Checkpoint concurrent sessions and memory calculation / How to define connections capacity for available RAM on Firewall?

How do I make FireWall-1 Support More Connections? (FireWall-1 Performance Tuning)

Product: VPN-1 Power/UTM
Version: All
Last Modified: 14-Apr-2009

Solution

General Performance Considerations


The following are general recommendations that can significantly improve VPN-1 performance:

  • Always use the latest Check Point and IPSO versions
  • Place the most commonly accessed rules at the top of the rulebase
  • Keep the rulebase small and simple; reduce the number of rules by combining similar rules
  • Disable any FireWall-1 implied rules that you do not need
  • If not using VPN (encryption) on the module, make sure the VPN-1 Power product is disabled on that module
  • If using VPN, use AES-128 instead of 3DES or AES-256
  • To improve VPN performance, use a VPN hardware accelerator card
  • Avoid using Domain objects
  • Use Networks instead of address ranges in NAT
  • Disable the "Decrypt on accept" property if not using VPN (encryption)
  • Keep logging to a minimum
  • When using an LDAP server as the user database, minimize the number of groups


SecureXL/Flows


Make sure the SecureXL mechanism is enabled; it optimizes the flow of certain types of packets. For more details, refer to KB1354215. Check its status with fwaccel stat:

nokia[admin]# fwaccel stat
Accelerator Status : on
Templates : enabled
Accelerator Features : Accounting, NAT, Cryptography, Routing,
                       HasClock, Templates, VirtualDefrag, GenerateIcmp,
                       IdleDetection, Sequencing, TcpStateDetect,
                       AutoExpire, DelayedNotif, McastRouting,
                       WireMode
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
                        3DES, DES, ESP, LinkSelection, DynamicVPN,
                        NatTraversal, EncRouting



For IPSO 3.8 and above: this can be enabled with the cpconfig option 'Enable Check Point SecureXL'.

For IPSO 3.7 and IPSO 3.7.1, make sure the FLOWS mechanism is enabled.

On the Nokia console run:

nokia[admin]# ipsofwd list
net:ip:forward:noforwarding = 0
net:ip:forward:noforwarding_author = fwstart
net:ip:forward:switch_mode = flowpath
net:ip:forwarding = 1

Note: if switch_mode is not flowpath, set switch_mode to flowpath (FLOWS) as below:

nokia[admin]# ipsctl -w net:ip:forward:switch_mode "flowpath"

Increasing Connections Table


Expanding the VPN-1 concurrent connections limits: tuning the table space, hash and memory allocations

In NG versions of the VPN-1 product, the concurrent connections limits can be tuned per enforcement module via the Check Point GUI Client. In Check Point Gateway Properties > Capacity Optimization, set the supported number of concurrent connections to the maximum you foresee for your VPN-1 installation (allow for a sufficient margin). Also specify the size of the connections hash table as well as the default and maximal enforcement module memory pool sizes. Again, allow for sufficient margins.

For large connection table sizes, Nokia recommends setting them manually, using the following tables:


Table 1 Disk-Based IP Security Platforms

DRAM   | CP Max Conns | CP Max Conns with Web Intelligence | Hash Table size | Memory Pool size | Max Memory Pool size
-------|--------------|------------------------------------|-----------------|------------------|---------------------
256 MB | 36,000       |                                    | 2 MB            | 48 MB            | 64 MB
512 MB | 135,000      | 39,000                             | 4 MB            | 196 MB           | 256 MB
1 GB   | 360,000      | 127,000                            | 8 MB            | 400 MB           | 512 MB
2 GB   | 725,000      | 304,000                            | 16 MB           | 800 MB           | 900 MB



Table 2 Flash-Based IP Security Platforms

DRAM     | CP Max Conns | CP Max Conns with Web Intelligence | Hash Table size | Memory Pool size | Max Memory Pool size
---------|--------------|------------------------------------|-----------------|------------------|---------------------
512 MB * | 90,000       | 39,000                             | 4 MB            | 128 MB           | 196 MB
1 GB     | 225,000      | 112,000                            | 8 MB            | 256 MB           | 400 MB
2 GB     | 725,000      | 304,000                            | 16 MB           | 800 MB           | 900 MB


Note: (*) A 512 MB PCMCIA card is required on the IP265 in order to achieve the number (39,000) above.

If you need to customize these settings, use the following data to determine the exact values for your needs:


Memory Requirements for FireWall-1 NG/NGX



The memory required depends on the kind of connections used:

  • For simple connections (accept): overhead_per_connection is ~325 bytes
  • For NAT'ed connections: overhead_per_connection is ~542 bytes
  • For Resources: overhead_per_connection is ~401 bytes
  • For VPN: overhead_per_connection is ~399 bytes
  • General overhead: 6 MB

Assuming the worst case scenario (NAT):

fwhmem = 6 MB + 542 * connections_limit

For 100000 connections it is:

6144*1024 + 542*100000 = 60491456 (57.6 MB)

Keep in mind that FireWall-1 doesn't actually release the memory used for a TCP connection until about a minute after the connection ends. You should take this into account when planning how many connections you expect to handle.
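The calculation above, as an added worked example (not code from the original article): it applies the page's per-connection overheads and the 6 MB general overhead to a mix of connection kinds, and goes beyond the single NAT case by inverting the formula to give the largest connections limit a given memory pool can hold, which is what the page's tables answer for each RAM size. The planned_limit() heuristic for the one-minute release delay is this example's own assumption, not a Check Point figure.

```python
# Added example: FireWall-1 NG/NGX connections-table memory estimate, built from
# the per-connection overheads and the 6 MB general overhead quoted on this page.
MB = 1024 * 1024
GENERAL_OVERHEAD = 6 * MB            # fixed overhead from the page (6144*1024 bytes)
OVERHEAD_PER_CONNECTION = {          # bytes per connection, from the page
    "accept": 325,                   # simple accepted connections
    "nat": 542,                      # NAT'ed connections (worst case)
    "resource": 401,                 # Resource (security server) connections
    "vpn": 399,                      # VPN connections
}


def fwhmem_bytes(counts):
    """Memory needed for a mix of kinds, e.g. {"accept": 50000, "nat": 20000}."""
    return GENERAL_OVERHEAD + sum(
        OVERHEAD_PER_CONNECTION[kind] * n for kind, n in counts.items()
    )


def fwhmem_worst_case(connections_limit):
    """The page's formula: fwhmem = 6 MB + 542 * connections_limit (all NAT)."""
    return fwhmem_bytes({"nat": connections_limit})


def max_connections(pool_bytes, kind="nat"):
    """Inverse: the largest connections limit a memory pool of pool_bytes can hold."""
    if pool_bytes <= GENERAL_OVERHEAD:
        return 0
    return (pool_bytes - GENERAL_OVERHEAD) // OVERHEAD_PER_CONNECTION[kind]


def pool_sufficient(pool_mb, connections_limit, kind="nat"):
    """True if a Capacity Optimization memory pool of pool_mb MB covers the limit."""
    return fwhmem_bytes({kind: connections_limit}) <= pool_mb * MB


def planned_limit(peak_concurrent, closed_per_minute):
    """Assumption (this example's own): memory for a TCP connection is held about
    a minute after it ends, so plan for peak concurrent plus closures per minute."""
    return peak_concurrent + closed_per_minute


if __name__ == "__main__":
    need = fwhmem_worst_case(100_000)
    print(f"100000 NAT connections: {need} bytes ({need / MB:.1f} MB)")
    print("fits in a 64 MB max pool:", pool_sufficient(64, 100_000))
    print("max NAT connections in a 400 MB pool:", max_connections(400 * MB))
```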


IPSO Flows-Specific Suggestions



If you are not using SecureXL and are instead using FLOWS, then along with adjusting the VPN-1 connections table size, expand the FLOWS tables.

By default, Nokia FLOWS tables can hold up to 131,072 connections without NAT or 65,536 NAT'ed connections. To adjust the FLOWS table size, do the following (in /var/etc/rc.local):



nokia[admin]# ipsctl -w net:ip:flow:flows_max_nexthops xxx (xxx <>



Security Servers




Run several instances of the security servers. For the HTTP security server, in $FWDIR/conf/fwauthd.conf:

80 in.ahttpd wait -4

Along with the change above, increase the per-system open files limit to support 4 HTTP security servers:

nokia[admin]# ipsctl -w kern:maxfiles 16384 (can be added to the /var/etc/rc.local file)



You should also increase the Maximum Segment Size in Nokia IPSO. In IPSO 3.7 and later, the MSS setting can be configured in the Advanced System Tuning page of the System Configuration section of Nokia Network Voyager. The default MSS size is now 1024. Change this to 1460.
