Performance Pack

TM

Administration Guide Version R70

March 8, 2009

 2003-2009 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
Please refer to http://www.checkpoint.com/copyright.html for a list of our trademarks For third party notices, see http://www.checkpoint.com/3rd_party_copyright.html.

Contents
Preface
Who Should Use This Guide................................................................................ 8 Summary of Contents ......................................................................................... 9 Related Documentation .................................................................................... 10 More Information ............................................................................................. 12 Feedback ........................................................................................................ 13

Chapter 1

Introduction to Performance Pack

Overview ......................................................................................................... 16 Release Notes ................................................................................................. 17

Chapter 2

Getting Started
Performance Pack R70 System Requirements .................................................... 20 Minimum System Requirements ................................................................... 20 Recommended System Options .................................................................... 21 Performance Pack Recommended Platform Configuration .................................... 22 Preparing the Performance Pack R70 Machine ................................................... 23 BIOS Settings............................................................................................. 23 Network Interface Cards location .................................................................. 23 Installing Performance Pack ........................................................................ 23 Upgrading Performance Pack ....................................................................... 24

Chapter 3

Command Line
fwaccel ........................................................................................................... 28 fwaccel stats .............................................................................................. 29 cpconfig ......................................................................................................... 32 sim affinity...................................................................................................... 32 proc entries..................................................................................................... 34

Chapter 4

Performance Tuning and Measurement

Performance Tuning......................................................................................... 36 Amount of Concurrent Connections and Hash Size ......................................... 36 SecureXL Templates ................................................................................... 37 Delayed Notification.................................................................................... 37 Connection Templates ................................................................................. 37 Delayed Synchronization.............................................................................. 39 Multi-Core Systems ..................................................................................... 39 Performance Measurement ............................................................................... 40 TCP State and Benchmarking....................................................................... 40 Non-accelerated traffic analysis.................................................................... 40 Performance Troubleshooting ....................................................................... 40

Table of Contents

Preface
Preface

P
page 8 page 9 page 10 page 12 page 13

In This Chapter
Who Should Use This Guide Summary of Contents Related Documentation More Information Feedback

Who Should Use This Guide

Who Should Use This Guide

This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support. This guide assumes a basic understanding of: System administration The underlying operating system Internet protocols (IP, TCP, UDP etc.)

Summary of Contents

Summary of Contents
This document describes how to install and configure Performance Pack. Additionally, it shows you how to get the best possible performance using Performance Pack.. Chapter Chapter 1, Introduction to Performance Pack Chapter 2, Getting Started Description Contains a general description of Performance Pack. Describes system requirements, recommended platforms and how to prepare for the R70 Machine. Contains explanations of the Performance Pack commands. Describes Performance Pack Tuning and Measurement.

Chapter 3, Command Line Chapter 4, Performance Tuning and Measurement

Preface

Related Documentation

Related Documentation
This release includes the following documentation.
TABLE P-1 Check Point Documentation

Title Internet Security Installation and Upgrade Guide High-End Installation and Upgrade Guide

Description Contains detailed installation instructions for Check Point network security products. Explains the available upgrade paths from versions R60 to the current version. Contains detailed installation instructions for the Provider-1 and VSX products, including hardware and software requirements and licensing requirements. Explains all upgrade paths for Check Point products specifically geared towards upgrading to the current version. Explains Security Management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments. Describes how to control and secure network access and VoIP traffic; how to use integrated web security capabilities; and how to optimize Application Intelligence with capabilities such as Content Vectoring Protocol (CVP) applications, URL Filtering (UFP) applications. Describes how to use IPS to protect against attacks. Describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.

Security Management Administration Guide Firewall Administration Guide

IPS Administration Guide Virtual Private Networks Administration Guide

10

Related Documentation TABLE P-1 Check Point Documentation (continued)

Title Eventia Reporter Administration Guide

Description Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point Security Gateways, SecureClient and IPS. Explains how to install and configure SecurePlatform. This guide will also teach you how to manage your SecurePlatform machine and explains Dynamic Routing (Unicast and Multicast) protocols. Explains the Provider-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments.

SecurePlatform/ SecurePlatform Pro Administration Guide

Provider-1/SiteManager-1 Administration Guide

Preface

11

More Information

More Information
For additional technical information about Check Point products, consult Check Points SecureKnowledge at http://support.checkpoint.com. To view the latest version of this document in the Check Point User Center, go to: http://support.checkpoint.com.

