Here are the recommendations that we would make to increase the performance of your IP560s.
Enable SecureXL
To do this:
1. SSH into the firewall.
2. Run the command cpconfig.
3. There will be an option to Enable Check Point SecureXL; enable it.
SmartDefense settings that will impact SecureXL:
· SYN Attack Configuration – Disables Templates
· Network Quota – Disables Templates
· ISN Spoofing – Disables Acceleration
· Spoofed Reset protection – Forwards RST packets to the Firewall
· Sequence Verifier – Make sure to turn on “Sequence Validation” in the “Advanced System Tuning” page in Voyager.
· TTL Check – Disables Acceleration
· IP ID Check – Disables Acceleration
· Application Intelligence Check:
  o POP3/IMAP Security – Disables Acceleration
  o Mail Server Security – Disables Acceleration
  o FTP Security Server – Disables Acceleration
  o Microsoft Networks – File and Print Sharing – Disables Acceleration
  o Block NULL CIFS sessions – Disables Acceleration
  o Block Popup Messages – Disables Acceleration for Microsoft Networks
  o Block ASN.1 – Disables Acceleration for relevant protocols
  o Block WINS Replication attack – Disables Acceleration for MS WINS traffic
  o Block WINS Name Violation – Disables Acceleration for WINS traffic
  o Peer-to-Peer – Disables Templates
  o Instant Messenger – Disables Templates
  o DNS Protection – Disables DNS Acceleration (TCP/UDP)
  o VoIP – Not Accelerated
  o SNMP Checks – Disables SNMP traffic Acceleration
  o SUN-RPC Program Lookup – Disables Acceleration for SUN-RPC traffic only
  o VPN Protocols:
    o PPTP Enforcement – Disables Acceleration of PPTP traffic
    o SSL Enforcement – Disables Acceleration of SSL traffic
    o Block IKE Aggressive Exchange – Disables IKE Acceleration for the client-to-server direction only
    o IKE Enforcement – Disables IKE Acceleration for the client-to-server direction only
    o SSH – Detect SSH over non-standard port – Disables Templates on ALL traffic
    o SSH Enforcement – Disables Acceleration for SSH traffic
  o Content Protection:
    o Malformed JPEG – Disables Acceleration for all HTTP
    o Malformed ANI files – Disables Acceleration for all HTTP
  o MS-RPC – Disables Acceleration for RPC traffic
  o MS-SQL – Disables Acceleration for MS-SQL traffic
  o Routing Protocols Check – Disables Acceleration for these protocols only (RIP, BGP, OSPF, IGMP)
· Application Layer: Web Intelligence:
  o HTTP Header Spoofing Check – Disables Acceleration on all HTTP traffic
  o Directory Listing – Disables Acceleration on all HTTP traffic
  o Error Concealment – Disables Acceleration on all HTTP traffic
  o ASCII only response header – Disables Acceleration on all HTTP traffic
  o Block HTTP on non-standard port – Disables Templates
  o Block HTTP Malicious Encodings – Disables Templates
I have also attached the SmartDefense User Guide.
Disable unnecessary services
In $FWDIR/conf/fwauthd.conf, comment out the following lines:
80 fwssd in.ahttpd wait -4
25 fwssd in.asmtpd wait 0
2525 fwssd in.emaild.smtp wait 0
110 fwssd in.emaild.pop3 wait 0
10081 fwssd in.lhttpd wait 0
900 fwssd in.ahclientd wait 900
0 fwssd in.asessiond respawn 0
0 fwssd in.aufpd respawn 0
0 stormd stormd respawn 0
0 sds sdsd respawn 0
0 dtps dtpsd respawn 0
0 dtls dtlsd respawn 0
Upgrade RAM
With the 1 GB of RAM that you currently have, the Check Point Max Connections would be 225,000. I would highly recommend you upgrade to 2 GB of RAM, which would allow 725,000 connections. I have included the Nokia documentation below that talks about memory utilization on flash-based firewalls and the amount of memory that a connection will use.
Table 2: Flash-Based IP Security Platforms

DRAM       CP Max Conns   CP Max Conns with Web Intelligence   Hash Table size   Memory Pool size   Max Memory Pool size
512 MB *   90,000         39,000                               4 MB              128 MB             196 MB
1 GB       225,000        112,000                              8 MB              256 MB             400 MB
2 GB       725,000        304,000                              16 MB             800 MB             900 MB

Note: (*) A 512 MB PCMCIA card is required on the IP265 in order to achieve the number (39,000) above.
In case you need to customize these settings, use the following data to determine the exact value for your needs:
Memory Requirements for FireWall-1 NG/NGX
The memory required depends on the kind of connections used:
o For simple connections (accept): overhead_per_connection is ~325 bytes
o For NAT’ed connections: overhead_per_connection is ~542 bytes
o For Resources: overhead_per_connection is ~401 bytes
o For VPN: overhead_per_connection is ~399 bytes
o General overhead: 6 MB
Assuming the worst-case scenario (NAT):
fwhmem = 6 MB + 542 * connections_limit
For 100,000 connections this is:
6144*1024 + 542*100000 = 60491456 bytes (57.6 MB)
Keep in mind that FireWall-1 doesn’t actually release the memory used for a TCP connection until about a minute after the connection ends. You should take this into account when planning how many connections you expect to handle.
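The following is an added example (not part of the original memo or of any Nokia or Check Point documentation) that carries the formula above through for a mix of connection types, allows for the roughly one-minute hold on memory of closed TCP connections, and compares the estimate with a Memory Pool size from the table. The 60-second hold time and the comparison against the Memory Pool column are my own assumptions for a rough sizing check.

```shell
#!/bin/sh
# Added example, not from the memo: estimate FireWall-1 NG/NGX kernel memory
# (fwhmem) for a mix of connection types using the per-connection overheads
# quoted above, size for connections whose memory is still held after close,
# and check the estimate against a Memory Pool size. POSIX sh, integers only.

OVH_ACCEPT=325                 # bytes per plain accepted connection
OVH_NAT=542                    # bytes per NAT'ed connection
OVH_RESOURCE=401               # bytes per Resource (security server) connection
OVH_VPN=399                    # bytes per VPN connection
OVH_GENERAL=$((6144 * 1024))   # fixed 6 MB general overhead, in bytes
HOLD_SECS=60                   # assumption: "about a minute" of post-close retention

# fwhmem_bytes ACCEPT NAT RESOURCE VPN -> bytes needed for that connection mix
fwhmem_bytes() {
    echo $(( OVH_GENERAL + OVH_ACCEPT * $1 + OVH_NAT * $2 + OVH_RESOURCE * $3 + OVH_VPN * $4 ))
}

# Worst case as the memo computes it: every connection NAT'ed.
fwhmem_nat_bytes() { fwhmem_bytes 0 "$1" 0 0; }

# effective_conns STEADY CLOSES_PER_SEC -> connections to size for, counting
# those closed within the last HOLD_SECS seconds whose memory is not yet freed.
effective_conns() { echo $(( $1 + $2 * HOLD_SECS )); }

# bytes_to_mb BYTES -> whole megabytes (1 MB = 1048576 bytes)
bytes_to_mb() { echo $(( $1 / 1048576 )); }

# fits_pool BYTES POOL_MB -> "yes" if the estimate fits in a Memory Pool of
# POOL_MB megabytes (128 for 512 MB DRAM, 256 for 1 GB, 800 for 2 GB).
fits_pool() {
    if [ "$1" -le $(( $2 * 1048576 )) ]; then echo yes; else echo no; fi
}

# Worked run: the memo's own figure, then a churny workload on the 1 GB tier.
n=$(fwhmem_nat_bytes 100000)
printf '100000 NAT conns: %s bytes (%s MB), fits 128 MB pool: %s\n' \
    "$n" "$(bytes_to_mb "$n")" "$(fits_pool "$n" 128)"
c=$(effective_conns 200000 500)      # 200k open plus 500 closes/s held ~60 s
m=$(fwhmem_bytes "$c" 0 0 0)
printf '%s effective accept conns: %s MB, fits 256 MB pool: %s\n' \
    "$c" "$(bytes_to_mb "$m")" "$(fits_pool "$m" 256)"
```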
Write Console Messages to the Messages File
The last suggestion at this time is to log the console messages to the messages file. This improves CPU availability, since the firewall no longer has to wait for Check Point to finish writing to the console before it can process the next request. I have included the directions below.
1. Set up a FW-1 kernel debug buffer to store the FW-1 console messages:
# fw ctl debug -buf 8192
2. Next, flush the debug buffer (set up in step 1) to syslog:
# fw ctl kdebug -f | logger &
3. To make this persistent across reboots, add the above commands to rc.local.