Solution
General Performance Considerations
The following are general recommendations that can significantly improve VPN-1 performance:
SecureXL/Flows
Make sure the SecureXL mechanism is enabled. This optimizes the flow of certain types of packets. For more details, refer to KB1354215.
For IPSO 3.8 and above, SecureXL can be enabled with the cpconfig option 'Enable Check Point SecureXL'.
For IPSO 3.7 and IPSO 3.7.1, make sure the FLOWS mechanism is enabled. On the Nokia console run:
nokia[admin]# ipsofwd list
Note: if switch_mode is not flowpath, set switch_mode to FLOWS as below:
nokia[admin]# ipsctl -w net:ip:forward:switch_mode "flowpath"

Increasing the Connections Table
Expanding the VPN-1 concurrent connections limit: tuning the table space, hash and memory allocations.
In NG versions of the VPN-1 product, the concurrent connections limit can be tuned per enforcement module via the Check Point GUI client. In Check Point Gateway Properties > Capacity Optimization, set the supported number of concurrent connections to the maximum you foresee for your VPN-1 installation (allow for a sufficient margin). Also specify the size of the connections hash table as well as the default and maximum enforcement module memory pool sizes. Again, allow for sufficient margins.
For a large connections table size, Nokia recommends setting it manually, using the following tables:
Table 1 Disk-Based IP Security Platforms
Table 2 Flash-Based IP Security Platforms:
Note: (*) A 512MB PCMCIA card is required on the IP265 in order to achieve the number (39,000) above.
If you need to customize these settings, use the following data to determine the exact value for your needs:

Memory Requirements for FireWall-1 NG/NGX
The memory required depends on the kind of connections used:
fwhmem = 6mb + 542 * connections_limit
For 100000 connections this is: 6144*1024 + 542*100000 = 60491456 (57.6 MB)
Keep in mind that FireWall-1 does not actually release the memory used for a TCP connection until about a minute after the connection ends. Take this into account when planning how many connections you expect to handle.

IPSO FLOWS-Specific Suggestions
If you are not using SecureXL but FLOWS instead, then along with adjusting the VPN-1 connections table size, expand the FLOWS tables. By default, the Nokia FLOWS tables can hold up to 131,072 connections without NAT or 65,536 NAT-ed connections. To adjust the FLOWS table size, do the following (in /var/etc/rc.local):
Security Servers
Run several instances of the security servers. For the HTTP security server, in $FWDIR/conf/fwauthd.conf:
80 in.ahttpd wait -4
Along with the change above, increase the per-system open files limit to support 4 HTTP security servers:
You should also increase the Maximum Segment Size (MSS) in Nokia IPSO. In IPSO 3.7 and later, the MSS setting can be configured in the Advanced System Tuning page of the System Configuration section of Nokia Network Voyager. The default MSS size is now 1024. Change this to 1460.
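The fwhmem formula from the memory-requirements section above, worked both ways (memory for a given limit, and the largest limit that fits in the RAM you can give the table) as an added example that is not part of the original post. The 6 MB base, the 542 bytes per connection and the one-minute TCP linger are the page's figures; the function names, the headroom margin and the sample sizing numbers are assumptions.

```python
# Added example (not from the original post): Check Point FireWall-1 NG/NGX
# connections-table sizing from the page's formula
#   fwhmem = 6mb + 542 * connections_limit
# Base size and per-connection cost are the page's figures; the 60-second
# linger for closed TCP connections is the page's rule of thumb. Function
# names, the margin parameter and the sample inputs below are assumed.

FWHMEM_BASE_BYTES = 6144 * 1024   # "6mb" exactly as the page computes it
BYTES_PER_CONNECTION = 542
TCP_LINGER_SECONDS = 60           # memory held ~1 minute after a TCP connection ends


def fw_memory_bytes(connections_limit: int) -> int:
    """Bytes the connections table needs for a given connections_limit."""
    if connections_limit < 0:
        raise ValueError("connections_limit must be >= 0")
    return FWHMEM_BASE_BYTES + BYTES_PER_CONNECTION * connections_limit


def max_connections_for_ram(available_bytes: int, margin: float = 0.0) -> int:
    """Inverse of fw_memory_bytes: the largest connections_limit that fits in
    the RAM dedicated to fwhmem after reserving `margin` (0.0 to <1.0) as the
    headroom the page asks for. Returns 0 if even the 6 MB base does not fit."""
    if not 0.0 <= margin < 1.0:
        raise ValueError("margin must be in [0, 1)")
    usable = int(available_bytes * (1.0 - margin)) - FWHMEM_BASE_BYTES
    return max(0, usable // BYTES_PER_CONNECTION)


def effective_concurrent(steady_state: int, tcp_closes_per_second: float) -> int:
    """What the table really holds: steady-state connections plus the TCP
    connections that ended in the last minute but are still charged."""
    return steady_state + int(tcp_closes_per_second * TCP_LINGER_SECONDS)


def mebibytes(n_bytes: int) -> float:
    """MiB truncated to one decimal, matching the page's 57.6 MB figure."""
    return int(n_bytes * 10 / (1024 * 1024)) / 10


if __name__ == "__main__":
    # The page's own worked figure: 100000 connections -> 60491456 bytes (57.6 MB)
    print(fw_memory_bytes(100_000), mebibytes(fw_memory_bytes(100_000)))
    # Constructed sizing case: 512 MiB available for the table with 20% headroom,
    # 40000 steady-state connections and 300 TCP closes per second.
    ram = 512 * 1024 * 1024
    print(max_connections_for_ram(ram, margin=0.2))
    print(effective_concurrent(40_000, 300))
```

Size the Capacity Optimization limit from effective_concurrent, not from the steady-state count alone, or the lingering closed connections eat the margin you planned.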
Checkpoint concurrent sessions and memory calculation / How to define connections capacity for available RAM on Firewall?
5/27/2010 05:16:00 AM
Posted by MK | Filed Under Checkpoint | 1 Comments
Comments
your post is really too informative.. and interesting..