Performance Optimization of Security Management Server installed on VMware ESX Virtual Machine

Document created by Sung-Lun Yang Employee on Sep 15, 2018

Hello all,

Distributed Deployment is the deployment architecture Check Point recommends most.

For the management server, many customers choose a software-based installation (Open Server, Hypervisor).

Below I list the key points for getting the best performance out of the SMS in a VM environment; for the full explanation, refer to the technical document "sk104848":

===========================================================================================================================

Disk

Always use Thick provisioning (thick/lazy is acceptable), never Thin-provision disk resources.

Memory

Allocate at least 6 GB of memory to the Virtual Machine. For Virtual Machines running Multi-Domain Security Management Server, plan to allocate 6 GB for the base installation plus 2 GB for each additional Domain. Consider reserving 50% of the memory allocated and consider increasing the Virtual Machine's resource shares allocation.


vCPUs

In multi-CPU (SMP) guests, the guest operating system can migrate processes from one vCPU to another. This migration incurs a small CPU overhead. If the migration is very frequent, it might be helpful to pin guest threads or processes to specific vCPUs. Allocate only as many vCPUs as necessary. In most Security Management Server (single-domain) implementations, use no more than two (2) vCPUs. For heavily-subscribed environments, consider reserving at least 30% of the CPU frequency and consider increasing the VM's resource shares allocation.


Virtual Network Adapter

The default virtual network adapter emulated in a Virtual Machine is either an AMD PCnet32 device (vlance / "Flexible"), or an Intel E1000 device (E1000). Never utilize the "Flexible" NIC driver in SecurePlatform OS / Gaia OS, as it has been shown to carry a significant performance penalty. In most cases, Check Point recommends the Intel E1000 device be utilized. When configuring the guest Virtual Machine as noted above, this is the default NIC emulation.

VMware also offers the VMXNET family of paravirtualized network adapters. The VMXNET family contains VMXNET, Enhanced VMXNET (available since ESX/ESXi 3.5), and VMXNET Generation 3 (VMXNET3; available since ESX/ESXi 4.0). The latest releases of the Gaia OS include the VMXNET drivers integrated, but R&D recommends against using these drivers except in cases where Check Point Security Gateway VE R77.10 or newer is used.

In some cases, low receive throughput in a Virtual Machine can be caused by insufficient receive buffers in the receiver network device. If the receive ring in the guest operating system's network driver overflows, packets will be dropped in the VMkernel, degrading network throughput. A possible workaround is to increase the number of receive buffers, though this might increase the host physical CPU workload. For VMXNET3 and E1000, the default number of receive and transmit buffers is controlled by the guest driver, with the maximum possible for both being 4096.
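As an added example (my own script, not from sk104848 or from Check Point), the following PowerCLI audit checks one VM against the disk, memory, vCPU and NIC points above. It assumes an existing Connect-VIServer session, the parameter names $VmName and $Domains, and reads "30% of the CPU frequency" as 30% of one host core's MHz per vCPU.

```powershell
# Added audit script: reports where a VM deviates from the sk104848 recommendations.
# Assumes VMware PowerCLI is loaded and Connect-VIServer has already been run.
param(
    [Parameter(Mandatory)][string]$VmName,
    [int]$Domains = 0   # additional Multi-Domain domains; 0 for a single-domain SMS
)

$vm  = Get-VM -Name $VmName
$res = Get-VMResourceConfiguration -VM $vm
$findings = @()

# Disk: thick provisioning only ("Thick" lazy-zeroed and "EagerZeroedThick" are both fine)
foreach ($disk in Get-HardDisk -VM $vm) {
    if ($disk.StorageFormat -eq 'Thin') {
        $findings += "Disk '$($disk.Name)' is thin-provisioned; convert it to thick"
    }
}

# Memory: 6 GB base plus 2 GB per additional domain, with 50% of it reserved
$needGB = 6 + 2 * $Domains
if ($vm.MemoryGB -lt $needGB) {
    $findings += "Memory $($vm.MemoryGB) GB is below the recommended $needGB GB"
}
if ($res.MemReservationMB -lt ($vm.MemoryGB * 1024 / 2)) {
    $findings += "Memory reservation $($res.MemReservationMB) MB is below 50% of allocated memory"
}

# vCPUs: at most two for a single-domain SMS; 30% of CPU frequency reserved
if ($Domains -eq 0 -and $vm.NumCpu -gt 2) {
    $findings += "$($vm.NumCpu) vCPUs allocated; a single-domain SMS should use at most 2"
}
$coreMhz = $vm.VMHost.CpuTotalMhz / $vm.VMHost.NumCpu   # assumption: per-core frequency
$needMhz = [math]::Ceiling(0.3 * $coreMhz * $vm.NumCpu)
if ($res.CpuReservationMhz -lt $needMhz) {
    $findings += "CPU reservation $($res.CpuReservationMhz) MHz is below 30% ($needMhz MHz)"
}

# Network: never the "Flexible" (vlance/PCnet32) adapter; E1000 is the recommended emulation
foreach ($nic in Get-NetworkAdapter -VM $vm) {
    if ($nic.Type -eq 'Flexible') {
        $findings += "NIC '$($nic.Name)' uses the Flexible adapter; change it to E1000"
    } elseif ($nic.Type -notin @('e1000', 'e1000e')) {
        $findings += "NIC '$($nic.Name)' is $($nic.Type); E1000 is recommended unless VE R77.10+ is used"
    }
}

if ($findings.Count -eq 0) { "OK: $VmName matches the sk104848 recommendations" }
else { $findings | ForEach-Object { "WARN: $_" } }
```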