12

Feedback

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to: cp_techpub_feedback@checkpoint.com

Preface

13

Feedback

14

1 Chapter Introduction to Performance Pack

In This Chapter
Overview Release Notes page 16 page 17

15

Overview

Overview
Performance Pack is supported on SecurePlatform. Performance Pack is a software acceleration product installed as an add-on to Check Point Security Gateway. Performance Pack significantly enhances and improves the performance of Security Gateway. Performance Pack uses Check Points SecureXL technology and other innovative network acceleration techniques, to deliver wire-speed performance for Security Gateway. Moreover, it accelerates key security functions, thereby ensuring your organization the best security with the best performance available on an open platform. Supported security functions include: Access control. Encryption. NAT. Accounting and logging. Connection/session rate. General security checks. IPS features. CIFs resources. ClusterXL High Availability and Load Sharing. TCP Sequence Verification. Dynamic VPN Anti Spoofing verifications Passive streaming Drop rate

16

Release Notes

Release Notes
The latest Release Notes for Performance Pack can be found at: http://support.checkpoint.com

Chapter 1

Introduction to Performance Pack

17

Release Notes

18

Chapter Getting Started

In This Chapter
Performance Pack R70 System Requirements Performance Pack Recommended Platform Configuration Preparing the Performance Pack R70 Machine

2
page 20 page 22 page 23

19

Performance Pack R70 System Requirements

Performance Pack R70 System Requirements

Performance Pack accelerates the performance of Security Gateway on: Hardware supported by SecurePlatform Following are the minimum recommended requirements:

Minimum System Requirements

The following are the minimum system requirements:
Table 2-1 Minimum System Requirements

Operating Systems CPU Disk Space Memory Network Interfaces

SecurePlatform R70 See: Hardware Compatibility List for SecurePlatform R70

80 MB 4 GB Network Interfaces supported by Security Gateway: GEM Ethernet NIC 10/100 QuadEthernet NIC GigaSwift NIC Sun HME 10/100 Ethernet NIC BGE

20

Recommended System Options

Recommended System Options

The following system options are recommended for optimal performance:
Table 2-2 Recommended system options

Operating Systems CPU Disk Space Memory Network Interfaces Bus Technology

SecurePlatform R70 Dual Intel Xeon or Dual SPARC 64 bit 400 MB 4 GB or more SecurePlatform R70: Intel Pro 1000 MF/MT At least two 64bit/66Mhz PCI buses, ServerWorks or Intel E7500 Chipset

Chapter 2

Getting Started

21

Performance Pack Recommended Platform Configuration

Performance Pack Recommended Platform Configuration

It is recommended you use Performance Pack on a platform configured with a Dual-Core Intel Xeon Processor 5160 (3.00 GHz, 333 MHz FSB, 2x2 MB L2 Cache), with 667 MHz RAM, or better configuration. Examples of platforms with such configurations are: IBM System 3650 HP Proliant DL-380 G5 Dell PowerEdge 1950 or PowerEdge 2950

Please refer to the latest Performance Pack release notes for additional information on hardware support, limitations and recommendations.

22

Preparing the Performance Pack R70 Machine

Preparing the Performance Pack R70 Machine

For optimal performance, appropriate configuration settings are recommended for the following: BIOS Settings Network Interface Cards

BIOS Settings
If your BIOS supports CPU clock setting, make sure that the BIOS is set to the actual CPU speed. If you are running Performance Pack on a machine with Intel Xeon CPUs, it is recommended to disable Hyper-Threading.

Network Interface Cards location

If you are using a motherboard with multiple PCI or PCI-X buses, make sure that each Network Interface Card is installed in a slot connected to a different bus. If you are using more than two Network Interface Cards in a system with only two 64bit/66Mhz PCI buses, make sure that the least-used cards are installed in slots connected to the same bus.
Note - Performance Pack is automatically disabled on PPTP and PPPoE interfaces.

Installing Performance Pack

Installing During a New Security Gateway Installation
During the Check Point SecurePlatform installation process, select the following products from the list of products to install: Security Gateway Performance Pack

Chapter 2

Getting Started

23

Upgrading Performance Pack

Installing on an Already Installed Security Gateway

1. Type sysconfig to enter the configuration menu. 2. Select Products Installation. 3. Follow the instructions until reaching the product selection screen. 4. Select Performance Pack. 5. Follow the instructions until finish. 6. Exit the configuration menu. 7. Reboot the gateway.

Installing on an Already Installed Security Gateway with HFA

1. Type sysconfig to enter the configuration menu. 2. Select Products Installation. 3. Follow the instructions until reaching the product selection screen. 4. Select Performance Pack. 5. Follow the instructions until finish. 6. Select Products Configuration. 7. Disable Check Point SecureXL. 8. Exit the configuration menu. 9. Reboot the gateway. 10. Upgrade the Performance Pack using SmartUpdate or from command line. For more information, see Upgrading Performance Pack on page 24.

