CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Per-flow throughput limitations?

  1. #1
    Join Date
    2010-03-23
    Posts
    102
    Rep Power
    11

    Default Per-flow throughput limitations?

    Hello,

    I'm running some benchmarks and seeing some relatively low per-flow performance on our 61k. We've got 4x SSM and 4x SGM 260's if it matters.

    What kind of throughput should we be able to extract from a single session? Are there benchmarks listed somewhere?
    CCMSE+VSX, CCSE+, CCMA

  2. #2
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    649
    Rep Power
    7

    Default Re: Per-flow throughput limitations?

    Quote Originally Posted by NetworkNubbin View Post
    Hello,

    I'm running some benchmarks and seeing some relatively low per-flow performance on our 61k. We've got 4x SSM and 4x SGM 260's if it matters.

    What kind of throughput should we be able to extract from a single session? Are there benchmarks listed somewhere?
    What tool are you using for the measurement, and what are some values you got? Are you also taking the measurements during peak hours traffic or when at idle?

    Did you also review boxes performance indicators like: CPU, mem, free space, physical internet line speed?

  3. #3
    Join Date
    2010-03-23
    Posts
    102
    Rep Power
    11

    Default Re: Per-flow throughput limitations?

    Quote Originally Posted by laf_c View Post
    What tool are you using for the measurement, and what are some values you got? Are you also taking the measurements during peak hours traffic or when at idle?

    Did you also review boxes performance indicators like: CPU, mem, free space, physical internet line speed?
    Hey,

    This device is in a lab, no other traffic other than what's being sent via IXIA/Spirent. If I test with a single flow (IMIX), I'm seeing less than 1Gbps sustained throughput. I can of course scale much higher than that if I add additional flows.

    What's the largest "elephant" flow that the 61k can support? I would have hoped for something near the backplane speed to the SGM (10Gbps?)
    CCMSE+VSX, CCSE+, CCMA

  4. #4
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,659
    Rep Power
    11

    Default Re: Per-flow throughput limitations?

    That's some pretty specialized gear. I don't think many people have touched that before.

    That being said, what packet size are you sending? I'm assuming full 1500 byte frames? Also, can you show the output of the following from the VS you're testing out?

    BTW I don't have any benchmark answers, just wondering how much the 61ks are like the other firewalls.

    fwaccel stat
    fwaccel stats -s
    enabled_blades

    What blades are you running with? I'm guessing this is just firewall?

  5. #5
    Join Date
    2010-03-23
    Posts
    102
    Rep Power
    11

    Default Re: Per-flow throughput limitations?

    Quote Originally Posted by jflemingeds View Post
    That's some pretty specialized gear. I don't think many people have touched that before.

    That being said, what packet size are you sending? I'm assuming full 1500 byte frames? Also, can you show the output of the following from the VS you're testing out?

    BTW I don't have any benchmark answers, just wondering how much the 61ks are like the other firewalls.

    fwaccel stat
    fwaccel stats -s
    enabled_blades

    What blades are you running with? I'm guessing this is just firewall?
    Packet mix is IMIX - just FW today. Not really interested in troubleshooting (think I've done this once or twice..), looking for official single-flow performance numbers. We're doing a bakeoff between Fortinet 5k, CP 61k, and Juniper 5k. So far CP is way, way behind on single flow perf.
    CCMSE+VSX, CCSE+, CCMA

  6. #6
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,659
    Rep Power
    11

    Default Re: Per-flow throughput limitations?

    Quote Originally Posted by NetworkNubbin View Post
    Packet mix is IMIX - just FW today. Not really interested in troubleshooting (think I've done this once or twice..), looking for official single-flow performance numbers. We're doing a bakeoff between Fortinet 5k, CP 61k, and Juniper 5k. So far CP is way, way behind on single flow perf.
    So how bad is it?

    BTW what are you doing with those honking boxes?

  7. #7
    Join Date
    2010-03-23
    Posts
    102
    Rep Power
    11

    Default Re: Per-flow throughput limitations?

    Quote Originally Posted by jflemingeds View Post
    So how bad is it?

    BTW what are you doing with those honking boxes?
    Well... Juniper is handling 100Gbps flows, Check Point is, uh... much less. Not sure we're allowed to disclose actual numbers. I was hoping there'd be an official number somewhere

    Use-Case is just generic DC Core
    CCMSE+VSX, CCSE+, CCMA

  8. #8
    Join Date
    2014-07-21
    Posts
    57
    Rep Power
    7

    Default Re: Per-flow throughput limitations?

    Quote Originally Posted by NetworkNubbin View Post
    Well... Juniper is handling 100Gbps flows, Check Point is, uh... much less. Not sure we're allowed to disclose actual numbers. I was hoping there'd be an official number somewhere

    Use-Case is just generic DC Core
    Hi,

    Thank you for sharing this information. We need to install a bigger firewall than the 23800 appliances in our datacenter and we are looking at the 61k, using 260SGMs. At the moment this is not a solution for us because there is no "VMAC" support on the 61k and not all QoS features we need are implemented. Furthermore, QoS cannot be done on a bond interface. The Dynamic Dispatcher feature isn't in the actual 61k release, either. So the 61k would be fine because it fits into the infrastructure with the other appliances we have, but the problems with "performance" you mentioned could be a reason to look for some other vendor. We are planning with FW, QoS, IPS blades on the appliance.

    So before we will buy and implement the 61k we will do some further testing.

    PS:
    Looking at the data sheet, a 260SGM module only has half of the performance of a 21700 appliance. So this could be the reason why you only reach low rates with one flow, because one CPU is handling this flow and is limited.
    Perhaps something like multi-queue can help on this but I don't know if this is a working feature on the 61k. We did not dig really deep into the 61k universe.

    PPS:
    Even if I could not help you in your case, I would be interested in the performance data you achieved in your lab, if you can post them here.

    Regards.

  9. #9
    Join Date
    2006-04-27
    Location
    Twillight zone
    Posts
    1,010
    Rep Power
    16

    Default Re: Per-flow throughput limitations?

    Obviously, distribution of load would be horrible in the scenario of a single session host to host. You need meshed traffic to reach those impressive numbers and achieve spread.
    But, as this is what you are testing, it doesn't really matter if you have one or 10 SGMs, as that type of traffic/test will land on one SGM and a single core on that SGM.
    Sure, you could mess with distribution, but that's pointless with a host-to-host test... and then there is the correction layer to take into account as well.

    I would suggest that you talk to your Check Point contacts, there are some brilliant people in SP team who deal with performance testing and can give you some inputs, tips and tricks.
    Doubt they want to talk single session performance as it's basically a useless type of testing, but who knows.

    Anyway, a long time ago I tested something similar to still my curiosity on sgm220: a 4-6 gig single flow tcp session between 2 hosts... at that time one of the testing devices was fully utilized...
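
An added illustration of the point made in post #9 (not part of any post in the thread, and not Check Point's distribution algorithm): a toy model in which each flow's 5-tuple is hashed to one SGM and one core. The hash scheme, the core count and the per-core limit are assumptions; only the 4 SGMs come from the thread.

```python
import hashlib
from collections import Counter

SGMS = 4            # from the thread: 4x SGM 260
CORES_PER_SGM = 8   # assumption, not a 61k specification
CORE_GBPS = 1.0     # constructed per-core forwarding limit, illustrative only


def place_flow(flow, sgms=SGMS, cores=CORES_PER_SGM):
    """Map a 5-tuple to (sgm, core) with a stable hash (assumed scheme)."""
    key = "|".join(str(field) for field in flow).encode()
    h = int.from_bytes(hashlib.sha256(key).digest()[:8], "big")
    return h % sgms, (h // sgms) % cores


def achievable_gbps(flows, offered_per_flow, sgms=SGMS, cores=CORES_PER_SGM):
    """Return (aggregate Gbps, cores in use) when each core caps at CORE_GBPS."""
    load = Counter()
    for flow in flows:
        load[place_flow(flow, sgms, cores)] += offered_per_flow
    return sum(min(gbps, CORE_GBPS) for gbps in load.values()), len(load)


# Constructed test traffic: one host-to-host session vs. a 32x32 mesh.
SINGLE = [("10.0.0.1", "10.0.1.1", 6, 40000, 5001)]
MESHED = [(f"10.0.0.{s}", f"10.0.1.{d}", 6, 40000 + s, 5001)
          for s in range(1, 33) for d in range(1, 33)]

if __name__ == "__main__":
    for n in (1, 4, 10):
        print(n, "SGMs, single flow:", achievable_gbps(SINGLE, 10.0, sgms=n))
    print("4 SGMs, meshed:", achievable_gbps(MESHED, 1.0))
```

In this model the single session stays at one core's limit whether the chassis has 1, 4 or 10 SGMs, while the meshed set occupies every core.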
