Performance Pack Administration Guide Version R70 March 8, 2009 TM

CP R70 Performance Pack Admin Guide


© 2003-2009 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Please refer to http://www.checkpoint.com/copyright.html for a list of our trademarks

For third party notices, see http://www.checkpoint.com/3rd_party_copyright.html.


Contents

Preface
    Who Should Use This Guide
    Summary of Contents
    Related Documentation
    More Information
    Feedback

Chapter 1 Introduction to Performance Pack
    Overview
    Release Notes

Chapter 2 Getting Started
    Performance Pack R70 System Requirements
        Minimum System Requirements
        Recommended System Options
    Performance Pack Recommended Platform Configuration
    Preparing the Performance Pack R70 Machine
        BIOS Settings
        Network Interface Cards location
        Installing Performance Pack
        Upgrading Performance Pack

Chapter 3 Command Line
    fwaccel
        fwaccel stats
    cpconfig
    sim affinity
    proc entries

Chapter 4 Performance Tuning and Measurement
    Performance Tuning
        Amount of Concurrent Connections and Hash Size
        SecureXL Templates
        Delayed Notification
        Connection Templates
        Delayed Synchronization
        Multi-Core Systems
    Performance Measurement
        TCP State and Benchmarking
        Non-accelerated traffic analysis
        Performance Troubleshooting


Preface

In This Chapter

Who Should Use This Guide
Summary of Contents
Related Documentation
More Information
Feedback

Who Should Use This Guide

This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support.

This guide assumes a basic understanding of:

• System administration

• The underlying operating system

• Internet protocols (IP, TCP, UDP etc.)

Summary of Contents

This document describes how to install and configure Performance Pack. Additionally, it shows you how to get the best possible performance using Performance Pack.

Chapter                                             Description
Chapter 1, “Introduction to Performance Pack”       Contains a general description of Performance Pack.
Chapter 2, “Getting Started”                        Describes system requirements, recommended platforms and how to prepare for the R70 Machine.
Chapter 3, “Command Line”                           Contains explanations of the Performance Pack commands.
Chapter 4, “Performance Tuning and Measurement”     Describes Performance Pack Tuning and Measurement.

Related Documentation

This release includes the following documentation.

TABLE P-1 Check Point Documentation

Title                                                    Description
Internet Security Installation and Upgrade Guide         Contains detailed installation instructions for Check Point network security products. Explains the available upgrade paths from versions R60 to the current version.
High-End Installation and Upgrade Guide                  Contains detailed installation instructions for the Provider-1 and VSX products, including hardware and software requirements and licensing requirements. Explains all upgrade paths for Check Point products specifically geared towards upgrading to the current version.
Security Management Administration Guide                 Explains Security Management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments.
Firewall Administration Guide                            Describes how to control and secure network access and VoIP traffic; how to use integrated web security capabilities; and how to optimize Application Intelligence with capabilities such as Content Vectoring Protocol (CVP) applications, URL Filtering (UFP) applications.
IPS Administration Guide                                 Describes how to use IPS to protect against attacks.
Virtual Private Networks Administration Guide            Describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.
Eventia Reporter Administration Guide                    Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point Security Gateways, SecureClient and IPS.
SecurePlatform/SecurePlatform Pro Administration Guide   Explains how to install and configure SecurePlatform. This guide will also teach you how to manage your SecurePlatform machine and explains Dynamic Routing (Unicast and Multicast) protocols.
Provider-1/SiteManager-1 Administration Guide            Explains the Provider-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments.

More Information

• For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at http://support.checkpoint.com.

• To view the latest version of this document in the Check Point User Center, go to: http://support.checkpoint.com.

Feedback

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to:

[email protected]


Chapter 1 Introduction to Performance Pack

In This Chapter

Overview
Release Notes

Overview

Performance Pack is supported on SecurePlatform. Performance Pack is a software acceleration product installed as an add-on to Check Point Security Gateway. Performance Pack significantly enhances and improves the performance of Security Gateway.

Performance Pack uses Check Point’s SecureXL technology and other innovative network acceleration techniques, to deliver wire-speed performance for Security Gateway. Moreover, it accelerates key security functions, thereby ensuring your organization the best security with the best performance available on an open platform.

Supported security functions include:

• Access control.

• Encryption.

• NAT.

• Accounting and logging.

• Connection/session rate.

• General security checks.

• IPS features.

• CIFS resources.

• ClusterXL High Availability and Load Sharing.

• TCP Sequence Verification.

• Dynamic VPN

• Anti Spoofing verifications

• Passive streaming

• Drop rate

Release Notes

The latest Release Notes for Performance Pack can be found at:

http://support.checkpoint.com


Chapter 2 Getting Started

In This Chapter

Performance Pack R70 System Requirements
Performance Pack Recommended Platform Configuration
Preparing the Performance Pack R70 Machine


Performance Pack R70 System Requirements

Performance Pack accelerates the performance of Security Gateway on:

• Hardware supported by SecurePlatform

Following are the minimum recommended requirements:

Minimum System Requirements

The following are the minimum system requirements:

Table 2-1 Minimum System Requirements

Operating Systems     SecurePlatform R70
CPU                   See: Hardware Compatibility List for SecurePlatform R70
Disk Space            80 MB
Memory                4 GB
Network Interfaces    Network Interfaces supported by Security Gateway:
                      • GEM Ethernet NIC
                      • 10/100 QuadEthernet NIC
                      • GigaSwift NIC
                      • Sun HME 10/100 Ethernet NIC
                      • BGE

Recommended System Options

The following system options are recommended for optimal performance:

Table 2-2 Recommended system options

Operating Systems     SecurePlatform R70
CPU                   Dual Intel Xeon or Dual SPARC 64 bit
Disk Space            400 MB
Memory                4 GB or more
Network Interfaces    SecurePlatform R70: Intel Pro 1000 MF/MT
Bus Technology        At least two 64-bit/66 MHz PCI buses, ServerWorks or Intel E7500 Chipset


Performance Pack Recommended Platform Configuration

It is recommended you use Performance Pack on a platform configured with a Dual-Core Intel Xeon Processor 5160 (3.00 GHz, 333 MHz FSB, 2x2 MB L2 Cache), with 667 MHz RAM, or better configuration.

Examples of platforms with such configurations are:

• IBM System 3650

• HP Proliant DL-380 G5

• Dell PowerEdge 1950 or PowerEdge 2950

Please refer to the latest Performance Pack release notes for additional information on hardware support, limitations and recommendations.


Preparing the Performance Pack R70 Machine

For optimal performance, appropriate configuration settings are recommended for the following:

• BIOS Settings

• Network Interface Cards

BIOS Settings

• If your BIOS supports CPU clock setting, make sure that the BIOS is set to the actual CPU speed.

• If you are running Performance Pack on a machine with Intel Xeon CPUs, it is recommended to disable Hyper-Threading.

Network Interface Cards location

• If you are using a motherboard with multiple PCI or PCI-X buses, make sure that each Network Interface Card is installed in a slot connected to a different bus.

• If you are using more than two Network Interface Cards in a system with only two 64-bit/66 MHz PCI buses, make sure that the least-used cards are installed in slots connected to the same bus.

Installing Performance Pack

Installing During a New Security Gateway Installation

During the Check Point SecurePlatform installation process, select the following products from the list of products to install:

• Security Gateway

• Performance Pack

Note - Performance Pack is automatically disabled on PPTP and PPPoE interfaces.

Installing on an Already Installed Security Gateway

1. Type sysconfig to enter the configuration menu.

2. Select Products Installation.

3. Follow the instructions until reaching the product selection screen.

4. Select Performance Pack.

5. Follow the instructions until finished.

6. Exit the configuration menu.

7. Reboot the gateway.

Installing on an Already Installed Security Gateway with HFA

1. Type sysconfig to enter the configuration menu.

2. Select Products Installation.

3. Follow the instructions until reaching the product selection screen.

4. Select Performance Pack.

5. Follow the instructions until finished.

6. Select Products Configuration.

7. Disable Check Point SecureXL.

8. Exit the configuration menu.

9. Reboot the gateway.

10. Upgrade the Performance Pack using SmartUpdate or from command line. For more information, see “Upgrading Performance Pack” on page 24.

Upgrading Performance Pack

Upgrading via SmartUpdate (Recommended)

1. Select SmartUpdate from Check Point SmartConsole.

2. From the Packages menu, select Add > From File….

3. Select the HFA package and wait until the upload has finished.

4. From the Package Repository, select the Performance Pack package and drag it to the appropriate gateway.

5. Follow the instructions until finished.

Upgrading via the Command Line

1. Change to the directory where the HFA file (.tgz) is located.

2. Type the following command to extract the HFA file:

tar -xzvf <HFA file>

3. Change to the CPppak directory.

4. Type the following command to extract the sim HFA file:

tar -xzvf <sim HFA file>

5. Run the sim hot fix.


Chapter 3 Command Line

In This Chapter

fwaccel
cpconfig
sim affinity
proc entries

fwaccel

The fwaccel utility allows you to enable or disable acceleration dynamically while Security Gateway is running. The default setting is determined by the setting configured with cpconfig (see “cpconfig” on page 32). This setting reverts to the default after reboot.

Usage

fwaccel [on|off|stat|stats|conns|templates]

Parameters

Table 3-1 fwaccel parameters

Parameter                   Explanation
on                          Start acceleration
off                         Stop acceleration
stat                        Display the acceleration device status and the status of the Connection Templates on the local Security Gateway.
stats                       Displays acceleration statistics.
stats -s                    Displays more summarized statistics.
stats -d                    Displays dropped packet statistics.
conns                       Displays all connections.
conns -s                    Displays the number of connections currently defined in the accelerator.
conns -m <max_entries>      Limits the number of connections displayed by the conns command to the number entered in the variable max_entries.
templates                   Display all connection templates.
templates -d                Displays all drop templates; each template is assembled from four range indexes. To see the mapping between a range index and the range itself, use the command "sim ranges -a" (output is printed to /var/log/messages).
templates -m max_entries    Limits the number of templates displayed by the templates command to the number entered in the variable max_entries.
templates -s                Displays the number of templates currently defined in the accelerator.

fwaccel stats

The fwaccel stats command provides performance statistics. These values can help you understand traffic behavior and help you to investigate performance issues.

Table 3-2 fwaccel stats Statistics

Statistic parameter     Explanation
conns created           Number of created connections
conns deleted           Number of deleted connections
temporary conns         Number of temporary connections
templates               Number of templates currently handled
nat conns               Number of NAT connections
accel packets           Number of accelerated packets
accel bytes             Number of accelerated traffic bytes
F2F packets             Number of packets handled by the VPN kernel in slow-path
ESP enc pkts            Number of ESP encrypted packets
ESP enc err             Number of ESP encrypted errors
ESP dec pkts            Number of ESP decrypted packets
ESP dec err             Number of ESP decrypted errors
ESP other err           Number of ESP other general errors
espudp enc pkts         Not in use
espudp enc err          Not in use
espudp dec pkts         Not in use
espudp dec err          Not in use
espudp other err        Not in use
AH enc pkts             Not in use
AH enc err              Not in use
AH dec pkts             Not in use
AH dec err              Not in use
AH other err            Not in use
memory used             Not in use
free memory             Not in use
acct update interval    Accounting update interval in seconds
current total conns     Number of connections currently handled
TCP violations          Number of packets which are in violation of the TCP state
conns from templates    Number of connections created from templates
TCP conns               Number of TCP connections currently handled
delayed TCP conns       Number of delayed TCP connections currently handled
non TCP conns           Number of non TCP connections currently handled
delayed nonTCP conns    Number of delayed non TCP connections currently handled
F2F conns               Number of connections currently handled by the VPN kernel in slow-path
F2F bytes               Number of traffic bytes handled by the VPN kernel in slow-path
crypt conns             Number of encrypted connections currently handled
enc bytes               Number of encrypted traffic bytes
dec bytes               Number of decrypted traffic bytes
partial conns           Number of partial connections currently handled
anticipated conns       Number of anticipated connections currently handled
dropped packets         Number of dropped packets
dropped bytes           Number of dropped traffic bytes
nat templates           Not in use
port alloc templates    Not in use
conns from nat tmpl     Not in use
port alloc conns        Not in use
port alloc f2f          Not in use
PXL templates           Number of PXL templates
PXL conns               Number of PXL connections
PXL packets             Number of PXL packets
PXL bytes               Number of PXL traffic bytes
PXL async packets       Number of PXL packets handled asynchronously

cpconfig

Check Point products are configured using the cpconfig utility. When run, this utility displays a screen with the configuration options. The options that are displayed depend on the installed configuration and product(s). You can use cpconfig to enable or disable Performance Pack. Once you have selected an acceleration setting, the setting remains configured until you choose to change it on another occasion. In other words, the settings that you define will remain even after the machine is rebooted. For an alternative method to enable or disable acceleration, see “fwaccel” on page 28.

Usage

Execute cpconfig by entering the following command:

cpconfig

An interactive menu will be displayed providing you with the option to enable or disable the acceleration by selecting Enable/Disable Check Point SecureXL. Select Enable in order to enable acceleration. Select Disable in order to disable acceleration.

sim affinity

The sim affinity utility controls various Performance Pack driver features and applies only for SecurePlatform.

Usage

sim affinity [-a|-s|-l]

Parameters

Affinity is a general term for binding Network Interface Card (NIC) interrupts to processors. By default, SecurePlatform does not set Affinity to the NIC interrupts, which means that each NIC is handled by all processors. Optimal network performance is obtained when each NIC is individually bound to a single processor. To achieve the above, the sim utility includes an Affinity feature, which has the following operation modes:

Table 3-3 sim Affinity operation modes

Option    Explanation
-a        Automatic Mode — the Affinity is determined automatically, by analyzing the load on each NIC. If the NICs are not loaded, the Affinity will not be set. This is the default Affinity operation mode, in which the Affinity is re-tuned every 60 seconds.
-s        Manual Mode — allows you to manually specify the Affinity settings. For each interface, you will be asked to enter one of the following:
          • A space-separated list of the processor numbers that are to handle this interface, or
          • The word all, to allow all processors to handle this interface.
          When setting the Affinity manually, the periodic automatic check will be disabled. After booting, it will remain disabled and the Affinity settings entered manually will be applied.
-l        View a list of the current Affinity settings.

proc entries

Performance Pack supports SecurePlatform proc entries. These entries are used to display information about the Performance Pack.

The proc entries are read-only entries. They cannot be configured. The proc entries are located under /proc/ppk.

Usage

cat /proc/ppk/[conf|ifs|statistics|drop statistics]

Parameters

Table 3-4 /proc Parameters

Parameter          Explanation
conf               Displays the Performance Pack Configuration.
ifs                Lists the interfaces to which Performance Pack is attached.
statistics         Displays general Performance Pack statistics.
drop statistics    Displays Performance Pack dropped packet statistics.

Chapter 4 Performance Tuning and Measurement

In This Chapter

Performance Tuning
Performance Measurement

Performance Tuning

In This Section

Amount of Concurrent Connections and Hash Size
SecureXL Templates
Delayed Notification
Connection Templates
Delayed Synchronization
Multi-Core Systems

Amount of Concurrent Connections and Hash Size

Setting the Maximal Concurrent Connections

To set the desired number of maximal concurrent connections, open SmartDashboard’s Gateway Object Properties window and proceed as follows:

1. Open the Capacity Optimization tab. Make sure that Calculate connections hash table size and memory pool is set to Automatically.

2. Set the desired amount of concurrent connections in the Maximum Concurrent Connections field.

Increasing the Number of Concurrent Connections

You can increase the actual number of concurrent connections by reducing the timeout of TCP and UDP sessions:

• TCP end timeout determines the amount of time a TCP connection will stay in the FireWall connection table after a TCP session has ended.

• UDP virtual session timeout determines the amount of time a UDP connection will stay in the FireWall connection table after the last UDP packet was seen by the gateway.

By reducing the above values, the capacity of actual TCP and UDP connections is increased.

SecureXL Templates

Verify that templates are not disabled using the fwaccel stat command.

For further information regarding SecureXL Templates, see sk32578 at http://supportcontent.checkpoint.com/solutions?id=sk32578.

Delayed Notification

In the ClusterXL configuration, the Delayed Notification feature is disabled by default. Enabling this feature improves performance (at the cost of connections' redundancy, which can be tuned using delayed notifications expiration timeout).

The fwaccel stats command indicates the number of delayed connections.

The fwaccel templates command indicates the delayed time for each template under the DLY entry.

Connection Templates

General

Connection templates are generated from active connections according to the policy rules. The connection template feature accelerates the speed at which a connection is established by matching a new connection to a set of attributes. When a new connection matches the template, connections are established without performing a rule match and therefore are accelerated. Currently, connection template acceleration is performed only on connections with the same destination port.

Examples:

• A connection from 10.0.0.1/2000 to 11.0.0.1/80 — established through Firewall and then accelerated.

• A connection from 10.0.0.1/2001 to 11.0.0.1/80 — fully accelerated (including connection establishment).

• A connection from 10.0.0.1/8000 to 11.0.0.1/80 — fully accelerated (including connection establishment).

HTTP GET requests to a specific server will be accelerated, since the connections have the same source IP address.

Restrictions

In general, Connection Templates will be created only for plain UDP or TCP connections. The following restrictions apply for Connection Template generation:

Global restrictions:

• SYN Defender — Connection Templates for TCP connections will not be created.

• NAT connections.

• VPN connections.

• Complex connections (H323, FTP, SQL).

• NetQuotas.

• ISN Spoofing.

If the Rule Base contains a rule regarding one of the following components, the Connection Templates will be disabled for connections matching this rule, and for all of the following rules:

• Security Server connections.

• Services with source port range.

• Time objects in the rules.

• Dynamic Objects and/or Domain Objects.

• Services of type “other” with a match expression.

• User/Client/Session Authentication actions.

• Services of type RPC/DCERPC/DCOM.

When installing a policy containing restricted rules, you will receive console messages indicating that Connection Templates will not be created due to the rules that have been defined. The warnings should be used as a recommendation that will assist you to fine-tune your policy in order to optimize performance.
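
The template matching and the rule-order restriction described above, modelled as an added example (not Check Point code and not part of the original guide). The Rule and Gateway classes, the feature labels, the port-only rule match and the template key of source IP, destination IP, destination port and protocol are assumptions made for illustration; the key is inferred from the three sample connections in the General section.

```python
from dataclasses import dataclass, field

# Rule features that, per the restrictions above, disable Connection
# Templates for the matching rule and for every rule after it.
# The labels are this example's own names, not product identifiers.
TEMPLATE_BLOCKERS = frozenset({
    "security_server", "source_port_range", "time_object",
    "dynamic_or_domain_object", "other_service_with_match",
    "authentication_action", "rpc_service",
})


@dataclass
class Rule:
    number: int                      # position in the Rule Base
    dst_port: int                    # simplified match: destination port only
    features: set = field(default_factory=set)


def first_blocking_rule(rules):
    """Return the number of the first rule that disables templates, or None."""
    for rule in rules:
        if rule.features & TEMPLATE_BLOCKERS:
            return rule.number
    return None


class Gateway:
    """Toy model of connection establishment with Connection Templates."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.cutoff = first_blocking_rule(self.rules)
        self.templates = set()

    def connect(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        """Return how the connection was established."""
        # The source port is deliberately left out of the key (assumption).
        key = (src_ip, dst_ip, dst_port, proto)
        if key in self.templates:
            return "template"        # no rule match performed
        rule = next((r for r in self.rules if r.dst_port == dst_port), None)
        if rule is None:
            return "dropped"         # the model's implicit cleanup rule
        if self.cutoff is None or rule.number < self.cutoff:
            self.templates.add(key)  # later connections skip the rule match
        return "firewall"


def demo():
    """Replay the page's three connections, then show the rule-order effect."""
    rules = [Rule(1, 80), Rule(2, 443, {"time_object"}), Rule(3, 25)]
    gw = Gateway(rules)
    web = [gw.connect("10.0.0.1", p, "11.0.0.1", 80) for p in (2000, 2001, 8000)]
    # Rule 3 is plain TCP but sits below the rule with the time object,
    # so it never gets a template.
    smtp = [gw.connect("10.0.0.1", p, "11.0.0.1", 25) for p in (3000, 3001)]
    # Moving the rule with the time object to the bottom re-enables
    # templates for the SMTP rule.
    reordered = Gateway([Rule(1, 80), Rule(2, 25), Rule(3, 443, {"time_object"})])
    smtp_fixed = [reordered.connect("10.0.0.1", p, "11.0.0.1", 25)
                  for p in (3000, 3001)]
    return {"cutoff": gw.cutoff, "web": web, "smtp": smtp, "smtp_fixed": smtp_fixed}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In this model, placing rules with restricted components as low in the Rule Base as the policy allows keeps templates available for the plain TCP and UDP rules above them.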

Testing

To verify that connection templates are enabled, use the fwaccel stat command. To verify that connection templates are generated, use fwaccel templates. This should be done while traffic is running, in order to obtain a list of currently defined templates.

Delayed Synchronization

The synchronization mechanism guarantees High Availability. In a cluster configuration, if one cluster member fails, the other recognizes the connection failure and takes over, so the user does not experience any connectivity issue. However, there is an overhead per synchronized operation, which can occasionally cause a system slow-down when there are short sessions.

Delayed synchronization is a mechanism based upon the duration of the connection, with the duration itself used to determine whether or not to perform synchronization. A time range can be defined per service. The time range indicates that connections terminated before a specified expiration time will not be synchronized. As a result, synchronized traffic is reduced and overall performance increases. Delayed Synchronization is performed only for connections matching a connection template.

Currently, delayed synchronization is allowed only for services of type HTTP or None. In order to configure delayed synchronization, proceed as follows:

1. In SmartDashboard, right click on the Service tab.

2. Either edit an existing service or click New and select TCP. The TCP service properties window is shown.

3. After defining TCP parameters, click Advanced in the TCP service properties window. The Advanced TCP Service Properties window is shown.

4. Select the HTTP or None protocol from the Protocol Type list.

5. Check Start synchronizing.

6. Define the duration value Seconds after connection initiation. The duration value is specified in seconds.

Note - Delayed synchronization is disabled if the log or account are enabled.

Multi-Core Systems

Running Performance Pack on multi-core systems may require more advanced configurations to account for core affinity and IRQ behavior. For more information, see sk33250 at http://supportcontent.checkpoint.com/solutions?id=sk33250.


Performance Measurement

TCP State and Benchmarking

Certain testing applications (SmartBits or Chariot) generate invalid TCP sequences. The Security Gateway’s TCP state check detects these faulty sequences, and drops the packets. As a result, the benchmark fails. Since these TCP sequences are invalid, they may affect overall Firewall performance.

To disable this type of TCP state check, perform the following operations in SmartDashboard:

1. In the IPS tab, select Protections > By Protocol > Network Security > TCP > Sequence Verifier.

2. Select the profile assigned to your gateway and click Edit.

3. In the Action field, select Inactive.

4. Click OK to close the Protections Settings window.

5. Click OK to close the Protections Details window.

6. Click Install Policy to apply the changes.

Non-accelerated traffic analysis

Use the fwaccel stats command to verify the amount of non-accelerated traffic compared to accelerated traffic.

Use the sim dbg + f2f command to understand the possible reasons for the non-accelerated traffic.
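
One way to make that comparison from saved fwaccel stats output, as an added example (not a Check Point tool and not part of the original guide). The two-column "Name Value" layout of the sample, its constructed counter values and the 25% review threshold are assumptions; the statistic names are those listed in Table 3-2.

```python
# Constructed sample in the two-column "Name Value  Name Value" layout this
# example assumes for `fwaccel stats`; all numbers are made up.
SAMPLE = """\
Name                  Value               Name                  Value
--------------------  ---------------     --------------------  ---------------
conns created                    120000   conns deleted                   118500
temporary conns                       0   templates                           42
nat conns                             0   accel packets                  9000000
accel bytes                  7200000000   F2F packets                    1000000
TCP violations                       15   conns from templates             90000
F2F conns                           300   F2F bytes                    400000000
dropped packets                    2500   dropped bytes                   150000
"""


def parse_stats(text):
    """Return {statistic name: int} from fwaccel-stats-style text.

    Names may contain several words ("conns from templates"), so tokens are
    collected until a purely numeric token closes the pair. Header and
    separator lines contain no numeric token and are skipped naturally.
    """
    stats = {}
    for line in text.splitlines():
        name = []
        for token in line.split():
            if token.isdigit():
                if name:
                    stats[" ".join(name)] = int(token)
                name = []
            else:
                name.append(token)
    return stats


def share(part, whole):
    """part / whole, or 0.0 when there has been no traffic at all."""
    return part / whole if whole else 0.0


def acceleration_report(stats, max_f2f_share=0.25):
    """Summarise accelerated versus slow-path (F2F) traffic.

    max_f2f_share is a hypothetical review threshold, not a vendor value.
    """
    accel_pkts = stats.get("accel packets", 0)
    f2f_pkts = stats.get("F2F packets", 0)
    accel_bytes = stats.get("accel bytes", 0)
    f2f_bytes = stats.get("F2F bytes", 0)
    report = {
        "f2f_packet_share": share(f2f_pkts, accel_pkts + f2f_pkts),
        "f2f_byte_share": share(f2f_bytes, accel_bytes + f2f_bytes),
        "template_conn_share": share(stats.get("conns from templates", 0),
                                     stats.get("conns created", 0)),
        "tcp_violations": stats.get("TCP violations", 0),
    }
    # A high slow-path share is the cue to look for the reasons with
    # `sim dbg + f2f`, as described above.
    report["investigate"] = report["f2f_packet_share"] > max_f2f_share
    return report


if __name__ == "__main__":
    for key, value in acceleration_report(parse_stats(SAMPLE)).items():
        print(f"{key:22} {value}")
```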

Performance Troubleshooting

Additional CLI commands, such as ethtool, are available to monitor the performance of the gateway. For a list of these commands and explanation of their usage, see sk33781 at http://supportcontent.checkpoint.com/solutions?id=sk33781.