (can be added to the /var/etc/rc.localfile) You should also increase the Maximum Segment Size in Nokia IPSO. In IPSO 3.7 and later, the MSS setting can be configured in the Advanced System Tuning page of the System Configuration section of Nokia Network Voyager. The default MSS size is now 1024. Change this to 1460.