Upgrading Performance Pack

Upgrading via SmartUpdate (Recommended)
1. Select SmartUpdate from Check Point SmartConsole. 2. From the Packages menu, select Add > From File. 3. Select the HFA package and wait until the uploading finished. 4. From the Package Repository, select the Performance Pack package and drag it to the appropriate gateway.

24

Upgrading Performance Pack

5. Follow the instructions until finished.

Upgrading via the Command Line

1. Change to the directory where the HFA file (.tgz) is located. 2. Type the following command to extract the HFA file:

tar xzvf <HFA file>

3. Change to the CPppak directory. 4. Type the following command to extract the sim HFA file:

tar xzvf <sim HFA file>

5. Run the sim hot fix.

Chapter 2

Getting Started

25

Upgrading Performance Pack

26

Chapter Command Line

In This Chapter
fwaccel cpconfig sim affinity proc entries

3
page 28 page 32 page 32 page 34

27

fwaccel

fwaccel
The fwaccel utility allows you to enable or disable acceleration dynamically while Security Gateway is running. The default setting is determined by the setting configured with cpconfig (see cpconfig on page 32). This setting reverts to the default after reboot.

Usage
fwaccel [on|off|stat|stats|conns|templates]

Parameters
Table 3-1
fwaccel parameters

Parameter

Explanation Start acceleration Stop acceleration Display the acceleration device status and the status of the Connection Templates on the local Security Gateway. Displays acceleration statistics. Displays more summarized statistics. Displays dropped packet statistics. Displays all connections. Displays the number of connections currently defined in the accelerator. Limits the number of connections displayed by the conns command to the number entered in the variable max_entries. Display all connection templates.

on off stat

stats stats -s stats -d conns conns -s conns -m <max_entries>

templates

28

fwaccel stats

Table 3-1

fwaccel parameters

Parameter

Explanation Displays all drop templates; each template is assembled from four ranges indexes. In order to see mapping between range index and the range itself, use the command "sim ranges -a" (Output will be printed to /var/log/mssages)

templates -d

templates -m max_entries Limits the number of templates displayed by the templates command to the number entered in the variable max_entries. templates -s
Displays the number of templates currently defined in the accelerator.

fwaccel stats
The fwaccel stats command provides performance statistics. These values can help you understand traffic behavior and help you to investigate performance issues. Table 3-2

fwaccel stats Statistics

Explanation Number of created connections Number of deleted connections Number of temporary connections Number of templates currently handled Number of NAT connections Number of accelerated packets Number of accelerated traffic bytes Number of packets handled by the VPN kernel in slow-path Number of ESP encrypted packets Number of ESP encrypted errors Number of ESP decrypted packets Number of ESP decrypted errors Number of ESP other general errors

Statistic parameter conns created conns deleted temporary conns templates nat conns accel packets accel bytes F2F packets ESP enc pkts ESP enc err ESP dec pkts ESP dec err ESP other err

Chapter 3

Command Line

29

fwaccel stats

Table 3-2

fwaccel stats Statistics

Explanation Not in use Not in use Not in use Not in use Not in use Not in use Not in use Not in use Not in use Not in use Not in use Not in use Accounting update interval in seconds Number of connections currently handled Number of packets which are in violation of the TCP state Number of connections created from templates Number of TCP connections currently handled Number of delayed TCP connections currently handled Number of non TCP connections currently handled Number of delayed non TCP connections currently handled Number of connections currently handled by the VPN kernel in slow-path Number of traffic bytes handled by the VPN kernel in slow-path

Statistic parameter espudp enc pkts espudp enc err espudp dec pkts espudp dec err espudp other err AH enc pkts AH enc err AH dec pkts AH dec err AH other err memory used free memory acct update interval current total conns TCP violations conns from templates TCP conns delayed TCP conns non TCP conns delayed nonTCP conns F2F conns

F2F bytes

30

fwaccel stats

Table 3-2

fwaccel stats Statistics

Explanation Number of encrypted connections currently handled Number of encrypted traffic bytes Number of decrypted traffic bytes Number of partial connections currently handled Number of anticipated connections currently handled Number of dropped packets Number of dropped traffic bytes Not in use Not in use Not in use Not in use Not in use Number of PXL templates Number of PXL connections Number of PXL packets Number of PXL traffic bytes Number of PXL packets handled asynchronously

