R75.40vs Hardware

[ra3ac]

Hi, I know VE is no VSX but this is the closest section to my issue. SOrry my first port is a request for info

My work want run run GAIA R75.40vs; but the appliance costs are stupidly high. I have found recomended hardware for R67, but nothing for R75.40vs. I need a server capable or hosting 20 lightly used VS's with IPS and preferably have 10G interfaces.

Any recomendations?

Thanks

[bmolnar]

Hi, I know VE is no VSX but this is the closest section to my issue. SOrry my first port is a request for info

My work want run run GAIA R75.40vs; but the appliance costs are stupidly high. I have found recomended hardware for R67, but nothing for R75.40vs. I need a server capable or hosting 20 lightly used VS's with IPS and preferably have 10G interfaces.

Any recomendations?

Thanks

Both Dell and HP seem to be the most used and supported Open Server by Check Point and both support 10gb NICs. I'd suggest at least 8gb of RAM (RAM is cheap), the CPU is up to you (just disable HT). Obviously the faster CPU(s) you have, the better your server will perform. For a Dell server, get a R710 with the X520 NIC. For an HP, get a DL380 G7 with a NC550SFP nic.

There are a couple places you can check to find out what the actual appliance specs are if you were consider using them as a reference point

[ra3ac]

Thanks for the reply. The open servers are more cost effective but I'm struggling to find info on how many VS's an open server can handle.

Initially we only need 20 VS's but I don't know our future needs - it may be worth paying the extra for an appliance just for scalability.

Are there any tools or rule of thumb to determine how many VS's an open server can handle? I know it depends on throughput and blades but there must be a way to determine if your current VSX firewall could handle another 10 VS license bundle.

[bmolnar]

Yes, it is hard to judge for an open server. According to the Specifications tab on Virtual Systems | Check Point, a 12200 appliance says it'll support 20 Virtual Systems. That appliance has a quad-core Core i5 750 with 4gb RAM, so as long as you spec your open server better than that, you shouldn't have a problem at all. RAM is pretty cheap. Upgrading a CPU or adding a second one tend to be a little pricier.

[ra3ac]

As an example, on our current VSX R67 open server environment we have either of these CPU's - no way of telling but assume we have the Quad cores on the VSX environment
4 x x3650 M2 XQC(E5506)2.13/4Gb/SS/1x675W
4 x Quad-Core Intel Xeon Processor E5506 2.13GHz

Whith the below stats its looks like we are runnig at 100% CPU but the top command and process load section states its idle. No idea how much load this server can take

[BCA-VSX-FWL-01:0]# cpstat os -f all

Product Name: SVN Foundation
SVN Foundation Major Version: 6
SVN Foundation Minor Version: 5
SVN Foundation Service Pack: 0
SVN Foundation Version String: NGX R67
SVN Foundation Build Number: 650000066
SVN Foundation Status code: 0
SVN Foundation Status short: OK
SVN Foundation Status long: OK
OS Name: SecurePlatform Pro
OS Major Version: -
OS Minor Version: -
OS Build Number: -
OS SP Major: -
OS SP Minor: -
OS Version Level: NGX Ecuador


Interface configuration table
---------------------------------------------------------------------------
|Name |Address |Mask |MTU |State|Mac Address|Description |
---------------------------------------------------------------------------
|lo | 127.0.0.1| 255.0.0.0|16436| 1| |Not supported|
|eth16| 1.1.1.1|255.255.255.252| 1500| 1|äA/Ì |Not supported|
|eth17| 0.0.0.0| 0.0.0.0| 1500| 0|äA/Î |Not supported|
|usb0 | 0.0.0.0| 0.0.0.0| 1500| 0|æF; |Not supported|
|eth0 |10.197.14.150| 255.255.255.0| 1500| 1| |Not supported|
|eth1 | 0.0.0.0| 0.0.0.0| 1500| 1| |Not supported|
|eth2 | 0.0.0.0| 0.0.0.0| 1500| 1| |Not supported|
|eth3 | 0.0.0.0| 0.0.0.0| 1500| 1| |Not supported|
|eth4 | 0.0.0.0| 0.0.0.0| 1500| 1| |Not supported|
|eth5 | 0.0.0.0| 0.0.0.0| 1500| 1| |Not supported|
|eth6 | 0.0.0.0| 0.0.0.0| 1500| 1| |Not supported|
|eth7 | 0.0.0.0| 0.0.0.0| 1500| 1| |Not supported|
|eth8 | 0.0.0.0| 0.0.0.0| 1500| 1| |Not supported|
|eth9 | 0.0.0.0| 0.0.0.0| 1500| 1| |Not supported|
|eth10| 0.0.0.0| 0.0.0.0| 1500| 1| |Not supported|
|eth11| 0.0.0.0| 0.0.0.0| 1500| 1| |Not supported|
|eth12| 0.0.0.0| 0.0.0.0| 1500| 1| |Not supported|
|eth13| 0.0.0.0| 0.0.0.0| 1500| 1| |Not supported|
|eth14| 0.0.0.0| 0.0.0.0| 1500| 1| |Not supported|
|eth15| 0.0.0.0| 0.0.0.0| 1500| 1| |Not supported|
---------------------------------------------------------------------------



