Di_Junior
Advisor

Check Point 4200 Overload

Hi CheckMates, I need your help with regard to one of my clients.

My client uses a 4200 appliance, and currently they are experiencing some problems with traffic being slow.

The client has between 500 and 1000 users, their appliance has many policies, and sometimes the appliance is overloaded.

They also have another 4200 appliance on a different site which is not in use, and they want to find a way to balance traffic between these two appliances (I guess they need a cluster working in load balancing).

I would like to get your advice on how the problem can be approached.

Will a clustering solution solve the problem, taking into account the number of users?

Must they upgrade their appliance?

Note: I am new to Check Point products; I am just starting my career.

Thanks in advance.

12 Replies
Bernhard_Fuchs
Explorer

Hello,

I would at least check a few things in the policy.

There is a hit count on the left side of each rule. Take rules with a lot of hits and move them up in the policy.

Also, IP ranges like 192.168.168.10-192.168.168.100 will have a performance impact.

Also check whether IPS is running; look for the signatures with critical impact and turn them off, if you can.

Best Regards,

Bernhard

Di_Junior
Advisor

Thanks for your help.
Would you kindly explain why an IP range has a performance impact?

Bernhard_Fuchs1
Explorer

Every object that has an IP range set.

Timothy_Hall
Legend

Load sharing should not be employed to help underpowered firewalls perform acceptably. The 4200 only has two cores and sounds a bit underpowered for what it is being asked to do. However, there may be some tuning possible to improve performance. Please provide the output from the following commands run on the firewall, ideally while it is running slowly if possible:

fwaccel stat
fwaccel stats -s
fw ctl affinity -l -r
sim affinity -l
netstat -ni
fw ctl multik stat
fw ctl multik get_mode
cpstat os -f multi_cpu -o 1
free -m
enabled_blades
installed_jumbo_take
cpinfo -y
fw ver

--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Di_Junior
Advisor

Hi Tim, thanks for your help. Unfortunately I do not have access to the system right now. I will organize with the client in order to get the output from those commands. Thank you.

Di_Junior
Advisor

Hi again Tim, one point that I forgot to mention is that the client is running a standalone platform (a single appliance acting as both the SMS and the SG). I will get the output from the commands above and post it as requested, but will remove any information that can identify the client.

Timothy_Hall
Legend

Thanks for the update, the 4200 only has 4GB of RAM (and I don't believe that can be "officially" upgraded) so it is likely the box is low on free RAM especially because it is standalone, but we will see.

Di_Junior
Advisor

Hi Tim, while I am still waiting for the output of the commands above, would you kindly elaborate on what you stated above: "Load sharing should not be employed to help underpowered firewalls perform acceptably".
Thanks in advance.

Kaspars_Zibarts
Employee

It won't resolve your problems long term. You could technically use it as a "quick fix", but there are other methods you could deploy as a "quick fix" depending on the actual cause of this intermittent slowness. You really need to find the root cause before you can speculate on the best solution :) It could be something as trivial as acceleration stopped by some silly rule high up in the rulebase, or some old bug chewing RAM.

Timothy_Hall
Legend

Sure Di, here is an excerpt from a new chapter focusing on ClusterXL HA in my book's second edition. Please be aware that this is my personal opinion and I don't expect everyone to necessarily agree:

   Can migrating to a Load Sharing model increase overall firewall performance? Yes. Is it worth the additional complexity and troubleshooting murkiness? For most sites in the real world the answer is a resounding NO. “But wait aren’t two heads better than one?” you ask. Your manager might also ask: “Why should our very expensive standby firewall just sit there and do nothing?”

(snip)

   Based on the overall tone of the prior section, you probably have a sneaking suspicion that I am not a fan of Load Sharing. You would be correct. This isn’t a specific beef with Check Point’s implementation of Load Sharing; I also dislike active/active implementations on all other firewall vendors’ products as well. Generally speaking, the complexity imposed by Load Sharing is not usually worth it in my opinion. From a design perspective if you still intend to push forward with a Load Sharing configuration, you are going to need at least 3 firewalls. If only two firewalls are used with Load Sharing and one of them fails, the remaining firewall may very well not be able to handle 100% of the load by itself and will buckle in quite noticeable ways. So you’ll need a bigger firewall to address that possible contingency. But if you already have a bigger firewall, why not just do active/standby HA and save yourself the trouble of Load Sharing in the first place? Load Sharing should not be employed for the sole purpose of allowing underpowered firewalls to perform acceptably.

Gaurav_Pandya
Advisor

Hi,

What Tim has suggested is right, as most issues of this type are caused by memory, CPU, or a high number of connections. I would also suggest the commands below.

top (no cpu usage)
free -m (no swap or I/O slowdowns)
vmstat (verifying no si/so/wa)
fw tab -t connections -s (no limits reached since reboot)

Kaspars_Zibarts
Employee

Adding to Tim and Gaurav:

fw ctl pstat

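The diagnostics requested in the replies above (Tim's command list, Gaurav's additions and Kaspars' fw ctl pstat) gathered by one script, with two of Gaurav's quick checks applied to the captured text. This is an added example, not code from any of the posters. It assumes Expert mode on the gateway as root; the batch flags on top and vmstat, the default connections-table limit of 25000, the column layout of `fw tab -t connections -s`, and the sample outputs are assumptions or constructed data, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): collect the outputs asked for above into one
# directory, then check the captured text for swap in use and for the connection-table
# peak approaching its limit. Assumes Expert mode on the gateway, run as root; commands
# that do not exist on a given release are skipped rather than treated as failures.
set -u

# "file|command" pairs. top/vmstat get batch arguments so they return instead of running
# interactively (assumption: these flags are acceptable for the capture).
PERF_COMMANDS='fwaccel_stat|fwaccel stat
fwaccel_stats_s|fwaccel stats -s
fw_ctl_affinity|fw ctl affinity -l -r
sim_affinity|sim affinity -l
netstat_ni|netstat -ni
fw_ctl_multik_stat|fw ctl multik stat
fw_ctl_multik_get_mode|fw ctl multik get_mode
cpstat_multi_cpu|cpstat os -f multi_cpu -o 1
free_m|free -m
enabled_blades|enabled_blades
installed_jumbo_take|installed_jumbo_take
cpinfo_y|cpinfo -y
fw_ver|fw ver
top|top -b -n 1
vmstat|vmstat 1 5
fw_tab_connections|fw tab -t connections -s
fw_ctl_pstat|fw ctl pstat'

# Constructed sample outputs (not from a real gateway) used by the self-check below.
SAMPLE_FREE='             total       used       free     shared    buffers     cached
Mem:          3947       3701        246          0        112       1048
-/+ buffers/cache:       2540       1407
Swap:         4094        512       3582'
SAMPLE_TAB='HOST                  NAME                                  ID #VALS #PEAK #SLINKS
localhost             connections                         8158  2048 24900    4096'

# Run every command whose binary exists; one file per command plus a list of skips.
# The directory name carries only a timestamp so the bundle does not name the customer.
collect_perf_data() {
    outdir="perf-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$outdir"
    printf '%s\n' "$PERF_COMMANDS" | while IFS='|' read -r name cmd; do
        [ -n "$name" ] || continue
        if command -v "${cmd%% *}" >/dev/null 2>&1; then
            $cmd >"$outdir/$name.txt" 2>&1   # word-splitting of $cmd is intended
        else
            echo "$cmd" >>"$outdir/skipped.txt"
        fi
    done
    echo "$outdir"
}

# Swap in use (MB) from `free -m` text on stdin; -1 if no Swap: line is present.
swap_used_mb() {
    awk '$1 == "Swap:" { print $3; found = 1 } END { if (!found) print -1 }'
}

# Peak connections as a percentage of the table limit, from `fw tab -t connections -s`
# text on stdin (assumption: #PEAK is the fifth column). The limit is passed in because
# the -s output does not print it; 25000 is assumed as the default when omitted.
conn_peak_pct() {
    awk -v lim="${1:-25000}" \
        '$2 == "connections" { printf "%d\n", ($5 * 100) / lim; found = 1 }
         END { if (!found) print -1 }'
}

# Apply both checks to a collected directory; returns 1 if either threshold trips.
quick_checks() {
    dir=$1; rc=0
    swap=$(swap_used_mb <"$dir/free_m.txt")
    pct=$(conn_peak_pct "${2:-25000}" <"$dir/fw_tab_connections.txt")
    [ "$swap" -gt 0 ] && { echo "swap in use: ${swap} MB"; rc=1; }
    [ "$pct" -ge 90 ] && { echo "connection table peak at ${pct}% of limit"; rc=1; }
    return $rc
}

# Usage on the gateway:  sh perfcollect.sh collect
# With no argument the parsers are shown on the constructed samples instead.
if [ "${1:-}" = "collect" ]; then
    quick_checks "$(collect_perf_data)"
else
    echo "sample swap used: $(printf '%s\n' "$SAMPLE_FREE" | swap_used_mb) MB"
    echo "sample peak: $(printf '%s\n' "$SAMPLE_TAB" | conn_peak_pct 25000)% of limit"
fi
```

Review the resulting directory before sending it anywhere: it contains interface names, blade lists and version strings, which is usually what one wants to redact when, as above, the client must not be identifiable.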
