This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
BenjaminXu
Employee Alumnus
Employee Alumnus
‎2023-03-25 09:52 AM
Jump to solution

how many percentage of performance degradations

if enable VSX on security gateway or Maestro architecture, how many percentage of performance degradations?

0 Kudos
1 Solution

Accepted Solutions
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2023-03-25 10:47 AM
In response to HeikoAnkenbrand
Jump to solution


Small addendum:

For example, if you have 20 VS, there are 20 instances of this fwk0_dev_x process.

A calculation sample for the utilization of VS process fwk0_dev_X:

                                  max_CoreXL_number     max_CoreXL_number
fwkX_dev_0   =        ∑ fwkX_0                         + ∑ fwkX_dev_0 +                     fwk0_kissd +                 fwk0_hp
                                  x=0                                      x=0

- fwk0_X -> fw instance thread that takes care for the packet processing
- fwk0_dev_X -> the thread that takes care for communication between fw instances and other CP daemons
- fwk0_kissd -> legacy Kernel Infrastructure (obsolete)
- fwk0_hp -> (high priority) cluster thread

More read here:
- R8x - Performance Tuning Tip – User Mode Firewall vs. Kernel Mode Firewall  

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

0 Kudos
7 Replies
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2023-03-25 10:29 AM
Jump to solution

It depends on which blades you activate in the vs. You can't really make a general statement.

For the VS own VSX processes I see in practice about 1%-3% pervormance loss per instance.

If you use a large applinace, e.g. a 26000, this should not be a problem.

If you use a large applinace, e.g. a 26000, this should not be a problem.

For example, with 48 cores (48*100% = 4800% CPU performance) and 20 VS (2%*20 VS = 40% CPU performance) you lose 40% of 4800%. Is normally no problem.

It is similar with Maestro.


➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2023-03-25 10:47 AM
In response to HeikoAnkenbrand
Jump to solution


Small addendum:

For example, if you have 20 VS, there are 20 instances of this fwk0_dev_x process.

A calculation sample for the utilization of VS process fwk0_dev_X:

                                  max_CoreXL_number     max_CoreXL_number
fwkX_dev_0   =        ∑ fwkX_0                         + ∑ fwkX_dev_0 +                     fwk0_kissd +                 fwk0_hp
                                  x=0                                      x=0

- fwk0_X -> fw instance thread that takes care for the packet processing
- fwk0_dev_X -> the thread that takes care for communication between fw instances and other CP daemons
- fwk0_kissd -> legacy Kernel Infrastructure (obsolete)
- fwk0_hp -> (high priority) cluster thread

More read here:
- R8x - Performance Tuning Tip – User Mode Firewall vs. Kernel Mode Firewall  

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-03-25 12:25 PM
Jump to solution

Link @HeikoAnkenbrand sent is 100% your best reference. Not sure if you guys have anything better over there internally, but this is pretty good.

Cheers,

Andy

Best,
Andy
0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-03-25 03:54 PM
Jump to solution

As a guide ~12% overhead for VSX itself then the rest is very much configuration & version dependent.

CCSM R77/R80/ELITE
0 Kudos
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2023-03-26 01:50 AM
In response to Chris_Atkinson
Jump to solution

This is a VSX environment in the LAB with 2 VS instances and without blades enabled. At the moment, no traffic is going through the VS instancen.

I think each VS uses about 2% CPU performance when idle.
VSX_1_543543543.jpg

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
(1)
the_rock
MVP Platinum
MVP Platinum
‎2023-03-26 06:18 PM
In response to HeikoAnkenbrand
Jump to solution

I actually spun up VSX in the lab today and saw pretty much the same thing. I gave it 32 GB of ram and also 2 VSs and shows 4% utilization. Not sure if yours was R81.20, but thats what I created.

Best,
Andy
0 Kudos
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2023-03-26 10:32 PM
In response to the_rock
Jump to solution

I used R81.20 for the test.

With
-> R80.40 approx. 4%
-> R81.10 approx. 3%
per VS instance.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events