I'm trying to test the transfer rate between two firewalls (to test the infrastructure in between). Unfortunately, both firewalls are VSX and the 10G interfaces are all attached to the VS1.
In VS0 I would copy a big file to see the speed between the boxes, but how do I do that (the speed test) between the VS1s? I cannot scp directly to a VS1 using the interface of the VS1.
Or am I wrong and there is a possibility?
best regards
daniel
Using the Gateway as the source or destination for such tests isn't generally optimal, nor desirable from a SecureXL perspective (refer to sk32578).
Note that scp is really bad for network link performance testing. Its performance is limited mostly by the cryptographic performance of a single CPU core, so you are extremely unlikely to ever get even 1 gigabit of throughput from it.
What version of VSX are you running?
Are these firewalls in production, or is this performance testing before declaring them ready for production use?
If your firewalls are production, only do this in an outage window for the whole VSX cluster.
If you are running R80.40 or newer, your version of VSX is based on network namespaces, which is a pretty well-understood Linux feature. You can get a statically-linked version of iperf and use standard Linux tools (specifically, ip netns(8)) to run it in a particular namespace. First get a list of the namespace names using 'ip netns list' like this:
[Expert@SomeVsxCluster:0]# ip netns list
CTX00000 (id: 0)
CTX00002 (id: 2)
CTX00003 (id: 3)
CTX00004 (id: 4)
...
Then you use 'ip netns exec <namespace name> <command>' to execute <command> in the specified namespace.
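The lookup described in the reply above, as an added example that is not part of the original thread: it resolves a VS ID to its namespace name and prints (never executes) the matching `ip netns exec` command for review. Assumptions: namespaces are named CTX followed by the zero-padded VS ID, as the listing suggests; `/var/tmp/iperf3` is a hypothetical path for the statically linked binary; 192.0.2.10 is a constructed peer address.

```shell
#!/bin/sh
# Constructed sample of `ip netns list` output, used unless USE_SAMPLE=0.
SAMPLE_NETNS='CTX00000 (id: 0)
CTX00002 (id: 2)
CTX00003 (id: 3)
CTX00004 (id: 4)'

list_netns() {
    if [ "${USE_SAMPLE:-1}" = "1" ]; then
        printf '%s\n' "$SAMPLE_NETNS"
    else
        ip netns list            # real listing on the VSX member
    fi
}

# Print the namespace name for VS ID $1; return 1 if invalid or not present.
# Assumption: name is CTX + 5-digit VS ID (inferred from the listing).
resolve_ns() {
    case "$1" in
        ''|*[!0-9]*) echo "VS ID must be numeric" >&2; return 1 ;;
    esac
    want=$(printf 'CTX%05d' "$1")
    list_netns | awk -v ns="$want" '$1 == ns { found = 1 } END { exit !found }' || {
        echo "namespace $want not found" >&2; return 1; }
    printf '%s\n' "$want"
}

# Print the command that would run iperf3 inside the VS namespace.
# $1 = VS ID, $2 = "server" or the peer IP to test against as a client.
iperf_cmd() {
    ns=$(resolve_ns "$1") || return 1
    bin="${IPERF:-/var/tmp/iperf3}"   # hypothetical binary location
    if [ "${2:-}" = "server" ]; then
        printf 'ip netns exec %s %s -s\n' "$ns" "$bin"
    else
        # 10-second run with 4 parallel streams
        printf 'ip netns exec %s %s -c %s -t 10 -P 4\n' "$ns" "$bin" "$2"
    fi
}

# Show the client-side command for VS 2 against the constructed peer address.
iperf_cmd 2 192.0.2.10
```

Refusing an unknown VS ID before building the command avoids starting a load generator in the wrong context, for example VS0.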
This is VSX R81.10 and unfortunately this is already in production. I made a short connection test by just downloading a file using curl_cli and I agree: performance is really limited.
Thanks for the information about the namespace feature and especially for the warning 8)
We will forget this idea and will use additional devices to generate traffic through the firewall.
Ultimately, the recommendation for a whole-cluster outage window is because load testing is often disruptive. After all, you're trying to get the system to work as hard as it can to find the weakest point. Even if the cluster itself isn't sourcing or sinking the traffic, there's a risk that it is the weakest point. No matter how many VSs you have, VSX is a single OS running a single kernel, single filesystem, and so on. If you stress test to failure, there's a chance the whole box fails, taking all of its contexts with it.
Using iperf on the cluster members directly to test performance without involving systems behind the cluster carries only marginally more risk.
As for the curl_cli test, unless you were running it to /dev/null, that is bounded by storage I/O performance. If you're using Check Point branded servers, the storage is probably spinning disks. It's likely to be sequential writes, but there are a million situations which can lead to I/O contention, which would definitely bottleneck downloads via cURL.