Vladimir
Champion

Should HTTPS inspection be accounted for in the appliance sizing charts?

So the new appliance sizing chart is out, and it is supposed to reflect a better enterprise traffic mix than those used in the past, yet HTTPS inspection is not mentioned there.

I really would like to think that it is accounted for and simply omitted, but am really skeptical about it.

Please vote for or against inclusion of the HTTPS inspection in the spec sheet and comment on the subject.

Yes: 32
No: 1
10 Replies
_Val_
Admin

Just wanted to note that with the Sizing tool, Check Point is already ahead of the competition in terms of transparency of the real world performance figures. 

Adding HTTPS to the picture is a bit tricky, because quantifying metrics should be based on some common practices, and there are just a few at this time.

Vladimir
Champion

I would prefer to see both: the common practice, to compare with the competition, and the real sizing, with HTTPS, CIFS, SMB, etc.

Right now, we are left to guess what the performance will be once these inspections are enabled and may either over or under size the appliances.

Having Check Point's figures would be a lot better.

Benjamin_Lamber
Participant

I recently went through the sales process and I agree that having the HTTPS inspection numbers published would have been very helpful. However, their other performance statistics were essential to making an informed decision especially when comparing to other vendors.

That being said, to get those extra answers about sizing I heavily utilized their sales team which helped tighten up on the model I needed.

Timothy_Hall
Legend

In my book I gave a very general recommendation to basically double the sizing of an appliance if HTTPS Inspection will be deployed, and this has been spot-on in the real world. However, keep in mind that suggestion was based on R80.10 and R77.30 gateways, and there have been some optimizations regarding HTTPS Inspection in the R80.20 gateway; I'm still working out just how much of an improvement. Buying a firewall appliance possessing a processor architecture that supports AES-NI (5600+) and SMT/Hyperthreading (5800+) will certainly help if you plan to use HTTPS Inspection extensively, as will making sure Gaia is running in 64-bit mode.

The upcoming Falcon cards will of course be a major game changer in this area and are expected to be supported all the way down to the 5100 appliance.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Vladimir
Champion

Tim, can you elaborate on whether the x2 you are referring to is applicable to the 5600+ appliances or to the smaller units?

I would imagine that this number would differ significantly between smaller units and those capable of AES-NI.

Additionally, I recall having a conversation while at CP HQ in which I stated that nothing with fewer than 4 cores should really be recommended in the post-R80.20 world.

Do you, perchance, recall in what context I could've come up with it?

Timothy_Hall
Legend

Hi Vladimir,

AES-NI will certainly help, at least with websites utilizing that in their active cipher suite. The x2 is a rough recommendation; frankly, I wouldn't be comfortable doing HTTPS Inspection on a 5400 or smaller box at all unless Internet bandwidth was less than 50Mbps and ended up being the primary performance constraint. Unless the <5400 box has a Falcon accelerator card in it, of course. 🙂 I doubt the HTTPS Inspection optimizations in R80.20 will help much on a 2-core firewall.

The context of that "less than 4 cores" conversation concerned the fact that if CoreXL is enabled and a firewall has 2 cores, both of them will try to serve "double duty" by acting both as an SND/IRQ core and a Firewall Worker core. This is much less efficient than having each core dedicated to only one function and defeats many of the gains provided by CPU fast caching, as the CPU caches thrash back and forth between the two functions. In some cases, disabling CoreXL completely on a 2-core firewall can actually improve the situation, as one core is dedicated to SND/IRQ functions and the other one is the solitary Firewall Worker. There is no easy way to know for sure ahead of time if disabling CoreXL on a 2-core firewall will help or hurt; you just have to try it...

Vladimir
Champion

Thank you!

I was going nuts trying to pin down the reasoning for that conviction but could not recall the particulars.

Going to CC Valeri Loukine, as I've mentioned it to him but he could not recall this discussion.

Your reply is extremely timely: I am in the process of recommending appliances for a potential client and this was the sticking point.

Cheers,

Vladimir

Vladimir
Champion

Tim,

Did you ever get to test disabling CoreXL on a 2-core firewall to determine whether or not it helps with performance?

Timothy_Hall
Legend

As mentioned in my book, disabling CoreXL on a 2-core firewall might help and it might not; it depends mainly on the distribution of traffic in the various paths.

--
"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Vladimir
Champion

I am still reading it, but jumping from chapter to chapter as I go. 🙂
