Installation speed and verification on installation
Hi,
This is something I noticed when I was doing installation on the firewall. As I would like to push changes more regularly, I embarked on doing various speed tests and found the results for a policy of size 10000 rules and 15000 objects.
Policy Verification: 2 minutes
Policy Installation (single gateway): 4 minutes
I have been trying to find a way to reduce the overall time taken and after some searching, I realized a few things.
1) Policy verification takes place in Policy installation.
2) Policy installation compiles and sends entire package to gateway instead of the delta changes
Just wondering if it is possible to reduce both timings. Also, if it is possible to do policy installation without verification if the management gateway detects that no new publishes happened after the last verification.
Also, just playing with the thought if the verification can be sped up by looking at delta changes and doing verifications only on those changes (this will likely speed verification process up a lot)
JL
If you are using an R77.30 or earlier SMS, policy operations are single-threaded so there isn't much you can do beyond making sure the SMS has plenty of RAM and is not dipping into swap space (free -m). You can also try to reduce the size of your policies and/or delete unused objects. Also watch out for big groups of objects in manual NAT rules as these can expand out into a truly staggering number of individual NAT rules during policy verify/compilation. I also seem to recall issues with the hit count table getting too large and slowing down the SmartDashboard, may be worth looking into depending on your SMS version.
In R80+ Management more cores and/or more RAM can definitely have a positive effect on the SMS. Delta policy installations (only sending changes) were mentioned at some point but are not implemented yet.
--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.
CET (Europe) Timezone Course Scheduled for July 1-2
Hi Tim,
Thanks for the explanation. We have increased the number of cores and the amount of RAM and I'm trying to look for an even faster method. Our CPU and memory usage are thus far healthy even at 10k rules - just finding out if it can be even faster.
Regards,
Jun Liang
The one improvement we made in R80.10 was the policy verification process, which for 10k rules, was substantially slower than it is now.
We are planning additional improvements in later releases, including pushing policy deltas.
Hi PhoneBoy!
I carried a legacy policy forward from our old 77.30 SMS to our current Smart-1 410 when we upgraded our SMS and our Gateway.
Our SMS is now running R80.30 and our gateway is running R80.20.
Policy installation is still slow, presumably because of the way the legacy policy is structured, yes?
Is there anything I can do to edit or change the current policy piecemeal to optimize it so it will install more quickly?
Or would I have to throw the baby out with the bathwater and start from scratch?
Thanks.
