This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Glenmark_Impex
Contributor
‎2023-03-30 02:58 AM
Jump to solution

Firewall VM issue

Hi all experts.

Our question for experts experienced with deploying of Checkpoint firewall virtual instances.

We facing issue with deploying of Checkpoint R 80.40 virtual gateway.

Hypervisor -  ESXi VMware 6.5.0

Server HW – HP Proliant DL360 Gen8

CPU HW- intel Xeon CPU E5-2670

Checkpoint installation iso file - Check_Point_R80.40_T294.iso

VM general settings

Guest OS RHEL7 64-bit

HDD – 100 GB

Memory – 12GB

Number of the CPU – 4

Number of the vNIC -10

 

Installation has been completed successfully. But vNIC’s sequence doesn’t match with Checkoint gateway interfaces. For example if we disconnect vNIC – 1 on Checkpoint gateway eth5 going down. This issue has been solved with sk69621. We have found correct sequence’s for ID PCI bus Instead renaming eth’s.

Next step – performance test.

Using iperf we have tested bandwidth. Data rate was unstable form 40 Mbits/s to 413 Mbits/s. In CPview the SND CPU has utilization up to 100%

We decide to move another one CPU to SND. Using cpconfig we have set two CPU for SND and reboot the VM.

Result:

Glenmark_Impex_0-1680169993606.png

 

Our question is what we are doing wrong?

0 Kudos
1 Solution

Accepted Solutions
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-03-30 05:23 AM
In response to Glenmark_Impex
Jump to solution

-P  should help with parallel threads up to the limits of the test hosts CPU.

See an example here depending on the scale that you hope to achieve.

https://fasterdata.es.net/performance-testing/network-troubleshooting-tools/iperf/multi-stream-iperf...

Deploying JHFs on top of the base image is recommended as best practice.

Note OVA images are available here for reference:

sk158292: CloudGuard Network for Private Cloud images

CCSM R77/R80/ELITE

View solution in original post

0 Kudos
9 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-03-30 04:54 AM
Jump to solution

Is there a JHF applied to this machine and can you share some specifics of the iperf test, were multiple parallel threads used or just a single flow?

Which interface driver/type is used for the VM?

CCSM R77/R80/ELITE
0 Kudos
Glenmark_Impex
Contributor
‎2023-03-30 05:12 AM
In response to Chris_Atkinson
Jump to solution

Dear Chris

Iperf test string -  iperf.exe -c 172.21.126.166 -p 443 -t 120

Clean installation with iso - Check_Point_R80.40_T294.iso no any additional JHF were installed.

vNIC driver - VMXNET3.

We would like to use this driver instead E1000. It was major reason for choosing guest OS RHEL7 but no Other Linux.

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-03-30 05:23 AM
In response to Glenmark_Impex
Jump to solution

-P  should help with parallel threads up to the limits of the test hosts CPU.

See an example here depending on the scale that you hope to achieve.

https://fasterdata.es.net/performance-testing/network-troubleshooting-tools/iperf/multi-stream-iperf...

Deploying JHFs on top of the base image is recommended as best practice.

Note OVA images are available here for reference:

sk158292: CloudGuard Network for Private Cloud images

CCSM R77/R80/ELITE
0 Kudos
Glenmark_Impex
Contributor
‎2023-03-30 09:18 AM
In response to Chris_Atkinson
Jump to solution

Will try OVA from SK. Will see.

0 Kudos
Glenmark_Impex
Contributor
‎2023-04-11 01:32 AM
In response to Chris_Atkinson
Jump to solution

Dear Chris.

We have download tar archive with VMDK, OVF, CERT and MF files instead OVA.

https://supportcenter.checkpoint.com/supportcenter/portal/role/supportcenterUser/page/default.psml/m...

Gateway installation has been completed successfully. We can change numbers of vCPUs via VM settings or change CoreXL parameters  in cpconfig command without any issues. 

Thank you for advices.

Bob_Zimmerman
MVP Gold
MVP Gold
‎2023-03-30 08:04 AM
In response to Glenmark_Impex
Jump to solution

To be sure you're aware, the guest OS option in ESX is just for configuration presets. It doesn't actually do anything on an ongoing basis. You can change any vNIC to vmxnet3.

Agreed with @Chris_Atkinson that you should really install a jumbo. R80.40 jumbo 192 has 2225 fixes over the initial release of R80.40.

Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-03-30 05:49 AM
Jump to solution

I can't make out the screenshot well, is the system no longer booting post the changes or something else?

CCSM R77/R80/ELITE
0 Kudos
Glenmark_Impex
Contributor
‎2023-03-30 09:15 AM
In response to Chris_Atkinson
Jump to solution

Yes, VM no longer bootable, but we have fresh install snapshot. No any changes for VM only cpconfig - CoreXL and VM has gone.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-03-30 08:55 PM
Jump to solution

Make sure you've tuned the configuration appropriately per: https://support.checkpoint.com/results/sk/sk169252 
Also, you really should install the latest recommended JHF: https://sc1.checkpoint.com/documents/Jumbo_HFA/R80.40/R80.40/R80.40_Downloads.htm?tocpath=_____3 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events