
Installation speed and verification on installation

Hi,

This is something I noticed when I was doing an installation on the firewall. As I would like to push changes more regularly, I embarked on doing various speed tests and found these results for a policy of size 10000 rules and 15000 objects.

Policy Verification: 2 minutes

Policy Installation (single gateway): 4 minutes

I have been trying to find a way to reduce the overall time taken and, after some searching, I realized a few things.

1) Policy verification takes place in Policy installation.

2) Policy installation compiles and sends the entire package to the gateway instead of the delta changes.

Just wondering if it is possible to reduce both timings. Also, if it is possible to do policy installation without verification if the management gateway detects that no new publishes happened after the last verification.

Also, just playing with the thought of whether the verification can be sped up by looking at delta changes and doing verification only on those changes (this will likely speed the verification process up a lot).

JL


Re: Installation speed and verification on installation

If you are using an R77.30 or earlier SMS, policy operations are single-threaded so there isn't much you can do beyond making sure the SMS has plenty of RAM and is not dipping into swap space (free -m).  You can also try to reduce the size of your policies and/or delete unused objects.  Also watch out for big groups of objects in manual NAT rules as these can expand out into a truly staggering number of individual NAT rules during policy verify/compilation.  I also seem to recall issues with the hit count table getting too large and slowing down the SmartDashboard, may be worth looking into depending on your SMS version.

In R80+ Management more cores and/or more RAM can definitely have a positive effect on the SMS.  Delta policy installations (only sending changes) were mentioned at some point but are not implemented yet.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: Installation speed and verification on installation

Hi Tim,

Thanks for the explanation. We have increased the number of cores and the RAM, and I'm trying to look for an even faster method. Our CPU and memory usage are thus far healthy even at 10k rules - just finding out if it can be even faster.

Regards,

Jun Liang

Admin

Re: Installation speed and verification on installation

The one improvement we made in R80.10 was the policy verification process, which, for 10k rules, was substantially slower than it is now.

We are planning additional improvements in later releases, including pushing policy deltas. 
