Issue with pushing policy in R65

[gavvys]

Hi
I have recently insalled R65 on NOKIA 380,on latest IPSO image, I am facing the issue with pushing the policy, when I push the policy it takes lot of time, near about 10 mins, let me know if anybody facing the issue.
Another issue is that if I enable the smartdefence the CPU usage goes very high, it goes near about 80% and makes the system slow.
One more question has anbody faced the issue with licences, I mean to say if we have less checkpoint user licences and having more machines in the network, does it make any issue with the performance of the system, because I have read somewhere that if the number of users exceeds then the licence then it makes the system slow.

Regards
Ranjit

[mcnallym]

Yep SmartDefense will use up CPU. At our last Nokia update then Nokia were saying that really unless you have a multicore or multiple CPU system then SMARTDefense and UTM functionallity on the appliances will be a big performance hit on the unit. There newest appliances are coming out with Dual Core or more and awaiting the IPSO 6.0 update to allow multicore to work properly on them and should resolve some of these options.

Talking with some Check point people last week and they said that even there new UTM appliances start to struggle when you have the SMARTDefense enabled or start doing the UTM AV or URL filtering.

I have found that progressively over NGX then the policy install time has got worse and takes longer and longer with each release. I don't really suggest less then 512Mb for an NGX box these days.

I personally haven't seen anything regarding license count and going slower if exceed the license count, only that get annoying messages in the log file.

[Brittin_C]

Does anyone know if SmartDefense uses other CPUs that the FW Enforcement engine isnt using. By default in SPLAT 2.6?

Or does that require CoreXL?

[chillyjim]

Most of SMDF is run as part of the FW Kernel so it does not use other CPUs. CoreXL/Muli-core will.

[RayPesek]

Your hardware is underpowered.

When we were running R61 on an IP530 (IPSO 4.1) with 512 MB of RAM, a policy push would take a minute or more with 130 rules and most SmartDefense checks enabled. It ran 50% to 100% CPU during the day.

I just put in a Dell 2650 with a single 3 GHz dual core processor and 4 GB of RAM. Now the R65 verify and push takes maybe 20 seconds and it idles about 6%.

Are you running the SmartCenter on the IP380? If so, that will clobber your performance on that hardware as well.

Ray

[mcnallym]

Never run your management on the Nokia as really cripples the box! If you are going to invest the price of a Nokia and a Check Point license then the cost of a SPLAT box is hardly going to be noticed.

[Routerkid1]

get a splat box with 2 gb of ram and your problems will go away.

[Wainer19]

Hi,

Thought I would add my two cents here, I previously had some issues with R65 and according to support;

# R65 is not be supported on: IP130, IP265, and IP530
# R65 UTM (Anti Virus and Web Filtering) is only supported on disk based with 1GB RAM (Hybrid or flash-based systems is NOT supported)
# R65 on Flash-based or Hybrid system requires 1GB RAM and 1GB CF as a minimum
# NGX R65 (no AV and Web Filtering) requires 512MB RAM on Disk-based systems .

I tend to agree with the memory requirements, listed above. Would you run XP with 128M of RAM (minimum needed)... Huge leaps and bounds in R65 since R55 and the min requirements were 256M of RAM... So, I personally wouldn't recommened anything less then 1Gb for R65

[murawai]

I am seeing this issue also with R65. Our policy push now takes serveral minutes and CPU on the mgmt server goes very high during the verification (which is the longest part of the process). We are running Smart Center server on windows Server 2003 with SPLAT enforcement modules. Our Windows server has 2GB RAM and 1.4Ghz processor. I would have thought this would have been OK...

[RayPesek]

Hi Murawai,

How many rules and objects (approximately)? What's the network connectivity between the SmartCenter and the firewalls? Have the NICs been checked for errors and duplex mismatches?

What is the hardware for the management server and the enforcement modules?

My SmartCenter is a SPLAT Dell 1950 with 2 GB of RAM. The enforcement modules are Dell 2950's. A policy verification and push of a 130 rule policy takes about 40 seconds.

Ray