I had written the following in another article this morning, "Show me yours". This gave me the idea to start this article.
I do a lot of performance tuning for customers and copied a few passages from my training material.
1) This is a typical firewall with many blades on! Here the PXL path is used.
Blades: fw vpn cvpn av ips identityServer anti_bot ThreatEmulation mon
Cores: 16 (4xSND, 10xFWK, 2xfwd[Logging,...])
MultiQueue: on (4 Interface)
Interface: 4 x 10 GBit
Connections: approximately 500K, peak 700K
CPU: 50% over all cores
# fwaccel stats -s
Accelerated pkts/Total pkts : 1052964458/159849848978 (0%)
F2Fed pkts/Total pkts : 2764823456/159849848978 (1%)
PXL pkts/Total pkts : 156032061194/159849848978 (97%)
---
2) This is a typical firewall with many blades off! Here the acceleration path is used.
Blades: fw vpn
Cores: 16 (8xSND, 6xFWK, 2xfwd[Logging,...])
MultiQueue: on (4 Interface)
Interface: 4 x 10 GBit
Connections: approximately 500K, peak 700K
CPU: 30% over all cores
Accelerated pkts/Total pkts : 191956815617/194432772885 (98%)
F2Fed pkts/Total pkts : 3767408762/194432772885 (2%)
PXL pkts/Total pkts : 0/194432772885 (0%)
---
What other tuning parameters do I look at?
- Interface cards 1G, 10G and 40G > (MQ, errors, interrupt distribution, more or fewer SNDs,...)
- Blades + CoreXL > (more or fewer FW_Workers, HTTPS inspection, deep inspection, PSL, CPAS, R77.30 VPN on FW_Worker_0 [R80.10 multicore VPN], CPU utilization,...)
- SecureXL > (NAT templates, Drop templates, rule optimization for accept templates,...)
- Connection Table > (many connections in TCP start state + timeout, UDP virtual session timeout,...)
- ClusterXL > (sync or no sync for services,...)
- Logging > (optimize logging in the rules, more or fewer fwd cores for logging,...)
- IPS > (signatures with high performance impact,...)
- VPN > (3DES or AES with AES-NI [high-speed hardware encryption],...)
- SecureXL > (SAM card or Falcon card (R80.20 and above) inside,...)
- and so on
I could find 100 more points that can be optimized.
I think performance tuning is a very individual process for each firewall. First you should talk about what you want to accomplish on the firewall. Like I said, I'd like to hear your opinion on tuning.
Regards,
Heiko
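The two `fwaccel stats -s` outputs above are the quickest way to see where a gateway's CPU load lands: packets in the accelerated path are finished on the SND cores, while PXL and F2F packets need a FW worker core. The following is an added example (not code from the post or from Check Point): a small Python parser that reads the three counter lines, recomputes the shares from the raw counters instead of the truncated whole-number percentages the command prints, and gives a coarse verdict on which core group carries the traffic. The two sample inputs are the counter lines from the post; the 90% "fast path" threshold in `classify` is an assumption made for this example, not a vendor recommendation.

```python
"""Summarize `fwaccel stats -s` output: which SecureXL path carries the packets.

Parses the three "<path> pkts/Total pkts : N/M (P%)" counter lines, recomputes
the shares from the raw counters (the printed percentage is truncated to whole
numbers), and reports whether the box runs mostly in the accelerated path (SND
cores do the work) or in PXL/F2F (FW worker cores do the work).
"""
import re
from dataclasses import dataclass

# Constructed sample input: the counter lines of the two gateways in the post above.
SAMPLE_PXL_BOX = """\
Accelerated pkts/Total pkts : 1052964458/159849848978 (0%)
F2Fed pkts/Total pkts : 2764823456/159849848978 (1%)
PXL pkts/Total pkts : 156032061194/159849848978 (97%)
"""
SAMPLE_ACCEL_BOX = """\
Accelerated pkts/Total pkts : 191956815617/194432772885 (98%)
F2Fed pkts/Total pkts : 3767408762/194432772885 (2%)
PXL pkts/Total pkts : 0/194432772885 (0%)
"""

_LINE = re.compile(
    r"^(?P<path>Accelerated|F2Fed|PXL)\s+pkts/Total\s+pkts\s*:\s*(?P<pkts>\d+)/(?P<total>\d+)"
)


@dataclass(frozen=True)
class PathStats:
    accelerated: int  # handled fully on SND cores (SecureXL fast path)
    f2f: int          # forwarded to the firewall kernel on a FW worker core
    pxl: int          # passive streaming: SND plus FW worker (PSL/CPAS)
    total: int

    def share(self, path: str) -> float:
        """Fraction of all packets that took `path` ('accelerated', 'f2f' or 'pxl')."""
        return getattr(self, path) / self.total if self.total else 0.0

    def worker_share(self) -> float:
        """Fraction of packets that needed a FW worker core at all (PXL + F2F)."""
        return (self.f2f + self.pxl) / self.total if self.total else 0.0

    def dominant_path(self) -> str:
        return max(("accelerated", "f2f", "pxl"), key=self.share)


def parse_fwaccel_stats(text: str) -> PathStats:
    """Parse the summary lines of `fwaccel stats -s`; raises ValueError if a line is missing."""
    counters = {}
    total = None
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # other lines of the summary are not needed here
        counters[m["path"]] = int(m["pkts"])
        line_total = int(m["total"])
        if total is not None and line_total != total:
            raise ValueError(f"total packet count differs between lines: {total} vs {line_total}")
        total = line_total
    missing = {"Accelerated", "F2Fed", "PXL"} - counters.keys()
    if missing:
        raise ValueError(f"missing counter line(s): {sorted(missing)}")
    return PathStats(counters["Accelerated"], counters["F2Fed"], counters["PXL"], total)


def classify(stats: PathStats, fast_path_min: float = 0.90) -> str:
    """Coarse verdict on where the CPU load lands. The 0.90 threshold is an
    assumption chosen for this example, not a Check Point recommendation."""
    if stats.share("accelerated") >= fast_path_min:
        return "accelerated path: SND cores carry the load, FW workers mostly idle"
    if stats.dominant_path() == "pxl":
        return "PXL path: deep-inspection blades active, FW worker cores carry the load"
    return "F2F path: traffic not accelerated, FW worker cores carry the load"


if __name__ == "__main__":
    for name, sample in (("blades on", SAMPLE_PXL_BOX), ("blades off", SAMPLE_ACCEL_BOX)):
        s = parse_fwaccel_stats(sample)
        print(f"{name}: accel={s.share('accelerated'):.1%} f2f={s.share('f2f'):.1%} "
              f"pxl={s.share('pxl'):.1%} worker={s.worker_share():.1%} -> {classify(s)}")
```

Run on a live gateway with `fwaccel stats -s | python3 fwaccel_paths.py` after swapping the samples for `sys.stdin.read()`; on the first gateway the worker share comes out above 99%, which is why that box gets 10 FW workers to 4 SNDs, while on the second it is under 2%, which is why the split there is 8 SNDs to 6 workers.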