R70 IPS and cores

[mikebgn]

At a recent checkpoint summit I attended, there was mention about the ability in R70 to dedicate some cores just for the IPS piece, and if those cores maxed out, it wouldn't affect other firewall functionality's performace somehow.

In my R70.1 lab, I can't seem to find where to do this, can't find an R70 CoreXL doc, and of course the R65 CoreXL doc doesn't know about the new
R70 IPS piece...

Anyone know how to dedicate cores to the R70 IPS?
Or was this just marketing fluff ;-)
Could be marketing fluff, cause in the same conference, it was said that the R70 "blades" somehow operated in a some kind virtualized architecture which I now know this to be just B.right S.unshine ;-)

It was also mentioned that the IPS can be set to basically "fail open" when its cores were maxed out (not sure why one would want to do this, just pound the IPS and it will fail open - yay ;-) ), anyways, can't find yet how to do that either...

or maybe I was just daydreaming during that conference...

mikebgn

[mcnallym]

IPS Admin Guide for R70 may be a good start.

Pg 27 and 28 Bypass Under Load

Is a simple tick box on the gateway object under IPS.

Look at fw ctl affinity for assigning cores to processes R70 CORE XL is inside the Firewall Admin Guide. This is mentioned in the CORE XL section in the IPS Admin Guide.

Whilst it may be boring the pdf guides usually will at least point you in the right direction.

I haven't even started looking at R70 yet, and I found this in less then 5 minutes!

[mikebgn]

Ah IPS Admin Guide..didn't notice there was one ..thanks alot..
so I wasn't daydreaming :)

mikebgn

[PhoneBoy]

It's not ALL marketing fluff at those summits, you know :)

[mikebgn]

So, I just got off the phone with cpsupport, and according to them and the escalation team lead, there is no way to dedicated certain cores for the IDS piece only. CoreXL allows for certain core affinity for certain processes; fwd, cpd, cprid. However, the IDS piece is part of fwd and cannot be separated out.

So, maybe 97% fluff? ;-)

mikebgn

[PhoneBoy]

I believe IPS is a kernel-level function, not an fwd/userland function. I will look into it.

[PhoneBoy]

One of our IPS whitepapers seem to suggest IPS is tied to the firewall:

https://www.checkpoint.com/products/...chitecture.pdf

Still trying to get a definitive answer to this.

Even if this is true, you can still scale back IPS when the CPU utilization gets high.

[mikebgn]

Thanks phoneboy :)

They also flashed that slide at the conference:
R65 = 0.1
R65 with CoreXL = 0.65
R70 = 2.4 GPS

Now I know how they got 2.4 GPS throughput on R70 with 80% of the IPS enabled; just enable the IPS fail-open bypass! ha ha hee hee ho ho ;-)

mikebgn

[PhoneBoy]

From talking with R&D on this subject, the vast majority of the IPS protections are relatively easy on the CPU. There is a very small number of protections that require a substantial amount of CPU to enforce.

[chillyjim]

The worst of the bunch are the ones that rewrite headers like the "hide my HTTP server's name"

[dominodan]

The 2.4Gbps number below is measured when using the Recommended Profile which includes most of the protections turned on.

In R70 each protection has a Performance Impact associated with it. The only ones that has significant impact are protections are those marked as "Critical". There are only about 10 of them.

[serlud]

Quote:

Originally Posted by mikebgn

Thanks phoneboy :)

They also flashed that slide at the conference:
R65 = 0.1
R65 with CoreXL = 0.65
R70 = 2.4 GPS

Now I know how they got 2.4 GPS throughput on R70 with 80% of the IPS enabled; just enable the IPS fail-open bypass! ha ha hee hee ho ho ;-)

mikebgn

It is much simple just compare CPU speed for minimum HW 2000MHz/300Mhz ~ 7:
R65 = 0.1 (minimum HW PIII 300MHz)
R65 with CoreXL = 0.65 (minimum HW PIII 300MHz)
R70 = 2.4 GPS (minimum HW P4 2000MHz)

[PhoneBoy]

Quote:

Originally Posted by serlud

It is much simple just compare CPU speed for minimum HW 2000MHz/300Mhz ~ 7:
R65 = 0.1 (minimum HW PIII 300MHz)
R65 with CoreXL = 0.65 (minimum HW PIII 300MHz)
R70 = 2.4 GPS (minimum HW P4 2000MHz)

We can take the same piece of hardware on R65 with SmartDefense and see dramatic improvements with R70 and the IPS blade. Even on the lower-end boxes, we see some improvement.

