topic Re: Test bandwidth/speed from Gaia VSX in Firewall and Security Management

Test bandwidth/speed from Gaia VSX

Daniel_Fischler — Tue, 20 Jun 2023 08:55:26 GMT

I'm trying to test the transfer rate between two firewalls (to test the infrastructure in between). Unfortunately both firewalls are VSX and the 10G interfaces are all attached to the VS1.

In VS0 I would copy a big file to see the speed between the boxes but how do I do that (the speedtest) between the VS1? I cannot make scp directly to a VS 1 using the interface of the VS1.

Or am I wrong and there is a possibility?

best regards

daniel

Re: Test bandwidth/speed from Gaia VSX

Chris_Atkinson — Tue, 20 Jun 2023 11:33:05 GMT

Using the Gateway as the source or destination for such tests isn't generally optimal, nor desirable from a SecureXL perspective (Refer sk32578).

Re: Test bandwidth/speed from Gaia VSX

Bob_Zimmerman — Tue, 20 Jun 2023 14:47:30 GMT

Note that scp is really bad for network link performance testing. Its performance is limited mostly by the cryptographic performance of a single CPU core, so you are extremely unlikely to ever get even 1 gigabit of throughput from it.

What version of VSX are you running?

Are these firewalls in production, or is this performance testing before declaring them ready for production use?

If your firewalls are production, only do this in an outage window for the whole VSX cluster.

If you are running R80.40 or newer, your version of VSX is based on network namespaces, which is a pretty well-understood Linux feature. You can get a statically-linked version of iperf and use standard Linux tools (specifically, ip netns(8)) to run it in a particular namespace. First get a list of the namespace names using 'ip netns list' like this:

[Expert@SomeVsxCluster:0]# ip netns list CTX00000 (id: 0) CTX00002 (id: 2) CTX00003 (id: 3) CTX00004 (id: 4) ...

Then you use 'ip netns exec <namespace name> <command>' to execute <command> in the specified namespace.

Re: Test bandwidth/speed from Gaia VSX

Daniel_Fischler — Tue, 20 Jun 2023 15:10:04 GMT

This is VSX R81.10 and unfortunately this is already in production. I made a short connection test by just downloading a file using curl_cli and I agree: performance is really limited.

Thanks for the information about the namespace feature and especially for the warning 8)

We will forget this idea and will use additional devices to generate traffic through the firewall.

Re: Test bandwidth/speed from Gaia VSX

Bob_Zimmerman — Tue, 20 Jun 2023 15:46:40 GMT

Ultimately, the recommendation for a whole-cluster outage window is because load testing is often disruptive. After all, you're trying to get the system to work as hard as it can to find the weakest point. Even if the cluster itself isn't sourcing or sinking the traffic, there's a risk that it is the weakest point. No matter how many VSs you have, VSX is a single OS running a single kernel, single filesystem, and so on. If you stress test to failure, there's a chance the whole box fails, taking all of its contexts with it.

Using iperf on the cluster members directly to test performance without involving systems behind the cluster is only marginally more risk.

As for the curl_cli test, unless you were running it to /dev/null, that is bounded by storage I/O performance. If you're using Check Point branded servers, the storage is probably spinning disks. It's likely to be sequential writes, but there are a million situations which can lead to I/O contention, which would definitely bottleneck downloads via cURL.