Statistic parameter crypt conns enc bytes dec bytes partial conns anticipated conns dropped packets dropped bytes nat templates port alloc templates conns from nat tmpl port alloc conns port alloc f2f PXL templates PXL conns PXL packets PXL bytes PXL async packets

Chapter 3

Command Line

31

cpconfig

cpconfig
Check Point products are configured using the cpconfig utility. When run, this utility displays a screen with the configuration options. The options that are displayed, depend on the installed configuration and product(s). You can use cpconfig to enable or disable Performance Pack. Once you have selected an acceleration setting, the setting remains configured, until you choose to change it on another occasion. In other words, the settings that you define will remain even after the machine is rebooted. For an alternative method to enable or disable acceleration, see fwaccel on page 28.

Usage
Execute cpconfig by entering the following command:

cpconfig
An interactive menu will be displayed providing you with the option to enable or disable the acceleration by selecting Enable/Disable Check Point SecureXL. Select Enable in order to enable acceleration. Select Disable in order to disable acceleration.

sim affinity
The sim affinity utility controls various Performance Pack driver features and applies only for SecurePlatform.

Usage
sim affinity [-a|-s|-l]

Parameters
Affinity is a general term for binding Network Interface Card (NIC) interrupts to processors. By default, SecurePlatform does not set Affinity to the NIC interrupts, which means that each NIC is handled by all processors. Optimal network performance is obtained when each NIC is individually bound to a single processor. To achieve the above, the sim utility includes an Affinity feature, which has the following operation modes:

32

sim affinity

Table 3-3

sim Affinity operation modes

Option

Explanation Automatic Mode the Affinity is determined automatically, by analyzing the load on each NIC. If the NICs are not loaded, the Affinity will not be set. This is the default Affinity operation mode, in which the Affinity is re-tuned every 60 seconds. Manual Mode allows you to manually specify the Affinity settings. For each interface, you will be asked to enter one of the following: A space-separated list of the processor numbers that are to handle this interface, or The word all, to allow all processors to handle this interface. When setting the Affinity manually, the periodic automatic check will be disabled. After booting, it will remain disabled and the Affinity settings entered manually will be applied. View a list of the current Affinity settings.

-a

-s

-l

Chapter 3

Command Line

33

proc entries

proc entries
Performance Pack supports SecurePlatform proc entries. These entries are used to display information about the Performance Pack. The proc entries are read-only entries. They cannot be configured. The proc entries are located under /proc/ppk.

Usage
cat /proc/ppk/[conf|ifs|statistics|drop statistics]

Parameters
Table 3-4
/proc Parameters

Parameter

Explanation Displays the Performance Pack Configuration. Lists the interfaces to which Performance Pack is attached. Displays general Performance Pack statistics. Displays Performance Pack dropped packet statistics.

conf ifs statistics drop statistics

34

Chapter Performance Tuning and Measurement

In This Chapter
Performance Tuning Performance Measurement

page 36 page 40

35

Performance Tuning

Performance Tuning
In This Section
Amount of Concurrent Connections and Hash Size SecureXL Templates Delayed Notification Connection Templates Delayed Synchronization Multi-Core Systems page 36 page 37 page 37 page 37 page 39 page 39

Amount of Concurrent Connections and Hash Size

Setting the Maximal Concurrent Connections
To set the desired number of maximal concurrent connections, open SmartDashboards Gateway Object Properties window and proceed as follows: 1. Open the Capacity Optimization tab. Make sure that Calculate connections hash table size and memory pool is set to Automatically. 2. Set the desired amount of concurrent connections in the Maximum Concurrent Connections field.

Increasing the Number of Concurrent Connections

You can increase the actual number of concurrent connections by reducing the timeout of TCP and UDP sessions: TCP end timeout determines the amount of time a TCP connection will stay in the FireWall connection table after a TCP session has ended. UDP virtual session timeout determines the amount of time a UDP connection will stay in the FireWall connection table after the last UDP packet was seen by the gateway.

By reducing the above values, the capacity of actual TCP and UDP connections is increased.

36

SecureXL Templates

SecureXL Templates
Verify that templates are not disabled using the fwaccel stat command. For further information regarding SecureXL Templates, see sk32578 at http://supportcontent.checkpoint.com/solutions?id=sk32578.

Delayed Notification
In the ClusterXL configuration, the Delayed Notification feature is disabled by default. Enabling this feature improves performance (at the cost of connections' redundancy, which can be tuned using delayed notifications expiration timeout). The fwaccel stats command indicates the number of delayed connections. The fwaccel templates command indicates the delayed time for each template under the DLY entry.

