CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
I have a pair of Sun X4200-M2 running NGX R65 2.6 kernel in Active/Standby ClusterXL. These Sun boxes have 4GB RAM on each box. I have about 200 rules in the security policy with about 2000 objects. I have 12 Dell Servers 2950-III, 8GB RAM with dual quad-core processors, 6 servers behind the firewalls and 6 servers outside of the firewall. Everything is connected to a Cisco Catalyst 3750 24 ports 10/100/1000. According to the diagram, when I fired Iperf clients x, y and z to hit Iperf servers 1, 2 and 3, respectively, I could see the Active firewall handle 1Gbps throughput. That's the good part. However, when I fired Iperf clients 4, 5 and 6 to hit Iperf servers A, B and C, I could see the traffic on the External interface of the Active firewall drop to 500Mbps received and 700Mbps transmitted. I know that WITHOUT firewalls, my Catalyst can handle >1Gbps easily both ways. My question is this: are these firewalls capable of handling >1Gbps throughput, or is it just a marketing ploy by Check Point? I am not interested in connections per second, only in firewall throughput. From what I can observe, the Sun X4200-M2 cannot handle >1Gbps throughput. Am I wrong here?
There are a lot of things that can affect firewall throughput. My guess is that peak performance on a X4200 would be about 80% of the interface speed. After that point the firewall's rules and other processing come into play. There are a lot of tuning "tricks" to improve performance including the use of more interfaces (Yes, this is a real PIA for most designs) and rule-base optimization with SecureXL. I'm assuming this is on a lab environment, so to get a baseline, load a gateway with Solaris X86 and enable routing to see how much throughput you have there (You can load a Linux build for this too if you know how). Then try your test with one gateway and an "Any Any Accept No-log" rule. That will give you the baseline for the FW's throughput (This is also how all firewall throughput is reported, not just Check Point's). As for whether you can get better than a Gbps through a X4200, yes, if you have more than one pair of interfaces going.
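The baseline-then-policy comparison suggested in the reply above is easier to reason about when the iperf runs are parsed and aggregated rather than read by eye. The following is an added example, not code from the thread or from Check Point: it parses classic iperf (v2) client summary lines, sums the per-client throughput of a run, and compares a run taken with the real policy against a routing-only (or "Any Any Accept No-log") baseline, using the reply's rule of thumb that roughly 80% of interface speed is the practical ceiling for a single interface pair. The iperf output, addresses and throughput figures are constructed for illustration; the link speed of 1000 Mbit/s and the 80% ceiling are the only values taken from the thread.

```python
"""Parse classic iperf (v2) client output and compare a policy run against a
baseline run. Added example; all sample output below is constructed."""
import re
from typing import Dict, List

# Matches an iperf v2 interval/summary line such as
#   "[  3]  0.0-10.0 sec   393 MBytes   330 Mbits/sec"
#   "[SUM]  0.0-10.0 sec  1.11 GBytes   953 Mbits/sec"
SUMMARY_RE = re.compile(
    r"^\[\s*(?P<sid>\d+|SUM)\]\s+(?P<start>[\d.]+)\s*-\s*(?P<end>[\d.]+)\s+sec\s+"
    r"(?P<bytes>[\d.]+)\s+(?P<bunit>[KMG]?)Bytes\s+"
    r"(?P<rate>[\d.]+)\s+(?P<runit>[KMG]?)bits/sec\s*$"
)
RATE_TO_MBPS = {"": 1e-6, "K": 1e-3, "M": 1.0, "G": 1e3}
EXPECTED_CEILING = 0.80   # reply's rule of thumb: ~80% of interface speed


def parse_iperf(output: str) -> Dict[str, float]:
    """Return {stream_id: Mbit/s} using, per stream, the line covering the
    longest interval (the whole-run summary, even when -i interval lines are
    present)."""
    best = {}  # sid -> (duration, mbps)
    for line in output.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if not m:
            continue
        sid = m.group("sid")
        duration = float(m.group("end")) - float(m.group("start"))
        mbps = float(m.group("rate")) * RATE_TO_MBPS[m.group("runit")]
        if sid not in best or duration > best[sid][0]:
            best[sid] = (duration, mbps)
    return {sid: mbps for sid, (_, mbps) in best.items()}


def client_mbps(output: str) -> float:
    """Throughput of one iperf client: the [SUM] line if parallel streams were
    used, otherwise the sum of the individual streams."""
    per_stream = parse_iperf(output)
    if "SUM" in per_stream:
        return per_stream["SUM"]
    return sum(per_stream.values())


def run_mbps(client_outputs: List[str]) -> float:
    """Aggregate throughput of one test run: several clients fired at once."""
    return sum(client_mbps(o) for o in client_outputs)


def assess(measured_mbps: float, baseline_mbps: float, link_mbps: float = 1000.0) -> dict:
    """Classify a measurement relative to the link and to the baseline run."""
    pct_link = measured_mbps / link_mbps
    pct_base = measured_mbps / baseline_mbps if baseline_mbps else 0.0
    if pct_link >= EXPECTED_CEILING:
        verdict = "at or above the expected ceiling for one interface pair"
    elif pct_base >= 0.9:
        verdict = "baseline itself is low: look at the platform or routing path, not the policy"
    else:
        verdict = "well below baseline: policy/inspection overhead (rule base, SecureXL, interface count)"
    return {"measured_mbps": measured_mbps, "pct_of_link": round(pct_link, 3),
            "pct_of_baseline": round(pct_base, 3), "verdict": verdict}


def _fake_client(dst: str, summary_mbps: int, intervals=()) -> str:
    """Build constructed iperf v2 client output for the demo (not captured)."""
    lines = ["-" * 60, f"Client connecting to {dst}, TCP port 5001",
             "TCP window size: 64.0 KByte (default)", "-" * 60,
             f"[  3] local 10.0.2.21 port 40122 connected with {dst} port 5001",
             "[ ID] Interval       Transfer     Bandwidth"]
    for start, end, mbps in intervals:  # optional -i style interval lines
        lines.append(f"[  3]  {start:.1f}-{end:4.1f} sec   200 MBytes   {mbps} Mbits/sec")
    lines.append(f"[  3]  0.0-10.0 sec   393 MBytes   {summary_mbps} Mbits/sec")
    return "\n".join(lines) + "\n"


# Constructed runs: three clients to three servers, first with routing only /
# any-any-accept, then with the production policy loaded.
BASELINE_RUN = [_fake_client("10.0.1.11", 330, [(0.0, 5.0, 335), (5.0, 10.0, 325)]),
                _fake_client("10.0.1.12", 325),
                _fake_client("10.0.1.13", 318)]
POLICY_RUN = [_fake_client("10.0.1.11", 165),
              _fake_client("10.0.1.12", 170),
              _fake_client("10.0.1.13", 160)]

if __name__ == "__main__":
    base = run_mbps(BASELINE_RUN)
    for name, run in (("baseline", BASELINE_RUN), ("policy", POLICY_RUN)):
        print(name, assess(run_mbps(run), base))
```

Run it as-is to see the two constructed runs classified; in a real lab, replace the constructed strings with the saved stdout of each `iperf -c <server>` invocation. The "longest interval wins" rule in `parse_iperf` is what keeps `-i` interval lines from being double-counted, and `client_mbps` prefers the `[SUM]` line so `-P` parallel streams are not summed twice.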