CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Thread: HW Balancer

  1. #1
    Join Date
    2017-09-20
    Posts
    3
    Rep Power
    0

    Default HW Balancer

    Hello,
    We are a fairly new Checkpoint 23800s deployment, but have ran into issues of CPU utilization. We've gone through the normal routines in terms of optimizing the boxes as far as can be done under guidance from TAC. We had previously been running in HA mode with FW acceleration enabled, but only saw a minor amount of traffic being accelerated. We moved onto Load-Sharing mode, but have ran into issues with stability and general odd issues popping up as a result of the Load sharing deployment. I was curious if anyone had deployed Checkpoints with a pair of hardware balancers to make a "Firewall" Sandwich. I know there are several things that have to happen in order to avoid Asymmetric routing. I was curious if anyone had experience with this, and if they would mind sharing their input.

  2. #2
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,488
    Rep Power
    16

    Default Re: HW Balancer

    If you look at how vSEC is deployed in AWS or Azure in an autoscale configuration, it's basically a "firewall sandwich" configuration exactly like you describe with no state sync between the firewalls.
    It's certainly possible to do with hardware as well.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  3. #3
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,231
    Rep Power
    13

    Default Re: HW Balancer

Quote Originally Posted by dgcoy:
    Hello,
    We are a fairly new Checkpoint 23800s deployment, but have run into issues of CPU utilization. We've gone through the normal routines in terms of optimizing the boxes as far as can be done under guidance from TAC. We had previously been running in HA mode with FW acceleration enabled, but only saw a minor amount of traffic being accelerated. We moved onto Load-Sharing mode, but have run into issues with stability and general odd issues popping up as a result of the Load Sharing deployment. I was curious if anyone had deployed Checkpoints with a pair of hardware balancers to make a "Firewall Sandwich". I know there are several things that have to happen in order to avoid asymmetric routing. I was curious if anyone had experience with this, and if they would mind sharing their input.
    Firewall performance optimization is a tricky business as there are so many different places bottlenecks can occur. I'd suggest trying to tune what you have rather than redesigning your whole network. In general I am not a fan of Load Sharing (Active/Active) for the reasons you discovered. Please provide the output of the following commands run on your active cluster member (ideally during the firewall's typical busiest period) and I can provide a few suggestions:

    fw ver
    installed_jumbo_take (this may return an error which is OK)
    netstat -ni
    fw ctl affinity -l -r
    fwaccel stat
    fwaccel stats -s
    /sbin/cpuinfo
    fw ctl multik stat
    cpstat os -f multi_cpu -o 1
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com
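    As an added example (not from the thread or from any poster), a small Expert-mode shell script that gathers the outputs ShadowPeak.com lists above into one timestamped file, sampling the live counters several times across the busy period instead of once; SAMPLES and INTERVAL are this script's own knobs, not Check Point settings.

```shell
#!/bin/bash
# Added example, not from the thread: bundle the requested diagnostics into one
# file. Assumed to run in Expert mode on the active cluster member.
SAMPLES="${SAMPLES:-3}"      # samples of the live counters to take (script's own knob)
INTERVAL="${INTERVAL:-60}"   # seconds between samples (script's own knob)

# Run one command and append its labelled output; a missing or failing command
# (installed_jumbo_take may error on some builds, which is fine) is noted, not fatal.
run_cmd() {
    logf="$1"; shift
    {
        printf '\n===== %s (%s) =====\n' "$*" "$(date '+%Y-%m-%d %H:%M:%S')"
        if command -v "$1" >/dev/null 2>&1; then
            "$@" 2>&1 || printf '[exit status %d]\n' "$?"
        else
            printf '[%s not found on this host]\n' "$1"
        fi
    } >>"$logf"
}

# Collect everything into $1 (or a generated file name) and print that name.
collect_cp_perf_snapshot() {
    out="${1:-cp_perf_$(uname -n)_$(date +%Y%m%d_%H%M%S).txt}"
    : >"$out"
    # Static facts about the box: one pass is enough.
    run_cmd "$out" fw ver
    run_cmd "$out" installed_jumbo_take
    run_cmd "$out" /sbin/cpuinfo
    run_cmd "$out" fw ctl affinity -l -r
    run_cmd "$out" fwaccel stat
    # Live counters: sample repeatedly so one quiet moment does not mislead.
    i=1
    while [ "$i" -le "$SAMPLES" ]; do
        run_cmd "$out" netstat -ni
        run_cmd "$out" fwaccel stats -s
        run_cmd "$out" fw ctl multik stat
        run_cmd "$out" cpstat os -f multi_cpu -o 1
        if [ "$i" -lt "$SAMPLES" ]; then sleep "$INTERVAL"; fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Only run automatically when invoked as a script, not when sourced.
if [ -n "${CP_PERF_RUN:-}" ]; then collect_cp_perf_snapshot "$@"; fi
```

    Run it as CP_PERF_RUN=1 SAMPLES=5 INTERVAL=120 bash cp_perf.sh during the busy window and attach the resulting file to the thread.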

  4. #4
    Join Date
    2006-09-26
    Posts
    3,171
    Rep Power
    16

    Default Re: HW Balancer

Quote Originally Posted by ShadowPeak.com:
    Firewall performance optimization is a tricky business as there are so many different places bottlenecks can occur. I'd suggest trying to tune what you have rather than redesigning your whole network. In general I am not a fan of Load Sharing (Active/Active) for the reasons you discovered. Please provide the output of the following commands run on your active cluster member (ideally during the firewall's typical busiest period) and I can provide a few suggestions:

    fw ver
    installed_jumbo_take (this may return an error which is OK)
    netstat -ni
    fw ctl affinity -l -r
    fwaccel stat
    fwaccel stats -s
    /sbin/cpuinfo
    fw ctl multik stat
    cpstat os -f multi_cpu -o 1
    I have the following questions:

1. Are you by any chance using Microsoft DFS-R replication through these firewalls?
    2. Are you by any chance doing a lot of Oracle SQL*Net RMAN through these firewalls?

    If your answer is "yes" to either of the questions, there is NOT much Checkpoint can do to help you :-(

  5. #5
    Join Date
    2017-09-20
    Posts
    3
    Rep Power
    0

    Default Re: HW Balancer

    @ShadowPeak.com

I know some of the steps here we've gone through already.
    We are still currently running Load Sharing, so fwaccel will be off thanks to Sticky Decision.
    We are also using Dynamic Dispatch with Hyperthreading.
    The version is R80.10 on take 35.
    The actual stats will need to be pulled tomorrow, as today isn't indicative of our typical workload.


    @cciesec2006
1. We are currently still running FRS. We will be migrating to DFS-R before long. I was curious what pains you've run across in this.
    2. No Oracle passing through this. We do have SQL databases, but most of the traffic is localized and doesn't traverse the cluster.
    Last edited by dgcoy; 2017-09-26 at 11:32.

  6. #6
    Join Date
    2006-09-26
    Posts
    3,171
    Rep Power
    16

    Default Re: HW Balancer

Quote Originally Posted by dgcoy:
    @cciesec2006
    1. We are currently still running FRS. We will be migrating to DFS-R before long. I was curious what pains you've run across in this.
    2. No Oracle passing through this. We do have SQL databases, but most of the traffic is localized and doesn't traverse the cluster.
    I just sent you a private email about the issue I had with Checkpoint and DFS-R. It took TAC almost a year to get "somewhat" of a work-around. I am pretty sure the issue is not resolved in R80.10.
    Hopefully, you will get better support in R80.10 with DFS-R.

  7. #7
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,028
    Rep Power
    14

    Default Re: HW Balancer

ClusterXL Load Sharing was never good and brings way too many limitations and issues to the table.

    Never ever use CXL LS. If you are concerned about platform utilization, convert your physical FW cluster into VSX, split traffic between virtual systems and use VSLS.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/