Routing table
-----------------------------------------------------
|Destination|Mask |GateWay |Interface|
-----------------------------------------------------
| 1.1.1.0|255.255.255.252| 0.0.0.0|eth16 |
|10.197.14.0| 255.255.255.0| 0.0.0.0|eth0 |
| 127.0.0.0| 255.0.0.0| 0.0.0.0|lo |
| 0.0.0.0| 0.0.0.0|10.197.14.254|eth0 |
-----------------------------------------------------

Total Virtual Memory (Bytes): 8208924672
Active Virtual Memory (Bytes): 2220064768
Total Real Memory (Bytes): 4022300672
Active Real Memory (Bytes): 2220064768
Free Real Memory (Bytes): 1802235904
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -
CPU User Time (%): 14
CPU System Time (%): 86
CPU Idle Time (%): 0
CPU Usage (%): 100
CPU Queue Length: -
CPU Interrupts/Sec: 0
CPUs Number: 8
Disk Servicing Read\Write Requests Time: -
Disk Requests Queue: -
Disk Free Space (%): 94
Disk Total Free Space (Bytes): 3391242240
Disk Available Free Space (Bytes): 3206176768
Disk Total Space (Bytes): 3585359872


Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
| 1| 0| 2| 98| 2| ?| 0|
| 2| 0| 0| 99| 1| ?| 0|
| 3| 0| 0| 100| 0| ?| 0|
| 4| 0| 0| 99| 1| ?| 0|
| 5| 0| 0| 100| 0| ?| 0|
| 6| 0| 0| 99| 1| ?| 0|
| 7| 0| 0| 100| 0| ?| 0|
| 8| 0| 0| 100| 0| ?| 0|
---------------------------------------------------------------------------------



Partitions space
-----------------------------------------------------------------------------------------------------------------
|Partition|Size (bytes)|Used (bytes)|Free total (bytes)|Free total (%)|Free available (bytes)|Free available (%)|
-----------------------------------------------------------------------------------------------------------------
|/ | 1035722752| 569671680| 466051072| 44| 412590080| 39|
|/boot | 151310336| 11510784| 139799552| 92| 131987456| 87|
|/opt | 3585359872| 194117632| 3391242240| 94| 3206176768| 89|
|/sysimg | 1553612800| 114835456| 1438777344| 92| 1358585856| 87|
|/var |279251546112| 592609280| 278658936832| 99| 264244957184| 94|
-----------------------------------------------------------------------------------------------------------------

System Time: 1344511769
System Start Time: 1332669981




Top Command:
top - 12:34:11 up 283 days, 23:24, 1 user, load average: 0.06, 0.05, 0.00
Tasks: 119 total, 1 running, 118 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.0%us, 0.0%sy, 0.0%ni, 99.5%id, 0.3%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 29093852k total, 2168352k used, 26925500k free, 262372k buffers
Swap: 4088500k total, 0k used, 4088500k free, 1112716k cached

[PhoneBoy]

One thing to point out is the R75.40VS is Multicore capable (R67 is not) and can run in 64bit (if you have 6GB of RAM or more), so you should see better overall capacity on your existing system (not necessarily better throughput).

In general, the guidelines we post on VS capacity per appliance are recommendations. Actual capacity will depend on a number of factors, including utilization and Software Blades used.

[bmolnar]

Looks like you're running into sk36634, "SmartView Monitor constantly displays CPU load on gateway at 100%" and the fix for you is in VSX NGX R67.10. Essentially, 'top' is correct but the Check Point tools have an error reading /proc/stat for CPU usage

[ra3ac]

Thanks for the info guys - the SK info is really interesting.