[serlud]

Quote:

Originally Posted by PhoneBoy

We can take the same piece of hardware on R65 with SmartDefense and see dramatic improvements with R70 and the IPS blade.

Yes and not, It will be improved ,but for very known reason (tested by CP with one rule any,any accept, no log and only UDP traffic, all NICs are passing equal ammunt of traffic and so on) in real world we could not reache even 30% of 2,4 Gbit/s on 4 Core CPU..

Why CP is not interesting in real world throughput for IPS+FW , with normal FW policy?

Why not ask customers for providing real CPU (HW) last and trhougput to approximate an real world FW+IPS trhoughput? (with this infomrmation it will be easy to make write decision for which minimum HW and or UTM-1/IP to use, not just Appliance selecting XLS tools , you need 500Mbit/s - use UTM-1 27x - you known this information is too away from real traffic..) it will be just customer feadback...

Why not calculate an real Price for every Mbit/s and provide this information for customer?

[PhoneBoy]

No matter what number we publish for a given platform or what method we use, someone will find fault with it :)

The testing scenario we use for raw performance is, admittedly, not realistic, but it's also a fairly standard (RFC-even) and repeatable test. I believe we use a different method for IPS.

[serlud]

Quote:

Originally Posted by PhoneBoy

No matter what number we publish for a given platform or what method we use, someone will find fault with it :)

But is will be less painfull for customer/service provider to have an real value of FW+IPS thougputs (with normal FW policy, NAT, Logging.. ,. - just average value...of 1000 - Nummber of rules NATs..CPU %...)

[plamy]

Right now the perf tests are apples and apples compared to other vendors.

If we publish non-RFC tests, with "real world" results, enterprising sales folks will point to them and say that CP firewalls are slow compared to xx product, apples and oranges.

It would be nice to have realistic tools for comparison. Our professional services org can generate any profile and tests you want, for money of course.

I know because I've done it in the past for one of our US clients.

[chillyjim]

Quote:

Originally Posted by serlud

But is will be less painfull for customer/service provider to have an real value of FW+IPS thougputs (with normal FW policy, NAT, Logging.. ,. - just average value...of 1000 - Nummber of rules NATs..CPU %...)

If there was an "Average" customer we could do that, but there isn't. You think 1K rules is normal, I yell at customers that have more than 200 rules. That said my heaviest loaded gateway is for a customer that has ~30 fw rules and maybe 50 NAT rules.

If you want your performance numbers, you need capture the traffic you are running through it and we can profile it for you. Nothing else is even going to be close to accurate.

By using the same testing methods as everyone else, you know that give a given set of numbers your results will be X% less.

My recommendation to most people is to use the VPN performance numbers, as they tend to be worst case.

[serlud]

Quote:

Originally Posted by chillyjim

If there was an "Average" customer we could do that, but there isn't. You think 1K rules is normal, I yell at customers that have more than 200 rules. That said my heaviest loaded gateway is for a customer that has ~30 fw rules and maybe 50 NAT rules.

Average result from 1000 customers (not FW/NAT rules).
It is also not neccessary to capture traffic - we can just use SmartView Monitoring.

You will need only CPU% (CPU GHz value) - Througput - fw rules count ,NAT..
With this information you can simple aproximate any values.. ..

Quote:

Originally Posted by plamy

If we publish non-RFC tests, with "real world" results, enterprising sales folks will point to them and say that CP firewalls are slow compared to xx product, apples and oranges.

Why than you publish an unreal price for 1Mbit/s (4$ ? FW test with UDP 1518, one rule - no log) ?
Why not write in the same place that it is price for Checkpoint FW working in routing mode (any any accept - no log)

It is just your sales follks try to provide customer with TESTED Price..- which will be never reached in real world.

[PhoneBoy]

SmartView isn't exactly the best way to capture this information. Sure, you can see what services are being used, but you can't see HOW those services are used (e.g. what's the packet size mix). As chillyjim says, a packet capture of your real traffic flows is the best way.