Connection Templates
General
Connection templates are generated from active connections according to the policy rules. The connection template feature accelerates the speed at which a connection is established by matching a new connection to a set of attributes. When a new connection matches the template, connections are established without performing a rule match and therefore are accelerated. Connection templates are generated from active connections according to policy rules. Currently, connection template acceleration is performed only on connections with the same destination port. Examples: A connection from 10.0.0.1/2000 to 11.0.0.1/80 established through Firewall and then accelerated. A connection from 10.0.0.1/2001 to 11.0.0.1/80 fully accelerated (including connection establishment). A connection from 10.0.0.1/8000 to 11.0.0.1/80 fully accelerated (including connection establishment).

HTTP GET requests to specific server will be accelerated since the connection has the same source IP address.

Chapter 4

Performance Tuning and Measurement

37

Connection Templates

Restrictions
In general, Connections Templates will be created only for plain UDP or TCP connections. The following restrictions apply for Connection Template generation: Global restrictions: SYN Defender Connection Templates for TCP connections will not be created. NAT connections. VPN connections. Complex connections (H323, FTP, SQL). NetQuotas. ISN Spoofing.

If the Rule Base contains a rule regarding one of the following component, the Connection Templates will be disabled for connections matching this rule, and for all of the following rules: Security Server connections. Services with source port range. Time objects in the rules. Dynamic Objects and/or Domain Objects. Services of type other with a match expression. User/Client/Session Authentication actions. Services of type RPC/DCERPC/DCOM.

When installing a policy containing restricted rules, you will receive console messages indicating that Connection Templates will not be created due to the rules that have been defined. The warnings should be used as a recommendation that will assist you to fine-tune your policy in order to optimize performance.

Testing
To verify that connection templates are enabled, use the fwaccel stat command. To verify that connection templates are generated, use fwaccel templates. This should be done while traffic is running, in order to obtain a list of currently defined templates.

38

Delayed Synchronization

Delayed Synchronization
The synchronization mechanism guarantees High Availability. In a cluster configuration, if one cluster member fails, the other recognizes the connection failure and takes over, so the user does not experience any connectivity issue. However, there is an overhead per synchronized operation, which can occasionally cause a system slow-down when there are short sessions. Delayed synchronization is a mechanism based upon the duration of the connection, with the duration itself used to determine whether or not to perform synchronization. A time range can be defined per service. The time range indicates that connections terminated before a specified expiration time will not be synchronized. As a result, synchronized traffic is reduced and overall performance increases. Delayed Synchronization is performed only for connections matching a connection template. Note - Delayed synchronization is disabled if the log or account are enabled.

Currently, delayed synchronization is allowed only for services of type HTTP or None. In order to configure delayed synchronization, proceed as follows: 1. In SmartDashboard, right click on the Service tab. 2. Either edit an existing service or click New and select TCP. The TCP service properties window is shown. 3. After defining TCP parameters, click Advanced in the TCP service properties window. The Advanced TCP Service Properties window is shown. 4. Select the HTTP or None protocol from the Protocol Type list. 5. Check Start synchronizing. 6. Define the duration value Seconds after connection initiation. The duration value is specified in seconds.

Multi-Core Systems
Running Performance Pack on multi-core systems may require more advanced configurations to account for core affinity and IRQ behavior. For more information, see sk33250 at http://supportcontent.checkpoint.com/solutions?id=sk33250.

Chapter 4

Performance Tuning and Measurement

39

Performance Measurement

Performance Measurement
TCP State and Benchmarking
Certain testing applications (SmartBits or Chariot) generate invalid TCP sequences. The Security Gateways TCP state check detects these faulty sequences, and drops the packets. As a result, the benchmark fails. Since these TCP sequences are invalid, they may affect overall Firewall performance. To disable this type of TCP state check, perform the following operations in SmartDashboard: 1. In the IPS tab, select Protections > By Protocol > Network Security > TCP > Sequence Verifier. 2. Select the profile assigned to your gateway and click Edit. 3. In the Action field, select Inactive. 4. Click OK to close the Protections Settings window. 5. Click OK to close the Protections Details window. 6. Click Install Policy to apply the changes.

Non-accelerated traffic analysis

Use the fwaccel stats command to verify the amount of non-accelerated traffic compared to accelerated traffic. Use the sim dbg + f2f command to understand the possible reasons for the non-accelerated traffic.

Performance Troubleshooting
Additional CLI commands, such as ethtool, are available to monitor the performance of the gateway. For a list of these commands and explanation of their usage, see sk33781 at http://supportcontent.checkpoint.com/solutions?id=sk33781.

40