UTM-1 Edge X stops working on high load

[ggts2008]

Hi All,

I have installed UTM-1 Edge X (Unlimited nodes) with WAN connection of 4 Mbps.

Hardware Type: SBox-200
Hardware Version: 1.3T

The configuration is pretty straight forward - allowing certain TCP ports to DMZ servers. The clients access the DMZ servers via internet.

The issue is, when around 3000 concurrent connections, the Check Point slows down and the clients get a slower response from the box.

According to the specification, in Check Point Software: Check Point Platform Guide: Check Point UTM-1 Edge,
it says the FW throughput is 150 Mbps.

Can somebody let me know how many concurrent connections/FW throughput the box can handle?

Thanks in advance.

[melipla]

Quote:

Originally Posted by ggts2008

According to the specification, in Check Point Software: Check Point Platform Guide: Check Point UTM-1 Edge,
it says the FW throughput is 150 Mbps.

The devices may be sized to handle 150 Mbps, but the question is how close are you to your 4 Mbps limit. If you're hitting the upper limits of the bandwidth that may be an issue.

[ggts2008]

Hi,

Thank you for the reply.

My WAN link utilization never exceeds 2 Mbps.

When I move the the link back to my Linux firewall, everything works fine. I wanted to use check point instead of my linux firewall.

When the concurrent connection hits 3000, Check Point firewall GUI too takes ages to load.

Can you please help?

Thanks in advance.

[Thorpuse]

run the info device command via SSH, and look at the memory usage. Also what firmware version is this?

[ggts2008]

Hi,

Sorry for the delayed reply. I have attached the info device taken during load.

Edge-X runs 7.5.5x firmware.

Thanks.

[mcnallym]

According to the link that you supplied then it states 8000 concurrent connections, so if only at about 3000 then you are within that range.

Personally however I don't run Edge Boxes where I am hosting servers, I always use a full Check Point firewall. I just don't find that the Edge is that great in that environment.

Are you running any of the SMARTDefense or other UTM features on the box, or is it just the straight firewall, with no UTM or SMARTDefense, as this will significantly impact performance.

[Thorpuse]

I would suggest upgrading to 7.5.55. I had load issues with 7.5.50.

Also, PM me if the majority of your connections are VPN connections. I've seen some odd activity with Edge boxes and VPNs on the 7.5.x firmware, and if someone else can corroborate it then I'll log a bug with CP about it.

While the docs say 8000 connections, the reality is much, much less. I would say the stress point kicks in at about 1500-2000 connections, depending on the mature of the traffic and the protections enabled. These are designed for branch offices, with a recommended maximum number of users at around the 50-75 user mark. Anything higher and you really should use a UTM-1 appliance.

[ggts2008]

I tried reducing my network load to try and identify when the Edge X falls over. It's unusably slow at 600 concurrent connections, 5k pps, 1.6Mbit bandwidth usage. Details below:

My network:
The Edge X is exclusively used to firewall a single server in my Data Center. I don't have any LAN users web browsing, or any other traffic through the Edge X. There are no VPN users either.

Edge X has single WAN and LAN interfaces defined. WAN is ethernet with public, and is connected to my Cisco router. Server is on LAN interface.

WAN is 2Mbit pipe with peak usage of ~1.6Mbit. I have a peak of 600 concurrent connections. Entire traffic through the firewall peaks at 4800 packets per second. In this situation, the Edge X web gui becomes very slow (even when I connect from the LAN), and my application lag increases until my users start complaining!


Rules in use:
One "Allow and forward" rule defined on WAN to forward a single tcp port from WAN clients to the server in the LAN.

NAT on LAN interface for packets destined to my server. Server does not use Edge X as default gateway, so I NAT all server connections using LAN IP of the Edge X. Note that by design, NAT is not defined on WAN.

Only these basic firewall rules are in place. I don't have AV/SPAM or VPN running as I don't even have a license to activate these features.


As for the suggestions of using a UTM-1, can you please suggest if the UTM-1 270 is capable of satisfying my load/requirement? Thanks!

[Thorpuse]

I'd upgrade to a UTM-1 270. This will be more than adequate, and the time you'll save on troubleshooting and hacking around with this will easily offset the cost.

[chillyjim]

Not to dissuade you from a UTM-1, and its diagnostics are better than Edge, but you are well within what an Edge should be able to handle. My first guess would be hardware or a port mis-match.