CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: ISP throughput

  1. #1
    Join Date
    2009-12-11
    Posts
    24
    Rep Power
    0

    Default ISP throughput

    All,

    I have a locally managed 1180. We just upgraded the internet pipe from 30 to 200 Mbps. Off the ISP router I see 200 Mbps, but when I plug the ISP router into the 1180 I see the throughput drop to around 50 Mbps. I have the firewall and VPN blades running. VPN is sporadically used. Any reason for this behavior, or some setting I am missing?

    Thanks,

    Bill

  2. #2
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,194
    Rep Power
    13

    Default Re: ISP throughput

    Quote Originally Posted by bingdude View Post
    All,

    I have a locally managed 1180. We just upgraded the internet pipe from 30 to 200 Mbps. Off the ISP router I see 200 Mbps, but when I plug the ISP router into the 1180 I see the throughput drop to around 50 Mbps. I have the firewall and VPN blades running. VPN is sporadically used. Any reason for this behavior, or some setting I am missing?

    Thanks,

    Bill
    Are you sure the 1180 is linking to your router at Gig speed and not Fast Ethernet? Any network errors on the 1180 (netstat -ni), or on the router interface (show interface)?
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  3. #3
    Join Date
    2009-12-11
    Posts
    24
    Rep Power
    0

    Default Re: ISP throughput

    I did shut down some of the unlicensed blades. Only have the FW blade running now. Speed test now shows a 20 Mbps increase, up to 80, but not the provisioned 200. I would expect somewhat close to 200 overall. netstat -ni gave me an error. Maybe I need to hard code 1000/full?

    Results of 'ethtool WAN'

    Settings for WAN:
    Supported ports: [ TP MII ]
    Supported link modes: 10baseT/Half 10baseT/Full
    100baseT/Half 100baseT/Full
    1000baseT/Half 1000baseT/Full
    Supports auto-negotiation: Yes
    Advertised link modes: 10baseT/Half 10baseT/Full
    100baseT/Half 100baseT/Full
    1000baseT/Half 1000baseT/Full
    Advertised auto-negotiation: Yes
    Speed: 1000Mb/s
    Duplex: Full
    Port: MII
    PHYAD: 8
    Transceiver: internal
    Auto-negotiation: on
    Link detected: yes

    ifconfig results

    WAN Link encap:Ethernet HWaddr aa:bb:cc:dd:ee
    inet addr:x.x.x.x Bcast:x.x.x.x Mask:255.255.252.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:34441869 errors:0 dropped:0 overruns:0 frame:0
    TX packets:7782299 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:532
    RX bytes:1847394935 (1.7 GiB) TX bytes:1484168801 (1.3 GiB)
    Interrupt:11
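    The two checks asked for in post #2 (did the WAN port negotiate 1000/Full, and are there any error counters on it) can be scripted so they are easy to repeat while a speed test is running. The script below is an added example, not something posted by anyone in this thread. It parses the ethtool and ifconfig text formats shown above; the two sample outputs embedded in it are constructed (modelled on the posted output, with a placeholder MAC address), and the thresholds it flags (anything below 1000Mb/s, anything other than full duplex, any non-zero error/drop/collision counter) are my own reading of what the posts say to look for. It assumes a POSIX shell and awk; on a live box you would replace the constructed strings with "$(ethtool WAN)" and "$(ifconfig WAN)", or paste the output in from the appliance and run it elsewhere.

```sh
#!/bin/sh
# wan_link_check.sh: parse 'ethtool WAN' and 'ifconfig WAN' output and flag the
# two things asked about in this thread: a link that did not negotiate
# 1000/Full, and any error/drop/collision counters on the interface.
#
# Constructed sample outputs stand in for live command output. On the appliance
# itself you would use ETHTOOL_OK="$(ethtool WAN)" and IFCONFIG_OK="$(ifconfig WAN)".

ETHTOOL_OK='Settings for WAN:
	Speed: 1000Mb/s
	Duplex: Full
	Auto-negotiation: on
	Link detected: yes'

IFCONFIG_OK='WAN Link encap:Ethernet HWaddr aa:bb:cc:dd:ee:ff
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:34441869 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7782299 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532'

# Second constructed pair: the Fast Ethernet / half-duplex case post #2 warned
# about, with the frame and collision counters that typically accompany a duplex
# mismatch. Values are made up for the example.
ETHTOOL_BAD='Settings for WAN:
	Speed: 100Mb/s
	Duplex: Half
	Auto-negotiation: on
	Link detected: yes'

IFCONFIG_BAD='WAN Link encap:Ethernet HWaddr aa:bb:cc:dd:ee:ff
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:34441869 errors:412 dropped:0 overruns:0 frame:412
          TX packets:7782299 errors:0 dropped:37 overruns:0 carrier:0
          collisions:90211 txqueuelen:532'

# link_speed_mbps <ethtool output>: negotiated speed in Mb/s, or 0 when ethtool
# reports "Unknown!" (link down) or the Speed line is missing entirely.
link_speed_mbps() {
    printf '%s\n' "$1" | awk '
        $1 == "Speed:" { sub(/Mb\/s.*/, "", $2); if ($2 ~ /^[0-9]+$/) { print $2; found = 1 }; exit }
        END { if (!found) print 0 }'
}

# link_duplex <ethtool output>: Full, Half, or Unknown when the line is missing.
link_duplex() {
    printf '%s\n' "$1" | awk '
        $1 == "Duplex:" { print $2; found = 1; exit }
        END { if (!found) print "Unknown" }'
}

# iface_error_count <ifconfig output>: sum of every errors/dropped/overruns/frame/
# carrier/collisions counter across the RX and TX lines. Packet and byte counts
# are deliberately ignored; only the problem counters are summed.
iface_error_count() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++) {
              n = split($i, kv, ":")
              if (n == 2 && kv[1] ~ /^(errors|dropped|overruns|frame|carrier|collisions)$/) total += kv[2]
          } }
        END { print total + 0 }'
}

# link_verdict <ethtool output> <ifconfig output>: "OK: ..." when the link is
# 1000/Full with clean counters, otherwise "CHECK:" followed by what to look at.
link_verdict() {
    speed=$(link_speed_mbps "$1")
    duplex=$(link_duplex "$1")
    errors=$(iface_error_count "$2")
    problems=""
    [ "$speed" -ge 1000 ] || problems="$problems speed=${speed}Mb/s"
    [ "$duplex" = "Full" ] || problems="$problems duplex=$duplex"
    [ "$errors" -eq 0 ] || problems="$problems errors=$errors"
    if [ -z "$problems" ]; then
        echo "OK: ${speed}Mb/s ${duplex}, no interface errors"
    else
        echo "CHECK:$problems"
    fi
}

echo "posted output : $(link_verdict "$ETHTOOL_OK" "$IFCONFIG_OK")"
echo "mismatch case : $(link_verdict "$ETHTOOL_BAD" "$IFCONFIG_BAD")"
```

    Run against the output posted above the verdict is OK (1000/Full, all counters zero), which is why the link itself was ruled out in this thread. A growing collisions or frame count between two runs taken a minute apart during a speed test is the usual sign of a duplex mismatch even when ethtool claims the link is Full; if that shows up, hard-coding both ends to 1000/Full, as post #3 considers, is the right fix rather than only one side.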

  4. #4
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,618
    Rep Power
    8

    Default Re: ISP throughput

    The 1100 isn't the fastest firewall in the world. That being said, it doesn't seem like it's overloaded based on the netstat -in output. How does top look when you run the speed test?

    Have you tried wiring around the 1100 to see what you get then?

  5. #5
    Join Date
    2006-09-26
    Posts
    3,134
    Rep Power
    15

    Default Re: ISP throughput

    Quote Originally Posted by jflemingeds View Post
    The 1100 isn't the fastest firewall in the world. That being said, it doesn't seem like it's overloaded based on the netstat -in output. How does top look when you run the speed test?

    Have you tried wiring around the 1100 to see what you get then?
    LOL... He did that in his initial post: "I have a locally managed 1180. We just upgraded the internet pipe from 30 to 200 Mbps. Off the ISP router I see 200 Mbps, but when I plug the ISP router into the 1180 I see the throughput drop to around 50 Mbps. I have the firewall and VPN blades running. VPN is sporadically used."

  6. #6
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,618
    Rep Power
    8

    Default Re: ISP throughput

    oops my bad, you are correct.

  7. #7
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,194
    Rep Power
    13

    Default Re: ISP throughput

    Run top while the bandwidth is topping out at 80Mbps (during a speed test or something), is the firewall CPU 100% utilized during this period? If so you may be able to do some tuning to improve performance somewhat, but as noted earlier the 1100 has limited capabilities. If the CPU is not pegged something else is holding you back.

    Not sure if this will work at all on embedded Gaia, but you can try turning your firewall into a pure router with these commands WHICH WILL CAUSE AN OUTAGE:

    fw unloadlocal
    echo 1 > /proc/sys/net/ipv4/ip_forward

    You may need to have your upstream router do a basic overload/hide NAT as the fw unloadlocal disables all firewall enforcement including NAT. What kind of performance do you see with a speed test and the 1100 in this state?

  8. #8
    Join Date
    2009-12-11
    Posts
    24
    Rep Power
    0

    Default Re: ISP throughput

    Thanks for the suggestions! I'll try that sometime soon and post up the results.

  9. #9
    Join Date
    2006-09-26
    Posts
    3,134
    Rep Power
    15

    Default Re: ISP throughput

    Quote Originally Posted by ShadowPeak.com View Post
    Run top while the bandwidth is topping out at 80Mbps (during a speed test or something), is the firewall CPU 100% utilized during this period? If so you may be able to do some tuning to improve performance somewhat, but as noted earlier the 1100 has limited capabilities. If the CPU is not pegged something else is holding you back.

    Not sure if this will work at all on embedded Gaia, but you can try turning your firewall into a pure router with these commands WHICH WILL CAUSE AN OUTAGE:

    fw unloadlocal
    echo 1 > /proc/sys/net/ipv4/ip_forward

    You may need to have your upstream router do a basic overload/hide NAT as the fw unloadlocal disables all firewall enforcement including NAT. What kind of performance do you see with a speed test and the 1100 in this state?

    This will NOT work if you have NAT in place. How are you going to test this if the PC behind the 1100 has RFC 1918 address space? Unless you're talking about NAT'ing on the ISP router.


    Another approach is to have 1 rule "Any Any Accept" on the 1100 and see if it makes any difference.

  10. #10
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,618
    Rep Power
    8

    Default Re: ISP throughput

    Quote Originally Posted by cciesec2006 View Post
    This will NOT work if you have NAT in place. How are you going to test this if the PC behind the 1100 has RFC 1918 address space? Unless you're talking about NAT'ing on the ISP router.


    Another approach is to have 1 rule "Any Any Accept" on the 1100 and see if it makes any difference.
    Yes, it will. As Shadow indicated, the ISP router would need to do the hide NAT function. The only thing he left out would be a static route on the ISP router saying how to get to the subnet behind the 1100.

    And an any/any/any accept rule wouldn't show the raw forwarding rate the 1100 is capable of without the overhead of the firewall kernel.

  11. #11
    Join Date
    2006-09-26
    Posts
    3,134
    Rep Power
    15

    Default Re: ISP throughput

    Quote Originally Posted by jflemingeds View Post
    Yes, it will. As Shadow indicated, the ISP router would need to do the hide NAT function. The only thing he left out would be a static route on the ISP router saying how to get to the subnet behind the 1100.

    And an any/any/any accept rule wouldn't show the raw forwarding rate the 1100 is capable of without the overhead of the firewall kernel.
    Yes, Shadow did say it, my bad. Not having enough coffee in the morning.

    I sincerely doubt you will get 200 Mbps with the ISP router doing hide NAT or PAT (as Cisco calls it). I have a Cisco 3945 router running IOS enterprise code and I can only pull about 60 Mbps with the router doing NAT, and the CPU on the router is at 99% utilization:

    C3945_ISR#sh process cpu | i five
    CPU utilization for five seconds: 99%/35%; one minute: 98%; five minutes: 98%
    C3945_ISR#sh int g0/0 | i rate
    Queueing strategy: fifo
    30 second input rate 60752000 bits/sec, 5359 packets/sec
    30 second output rate 1365000 bits/sec, 2538 packets/sec
    C3945_ISR#

    Therefore, I don't think running hide NAT or PAT on the router will be the true test of throughput. The function of the router is to route traffic. If you ask it to do NAT, the throughput will suffer.

  12. #12
    Join Date
    2015-05-09
    Location
    New York, NY
    Posts
    5
    Rep Power
    0

    Default Re: ISP throughput

    Hey all -

    I had two 1100s and two SG80s at four of our offices. VPN connections from one of the 1100s to each of the other units. All the offices had a 125 Mbps connection. We only had the VPN and firewall blades active and definitely used NAT.

    I know that the 1100 in the main office was able to handle maxing out the connection, both through the VPN and directly to the internet. I don't recall the CPU becoming overwhelmed or any performance issues or added latency when the bandwidth utilization was high. I used an external SNMP polling service that sampled every 30 seconds as well. We retired the SG80s and 1100s and upgraded the firewalls and internet connections about 6 months back to leverage some next-gen features required by compliance.

    Sorry I didn't save the cpu / bandwidth graphs from the old setup, but you should be able to get at least 125Mbps with your setup as well!

    Nick

  13. #13
    Join Date
    2009-12-11
    Posts
    24
    Rep Power
    0

    Default Re: ISP throughput

    So I ran another test trying to get you all results. Go figure... it's fixed. Not sure if the ISP configured something on the backend, but I am seeing 200 Mbps+ now.

  14. #14
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,618
    Rep Power
    8

    Default Re: ISP throughput

    Quote Originally Posted by bingdude View Post
    So I ran another test trying to get you all results. Go figure... it's fixed. Not sure if the ISP configured something on the backend, but I am seeing 200 Mbps+ now.
    What's that? It's slow? No, everything is fine *cough cough now cough cough*.
