katsarasd
Contributor

Check Point Firewalls Connection Table

Hello Everyone,

Our infrastructure consists of external and internal firewalls in Cluster HA (High Availability) mode. The Check Point firewalls are virtual machines deployed on VMware ESXi hosts.

Firewalls have assigned resources of:

  • 4 vCPUs
  • 16 GB RAM
  • NICs are VMXNET 3

Recently, while performing zdebug on the internal firewalls, we noticed 98-100% connection table utilization. TAC advised us to change the capacity optimization setting from 2500 to automatic. After the change we noticed that the CPU utilization on the active gateway is now around 35%.

My question is whether this is going to create any issue on the internal firewalls in the future, i.e. resource exhaustion or kernel corruption? Would it be advisable to increase the vCPUs on the affected gateways?

Thanks in Advance

5 Replies
Don_Paterson
MVP Gold

It should not but there is not enough information to give a firm answer/s.

Performance question answers are not always straightforward, and as much information as possible should be collected and used to investigate.

Automatic has been the default for new installations for many versions now.

The more connections that are handled by the gateway the more memory used - to record the connection details in the connections table (and NAT and other tables).

CPU is consumed by the firewall software enforcing the policy. Rule matching.

SecureXL can offload the CPUs significantly if a lot of traffic is handled on the fast path, but traffic handled by blades like IPS, App. Control and Content Awareness will take more CPU.

HTTPS Inspection will also require more CPU resources.

 

fwaccel stats -s

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_PerformanceTuning_AdminGuide/Conte...


What version/s are you running?

What was the CPU utilization before?

Do you plan to have more traffic load in the future?

Any more blades to be added in the future? E.G. IPS or other Threat Prevention blades.

 

You can use various commands to monitor the usage of RAM and CPU, including cpview and fw ctl pstat.

I still like the old command:  fw tab -t connections -s

 

Also:

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_CLI_ReferenceGuide/Content/Topics-... 

 

Just for guidance and initial learning:

Snippet from  https://support.checkpoint.com/results/sk/sk39555

 

Connections Table and Memory Pool

Note - These settings exist only in SmartDashboard R77.30 and lower.

To control connections table size and kernel memory from SmartDashboard, select one of these options in the section "Calculate connections hash table size and memory pool":

  • Automatically (default and recommended) - Automatically calculates all values for this Security Gateway / Cluster / VSX Virtual System. The administrator does not need to change them. The derived settings are typically high maximum memory pool and low initial memory pool size values.

  • Manually - Table size, Hash size, and HMEM size are set manually. It is not recommended to change this setting to a high value, because the more memory you allocate, the larger the impact on Security Gateway performance.

 

Connections Hash Table Size

Note - This setting exists only in SmartDashboard R77.30 and lower.

Connections hash table size - Size of the hash table in bytes (default = 131072). This value must be an integer that is an exponential power of two and approximately four times the value of the "Maximum concurrent connection".

Example: If the connection limit is set to 50000, the hash table size should be 2^16 = 65536.

  • A larger hash size has a good effect on performance.
  • An effective hash table size should be approximately four times the number of average concurrent connections.
    In most cases, the maximum operational limit of a 4 MB hash table size can support a maximum of one million connections.

When you use the "Automatic" setting, the connections hash table size, memory pool size, and maximum memory pool size values change in these ranges:

Concurrent connections limit | Hash size (bytes) | Mem. Pool (MB) | Max. Mem. Pool (MB)
-----------------------------|-------------------|----------------|--------------------
0-21000                      | 65536             | 6-8            | 24-33
22000-43000                  | 131072            | 8-17           | 35-68
44000-87000                  | 262144            | 17-34          | 70-139
88000-174000                 | 524288            | 35-69          | 140-278
175000-349000                | 1048576           | 70-139         | 280-559
350000-699000                | 2097152           | 140-279        | 560-1119
700000-1398000               | 4194304           | 280-559        | 1121-2047

Example: For a maximum concurrent connections limit of 725000, automatic calculations result in these values:

  • Connections hash table size: 4194304
  • Memory pool size: 290 MB
  • Maximum memory pool size: 1161 MB

Note: Automatic settings do not account for the physical memory available on the Security Gateway / Cluster Members. The examples in the above section show a high maximum limit and low memory pool size.

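The reply above recommends `fw tab -t connections -s` for watching the table and quotes the sk39555 sizing rules. As an added example (not part of the thread and not a Check Point tool), the script below parses the one-line summary that command prints, reports usage against a connection limit you pass in, and derives the hash table size the SK table would assign. The sample output is constructed for offline use: the column layout (HOST NAME ID #VALS #PEAK #SLINKS) follows the real command, but the counters, the limit of 25000 and the 90% threshold are illustrative numbers, not values from the original post. The multiplier 3 in `recommended_hash_size` is chosen because it reproduces every row boundary of the SK table quoted above (e.g. 21000 x 3 = 63000 fits 65536, 22000 x 3 = 66000 needs 131072), whereas the SK prose only says "approximately four times".

```shell
#!/bin/sh
# Added example, not from the CheckMates thread or from Check Point.
# Reads the summary printed by `fw tab -t connections -s` on a Gaia gateway,
# reports how full the connections table is, and derives the hash table size
# that the sk39555 table would assign to the observed peak.

# Constructed sample of `fw tab -t connections -s` output (numbers are made up).
SAMPLE_FW_TAB='HOST      NAME                        ID #VALS    #PEAK    #SLINKS
localhost connections              8158 24650    25012    49300'

# conn_table_stats "<fw tab -s output>" -> prints "vals peak slinks"
conn_table_stats() {
    # Skip the header row, take the "connections" data row, print the counters.
    printf '%s\n' "$1" | awk 'NR > 1 && $2 == "connections" { print $4, $5, $6 }'
}

# utilization_pct <current> <limit> -> integer percentage of the limit in use
utilization_pct() {
    echo $(( $1 * 100 / $2 ))
}

# recommended_hash_size <concurrent_connections> -> hash size in bytes
# Smallest power of two that is at least 3x the connection count, starting at
# 65536 and capped at 4194304 (4 MB); this reproduces the sk39555 table rows.
recommended_hash_size() {
    target=$(( $1 * 3 ))
    size=65536
    while [ "$size" -lt "$target" ] && [ "$size" -lt 4194304 ]; do
        size=$(( size * 2 ))
    done
    echo "$size"
}

# check_connections_table <limit> <threshold_pct> [fw tab output]
# Without a third argument it runs `fw tab -t connections -s` on the gateway.
# Returns 0 when usage is below the threshold, 1 at or above it, 2 on parse error.
check_connections_table() {
    limit=$1
    threshold=$2
    output=${3:-$(fw tab -t connections -s 2>/dev/null)}
    set -- $(conn_table_stats "$output")
    [ $# -eq 3 ] || { echo "could not parse connections table summary" >&2; return 2; }
    vals=$1; peak=$2; slinks=$3
    pct=$(utilization_pct "$vals" "$limit")
    peak_pct=$(utilization_pct "$peak" "$limit")
    printf 'connections: %s/%s (%s%%), peak %s (%s%%), slinks %s, hash size for peak: %s bytes\n' \
        "$vals" "$limit" "$pct" "$peak" "$peak_pct" "$slinks" "$(recommended_hash_size "$peak")"
    [ "$pct" -lt "$threshold" ]
}

# Stand-alone run against the constructed sample: 24650/25000 is 98%, so the
# warning branch is taken. Capture a real run with `fw tab -t connections -s`
# on the ACTIVE cluster member, not the standby.
if check_connections_table 25000 90 "$SAMPLE_FW_TAB"; then
    echo "connections table below threshold"
else
    echo "WARNING: connections table at or above threshold; review the limit or use the Automatic setting"
fi
```

Pair the numbers with CPU and connections-per-second readings taken at the same moment (cpview or `fwaccel stats -s`) before drawing conclusions, as the later replies in this thread point out; a full table with 5% CPU and a full table with 35% CPU are different situations.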
Don_Paterson
MVP Gold

I should also mention the hcp -r all command, just to get the Health Check Point tests run and see current health status.

That may help to get a view of what's happening in there and then also have a benchmark.

After running hcp you should be able to connect to the gateway and view the report in a html page:

https://<gateway-ip>:<port-if-needed>/hcp

katsarasd
Contributor

Hello @Don_Paterson ,

Thanks for the valuable info.

According to what you asked:

What version/s are you running? --> 81.20 Take 120

What was the CPU utilization before? --> It was around 4-5%.

Do you plan to have more traffic load in the future? --> We expect more growth.

Any more blades to be added in the future? E.G. IPS or other Threat Prevention blades.--> IPS, Anti-Bot, Anti-Virus are enabled

I've also run the hcp -r all command on the firewall and the results seem fine.

Regards

Don_Paterson
MVP Gold

You are welcome.

The CPU utilization numbers would need some supporting information like number of connections and connections/second at the same point in time.

5% normally indicates a gateway that is idling and handling very little or no traffic at the point in time when the CPU resource utilisation is measured.

It is also important to monitor the active gateway in the cluster and not the standby, and to understand the differences in the numbers taken from each of them.

This document can give you an idea of the possible maximum throughput capabilities of an R81.20 gateway with 4 CPU cores and different combinations of blades.

https://www.checkpoint.com/downloads/products/cloudguard-gateway-performance-for-vmware-esxi-datashe...

 

You should talk to presales.

If you need more CPUs to handle more traffic in the future then more CPU licenses would be needed unless they are already purchased and in the vSEC license pool.

They can also advise on performance and future planning.

 

You can learn about performance monitoring from various sources (example below) but it may be quicker to talk to presales or professional services.

 

https://community.checkpoint.com/t5/Scripts/S7PAC-Super-Seven-Performance-Assessment-Commands/m-p/40...

 

the_rock
MVP Diamond

TAC is 100% correct, and here is why I would suggest the same. The main reason is that when it's set to automatic, the gateway would technically calculate the needed memory/CPU usage based on consumption, rather than when it's set to manual.

Best,
Andy