checkpoint appliance and microburst

[cciesec2006]

How does checkpoint appliance, the 13500 model, handle microburst traffics?

[jflemingeds]

How does checkpoint appliance, the 13500 model, handle microburst traffics?

It fully tastes the rainbow.

[cciesec2006]

It fully tastes the rainbow.

Is it a joke?

How does checkpoint appliance or checkpoint running on open servers handle microburst traffics?

[jflemingeds]

Is it a joke?

How does checkpoint appliance or checkpoint running on open servers handle microburst traffics?

My guess is rx_missed_errors and/or rx_no_buffer_count go up.

[cciesec2006]

My guess is rx_missed_errors and/or rx_no_buffer_count go up.

is the appliance robust enough to handle microburst traffics?

[cciesec2006]

Has anyone seen this problem with checkpoint firewall running either open servers or Checkpoint appliances? I can't be the only one with this issue.

[ShadowPeak.com]

I assume you are referring to this:

https://en.wikipedia.org/wiki/Micro-...8networking%29

This is more a function of Gaia and its NIC drivers emptying the network ring buffers via SoftIRQ in a timely fashion (or not) and is not necessarily dependent on the specific hardware model. If the ring buffer is full and more frames arrive, an RX-DRP (as shown by netstat -ni) will occur. There is no Active Queue Management (AQM) available in the current Gaia kernel for network buffers (Priority Queuing is something completely different) and tail drops will occur if the ring buffer is full. The upcoming Gaia kernel update will have some AQM capabilities such as CoDel but whether they will be officially supported for use by Check Point is an open question.

Mitigations to this are extensively covered in my book, and consist of (in order of preference):

• Adding more SND/IRQ cores
• Enabling Multi-Queue
• Increasing ring buffer size (only as a last resort due to BufferBloat)
• Increasing SoftIRQ CPU budget (not supported)

[cciesec2006]

I have a very interesting issue. I have 1350 appliances with R77.30 with latest GA JHFA.

I see a lot of drops and rx-drop on the 10G interface even though peaks around 800Mbps. However, if I replace the 10G interface with a 1Gig interface for the same traffic and I see ZERO drops and ZERO rx-drop.

How do you explain that?

TIA.

[ShadowPeak.com]

I have a very interesting issue. I have 1350 appliances with R77.30 with latest GA JHFA.

I see a lot of drops and rx-drop on the 10G interface even though peaks around 800Mbps. However, if I replace the 10G interface with a 1Gig interface for the same traffic and I see ZERO drops and ZERO rx-drop.

How do you explain that?

TIA.

Check status of Ethernet flow control function on the 1Gig interface.

[cciesec2006]

Check status of Ethernet flow control function on the 1Gig interface.

On a 10Gig interface:
ethtool -a eth0
Pause parameters for eth0:
Autonegotiate: on
RX: on
TX: on


On a 1Gig interface:
ethtool -a eth8
Pause parameters for eth8:
Autonegotiate: on
RX: on
TX: off


These are values that comes with installing R77.30. I do NOT make changes to them.

What's next?

[cciesec2006]

I am still looking for solutions on this.