| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| Curious about everyone's stats... Back when I got into managing a CheckPoint system, it was running Firewall-1/VPN-1 version 3.0 on a Windows NT box. Short on money, we put everything into one box... Management Server, Gateway, and Logging... I think it was a Pentium 300 or so, with 256 RAM... We had about 130 users behind it, maybe 20 rules, and a few custom defined objects.. And not too much traffic.. I logged everything in accounting mode... System worked well, never a single crash, except for the time I decided to modify the rules file manually and hosed it... But it typically ran at 60-70% CPU, and 75% memory... Scrolling through the log file was a nightmare, even though I wrote a nice logswitch file that kept them small... I'll include that at the end for nostalgic purposes... Anyway, nowadays times have changed... And I have a decent setup for our core firewalls... We have two clusters. Cluster 1 (Production Firewall): 2 Nokia IP530's. Cluster 2 (Internal Firewall): 2 Nokia IP530's. Both have 512 RAM. And the two do interface together to pass traffic... Each cluster has its own policy file, but share mgmt server, logging and objects. They are currently managed by a single Windows box, and logging to it as well. That Windows box is an out of support Dell Pentium 800 with 1 gig RAM. (Don't worry, I am moving to SPLAT on a new box for mgmt, and another new box same for logging.. Both 3GHz and 2 gig RAM) Total we have about 2000 custom objects, and about 1200 custom services... Each policy has around 200 rules incorporating those objects and services... We currently run about 5-10% CPU and around 60% memory... On the Gateways... The Mgmt/Logging server runs about 7% except when viewing logs or building/pushing policy, then spikes from 50-100% CPU... As in the past, they are rock solid, and have yet to let me down... I've some changes to make since taking them over, but that will come in time... So, what platforms and stats are the rest of you working with?
Last edited by rokudan; 2008-01-20 at 14:14. |
| |||
| What version of FW-1 are you using? I had IP530's for a long time on both R55 and R61. On R55, with just a T-1, the CPU ran consistently between 10% and 15% with 512 MB of RAM. Moving it to R61 caused the CPU to run consistently between 45% and 65% with peaks to 80%. When we increased the bandwidth to 6 Mbps, the CPU would hit 95%+ regularly. Eliminating all of the Internet Explorer SmartDefense checks, because we were patched against all of them, eliminated the high peaks. The IP530's are just 721 MHz Pentium III's, so they are really underpowered for today's software. I also figure the newer versions are code-optimized for P-IV's. Ray |
| |||
| Currently running 55, but in a couple weeks going to 62... Running 61 on a couple other 530's I have, and have not had CPU spikes like that... So hopefully I won't see that on these... |
| |||
| Upgraded one of my clusters last night to R62... They are still typically running about the same CPU usage, although every once in a while will spike to 70-80%... But typically under 10%... However since we are off peak usage for our customers, I have about 1/4 the connections.. So Monday will be the true test, well actually Tuesday probably since Monday is a holiday... |
| |||
| I'm running P1 R65, one MDS and one MLM. The upgrade from R61 to 65 was a bit crazy. P1 R61 HFA03 seems better (faster, more stable) than 65. 40 CMA's and 40 CLM's. The P1 is managing 4 VSX clusters, each running 10 VS's with a single EVR per cluster doing the routing (via OSPF) for all VS's. I'm running R60 HFA01 VSX with three special HF's. Lately I've had a series of cluster crashes, which require a power cycle. Seems to happen every 6 days. Since March of 2008 I've had over 10 total cluster crashes. I'm trying to move the VSX to R65, but have run into a few show stoppers that require development to fix. I wonder if anyone out there is running R65 VSX on SPLAT. Some of these clusters will process 15 to 20 million connections per day. Everything is running on Dell 2850's. |