Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Jun_Liang_Seow
Contributor

Installation speed and verification on installation

Hi,

This is something I notice when I was doing installation on the firewall. As I would like to push changes more regularly, I embarked on doing various speed test and found the results for a policy of size 10000 rules and 15000 objects.

Policy Verification: 2 minutes

Policy Installation (single gateway): 4 minutes

I have been trying to find a way to reduce the overall time taken and after some searching, I realize a few things. 

1) Policy verification takes place in Policy installation.

2) Policy installation compiles and sends entire package to gateway instead of the delta changes

Just wondering if it is possible to reduce both timings. Also, if it is possible to do policy installation without verification if the management gateway detects that no new publishes happened after the last verification.

Also, just playing with the thought if the verification can be sped up by looking at delta changes and doing verifications only on those changes (this will likely speed verification process up a lot)

JL

0 Kudos
4 Replies
Timothy_Hall
Champion
Champion

If you are using an R77.30 or earlier SMS, policy operations are single-threaded so there isn't much you can do beyond making sure the SMS has plenty of RAM and is not dipping into swap space (free -m).  You can also try to reduce the size of your policies and/or delete unused objects.  Also watch out for big groups of objects in manual NAT rules as these can expand out into a truly staggering number of individual NAT rules during policy verify/compilation.  I also seem to recall issues with the hit count table getting too large and slowing down the SmartDashboard, may be worth looking into depending on your SMS version.

In R80+ Management more cores and/or more RAM can definitely have a positive effect on the SMS.  Delta policy installations (only sending changes) were mentioned at some point but are not implemented yet.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Jun_Liang_Seow
Contributor

Hi Tim,

Thanks for the explanation. We have increased the number of cores and RAMs and I'm trying to look for an even faster method. Smiley Happy Our CPU and Memory usage are thus far healthy even at 10k rules - just finding out if it can be even faster.

Regards,

Jun Liang

0 Kudos
PhoneBoy
Admin
Admin

The one improvement we made in R80.10 was the policy verification process, which for 10k rules, was substantially slower than it is now.

We are planning additional improvements in later releases, including pushing policy deltas. 

0 Kudos
Chris_Butler
Collaborator

Hi PhoneBoy!

I carried a legacy policy forward from our old 77.30 SMS to our current Smart-1 410 when we upgraded our SMS and our Gateway.

Our SMS is now running R80.30 and our gateway is running R80.20.

Policy installation is still slow, presumably because of the way the legacy policy is structured, yes?

Is there anything I can do to edit or change the current policy piecemeal to optimize it so it will install more quickly?

Or would I have to throw the baby out with the bathwater and start from scratch?

Thanks.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events