topic Re: Firewall VM issue in Cloud Firewall

Firewall VM issue

Glenmark_Impex — Thu, 30 Mar 2023 09:58:23 GMT

Hi all experts.

Our question for experts experienced with deploying of Checkpoint firewall virtual instances.

We facing issue with deploying of Checkpoint R 80.40 virtual gateway.

Hypervisor - ESXi VMware 6.5.0

Server HW – HP Proliant DL360 Gen8

CPU HW- intel Xeon CPU E5-2670

Checkpoint installation iso file - Check_Point_R80.40_T294.iso

VM general settings

Guest OS RHEL7 64-bit

HDD – 100 GB

Memory – 12GB

Number of the CPU – 4

Number of the vNIC -10

Installation has been completed successfully. But vNIC’s sequence doesn’t match with Checkoint gateway interfaces. For example if we disconnect vNIC – 1 on Checkpoint gateway eth5 going down. This issue has been solved with sk69621. We have found correct sequence’s for ID PCI bus Instead renaming eth’s.

Next step – performance test.

Using iperf we have tested bandwidth. Data rate was unstable form 40 Mbits/s to 413 Mbits/s. In CPview the SND CPU has utilization up to 100%

We decide to move another one CPU to SND. Using cpconfig we have set two CPU for SND and reboot the VM.

Result:

Our question is what we are doing wrong?

Re: Firewall VM issue

Chris_Atkinson — Thu, 30 Mar 2023 11:56:22 GMT

Is there a JHF applied to this machine and can you share some specifics of the iperf test, were multiple parallel threads used or just a single flow?

Which interface driver/type is used for the VM?

Re: Firewall VM issue

Glenmark_Impex — Thu, 30 Mar 2023 12:12:45 GMT

Dear Chris

Iperf test string - iperf.exe -c 172.21.126.166 -p 443 -t 120

Clean installation with iso - Check_Point_R80.40_T294.iso no any additional JHF were installed.

vNIC driver - VMXNET3.

We would like to use this driver instead E1000. It was major reason for choosing guest OS RHEL7 but no Other Linux.

Re: Firewall VM issue

Chris_Atkinson — Thu, 30 Mar 2023 12:28:20 GMT

-P should help with parallel threads up to the limits of the test hosts CPU.

See an example here depending on the scale that you hope to achieve.

https://fasterdata.es.net/performance-testing/network-troubleshooting-tools/iperf/multi-stream-iperf3/

Deploying JHFs on top of the base image is recommended as best practice.

Note OVA images are available here for reference:

sk158292: CloudGuard Network for Private Cloud images

Re: Firewall VM issue

Chris_Atkinson — Thu, 30 Mar 2023 12:49:01 GMT

I can't make out the screenshot well, is the system no longer booting post the changes or something else?

Re: Firewall VM issue

Bob_Zimmerman — Thu, 30 Mar 2023 15:04:17 GMT

To be sure you're aware, the guest OS option in ESX is just for configuration presets. It doesn't actually do anything on an ongoing basis. You can change any vNIC to vmxnet3.

Agreed with @Chris_Atkinson that you should really install a jumbo. R80.40 jumbo 192 has 2225 fixes over the initial release of R80.40.

Re: Firewall VM issue

Glenmark_Impex — Thu, 30 Mar 2023 16:15:51 GMT

Yes, VM no longer bootable, but we have fresh install snapshot. No any changes for VM only cpconfig - CoreXL and VM has gone.

Re: Firewall VM issue

Glenmark_Impex — Thu, 30 Mar 2023 16:18:33 GMT

Will try OVA from SK. Will see.

Re: Firewall VM issue

PhoneBoy — Fri, 31 Mar 2023 03:55:26 GMT

Make sure you've tuned the configuration appropriately per: https://support.checkpoint.com/results/sk/sk169252
Also, you really should install the latest recommended JHF: https://sc1.checkpoint.com/documents/Jumbo_HFA/R80.40/R80.40/R80.40_Downloads.htm?tocpath=_____3

Re: Firewall VM issue

Glenmark_Impex — Tue, 11 Apr 2023 08:32:30 GMT

Dear Chris.

We have download tar archive with VMDK, OVF, CERT and MF files instead OVA.

https://supportcenter.checkpoint.com/supportcenter/portal/role/supportcenterUser/page/default.psml/media-type/html?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=103389

Gateway installation has been completed successfully. We can change numbers of vCPUs via VM settings or change CoreXL parameters in cpconfig command without any issues.

Thank you for advices.