topic Re: Check Point 4200 Overload in General Topics

Check Point 4200 Overload

Di_Junior — Mon, 18 Dec 2017 09:35:36 GMT

Hi Check Mates, I need your help with regards to one of my clients.

My client uses a 4200 appliance, and currently they are experiencing some problems with regards to traffic being slow.

The client has between 500 - 1000 users, their appliance has many policies and sometimes the appliance is overloaded.

They also have another 4200 appliance on a different site which is not in use, and they want to find a way on how they can balance traffic between these too appliance (I guess they need a cluster working in Load Balancing).

I would like to get your advice on how the problem can be approached.

Will the clustering solutions solve the problem? taking into account the number of users?

Must they upgrade their appliance?

Note: I am new to check point products, just starting my career

Thanks in advance.

Re: Check Point 4200 Overload

Bernhard_Fuchs — Mon, 18 Dec 2017 11:36:21 GMT

Hello,

I would at least check some at the policy.

There is a hit count on the left side of each rule. Take Rules with alot of hits and move them up in the policy.

Also IP-Ranges like 192.168.168.10-192.168.168.100 will have performance impact.

Also check, if the IPS is running, look for the signatures with critical impact and turn them off, if you can.

Best Regards,

Bernhard

Re: Check Point 4200 Overload

Di_Junior — Mon, 18 Dec 2017 12:50:17 GMT

Thanks for your help.
Would you kindly explain why that IP-range have performance impact?

Re: Check Point 4200 Overload

Timothy_Hall — Mon, 18 Dec 2017 12:58:05 GMT

Load sharing should not be employed to help underpowered firewalls perform acceptably. The 4200 only has two cores and sounds a bit underpowered for what it is being asked to do. However there may be some tuning possible to improve performance, please provide the output from the following commands run on the firewall, ideally when it is running slowly if possible:

fwaccel stat
fwaccel stats -s
fw ctl affinity -l -r
sim affinity -l
netstat -ni
fw ctl multik stat

fw ctl multik get_mode
cpstat os -f multi_cpu -o 1
free -m
enabled_blades
installed_jumbo_take
cpinfo -y
fw ver

--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon

Re: Check Point 4200 Overload

Di_Junior — Mon, 18 Dec 2017 13:22:28 GMT

Hi Tim, thanks for your help. Unfortunatelly I do not have access to the system right now. I will organize with the client in order to get the output from those commands. Thank you

Re: Check Point 4200 Overload

Bernhard_Fuchs1 — Mon, 18 Dec 2017 13:53:39 GMT

Every object that has a IP-Range set.

Re: Check Point 4200 Overload

Di_Junior — Mon, 18 Dec 2017 14:06:57 GMT

HI Again Tim, one point that I forgot to mention is that the client is running a standalone platform (Single appliance acting as the SMS and SG). I will get the output from the commands above, and show it as requested but will remove any information that can identify the client.

Re: Check Point 4200 Overload

Timothy_Hall — Mon, 18 Dec 2017 14:14:34 GMT

Thanks for the update, the 4200 only has 4GB of RAM (and I don't believe that can be "officially" upgraded) so it is likely the box is low on free RAM especially because it is standalone, but we will see.

--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon

Re: Check Point 4200 Overload

Gaurav_Pandya — Mon, 18 Dec 2017 14:55:33 GMT

Hi,

It is right what Tim has suggested as most of this type of issue is because of Memory, CPU, High number of connections. I will also suggest below commands.

top (no cpu usage)
free -m (no swap or I/O slowdowns)
vmstat (verifying no si/so/wa)
fw tab -t connections -s (no limits reached since reboot)

Re: Check Point 4200 Overload

Kaspars_Zibarts — Mon, 18 Dec 2017 22:08:23 GMT

Adding to Tim and Gaurav:

fw ctl pstat

Re: Check Point 4200 Overload

Di_Junior — Tue, 19 Dec 2017 06:22:23 GMT

Hi Tim, while I am still waiting for the output of the commands above, would you kindly elaborate on what you have stated above: "Load sharing should not be employed to help underpowered firewalls perform acceptably".
Thanks in advance

Re: Check Point 4200 Overload

Kaspars_Zibarts — Tue, 19 Dec 2017 09:15:53 GMT

It won't resolve your problems long term. You could technically use it as a "quick fix" but there are other methods you could deploy for "quick fix" depending on the actual cause for this intermittent slowness. You really need to find the root cause before yo can speculate the best solution Could be something trivial as acceleration stopped by some silly rule high up in the rulebase or some old bug chewing RAM..

Re: Check Point 4200 Overload

Timothy_Hall — Tue, 19 Dec 2017 14:25:05 GMT

Sure Di, here is an excerpt from a new chapter focusing on ClusterXL HA in my book's second edition. Please be aware this is my personal opinion and I don't expect everyone to necessarily agree:

Can migrating to a Load Sharing model increase overall firewall performance? Yes. Is it worth the additional complexity and troubleshooting murkiness? For most sites in the real world the answer is a resounding NO. “But wait aren’t two heads better than one?” you ask. Your manager might also ask: “Why should our very expensive standby firewall just sit there and do nothing?”
(snip)
Based on the overall tone of the prior section, you probably have a sneaking suspicion that I am not a fan of Load Sharing. You would be correct. This isn’t a specific beef with Check Point’s implementation of Load Sharing; I also dislike active/active implementations on all other firewall vendors’ products as well. Generally speaking, the complexity imposed by Load Sharing is not usually worth it in my opinion. From a design perspective if you still intend to push forward with a Load Sharing configuration, you are going to need at least 3 firewalls. If only two firewalls are used with Load Sharing and one of them fails, the remaining firewall may very well not be able to handle 100% of the load by itself and will buckle in quite noticeable ways. So you’ll need a bigger firewall to address that possible contingency. But if you already have a bigger firewall, why not just do active/standby HA and save yourself the trouble of Load Sharing in the first place? Load Sharing should not be employed for the sole purpose of allowing underpowered firewalls to perform acceptably.

--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon