I found this article on the Checkpoint web site concerning Solaris performance tuning:

Check Point Software: FireWall-1 Performance Tuning Guide

I will paste the Solaris parts of this document at the end of this message.

My question is this... The performance tuning info provided here was written when Solaris 8 was out. Can someone tell me if this information still holds true for Solaris 10? A lot has changed from 8 to 10 and I'm no 10 expert.

Here is the related info:

Solaris Performance Tuning

Unless specifically mentioned, the information here concerns Solaris version 8. Most of the tunables also apply to the earlier 2.7 and 2.6 versions. At the same time, if using an earlier Solaris version, an upgrade to version 8 is strongly recommended.

1. Always maintain the latest recommended patch level

2. Harden Solaris for VPN/firewall use

This is not really a performance recommendation, but rather a very important security issue that requires a dedicated document. Before the firewall is installed on a machine, the underlying OS must be secured or 'hardened' to the highest security level possible. Numerous guideline books and documents exist that describe the necessary steps and considerations in detail. A good book to mention is Building Internet Firewalls by D. Brent Chapman and Elizabeth D. Zwicky (O'Reilly, ISBN: 1565921240).

Nevertheless, a few hardening tips that also have a performance bearing are:

- disable all unnecessary network services, daemons, etc.

Comment out all unneeded service entries in the /etc/inetd.conf file; definitely turn off the netstat, systat, tftp and finger services. Turn off the rshd, rlogind and rexecd daemons; disable NFS if possible (rename or remove /etc/rc3.d/S15nfs.server); if not running the VPN-1 GUI client on the Solaris firewall machine, kill and disable dtlogin (run /etc/init.d/dtlogin stop and rename or remove /etc/rc2.d/S99dtlogin).

- modify the following IP stack parameters:

in /etc/rc2.d/S69inet:

ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip_forward_directed_broadcasts 0
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
ndd -set /dev/ip ip_send_redirects 0 (do not issue redirects)
ndd -set /dev/ip ip_ignore_redirect 1 (ignore redirects)

3. When using multiple network interfaces or multiport NICs (qfe), set the MAC addresses of the different interfaces to different values using ifconfig. By default all four interfaces are assigned the same MAC address. Alternatively, set the 'local-mac-address?' variable in eeprom to true:

eeprom 'local-mac-address?=true'

5. Force all LAN network interfaces to maximal speed and full duplex when applicable. Disable auto-negotiation.

For hme (also qfe) driver:

ndd -set /dev/hme instance 0 (1, 2, 3 etc)
ndd -set /dev/hme adv_autoneg_cap 0
ndd -set /dev/hme adv_100fdx_cap 1

repeat the commands above for every instance of the NIC driver

6. Tuning the STREAMS queues for high-throughput VPN-1 gateways

in /etc/system:

set sq_max_size = 100 (for a Solaris gateway with 256MB RAM)

Can produce noticeable throughput improvement.

7. Tuning the TCP hiwater parameters for maximal throughput - affects security servers and logging performance

ndd -set /dev/tcp tcp_xmit_hiwat 65535 (default 8192)
ndd -set /dev/tcp tcp_recv_hiwat 65535 (default 8192)

These values are essentially the maximal send and receive buffer sizes. Small but noticeable HTTP security server performance improvement.

8. Tuning the TCP Slow Start and TCP queue sizes - affects security servers performance

These changes are also recommended when tuning Solaris for maximal HTTP server performance, where the performance improvement can reach 100%.

In the /etc/system:

set tcp:tcp_conn_hash_size = 16384

and in /etc/rc2.d/S69inet:

ndd -set /dev/tcp tcp_slow_start_initial 2 (default 1)
ndd -set /dev/tcp tcp_conn_req_max_q 1024 (default 128)
ndd -set /dev/tcp tcp_conn_req_max_q0 4096 (default 1024)
ndd -set /dev/tcp tcp_time_wait_interval 60000 (default 240000)
for Solaris 7 and earlier:
ndd -set /dev/tcp tcp_close_wait_interval 60000 (default 240000)

ndd -set /dev/tcp tcp_fin_wait_2_flush_interval 67500 (default 675000)

Small but noticeable HTTP security server performance improvement.

9. Tune the TCP Selective Acknowledgement (SACK) mechanism

In /etc/rc2.d/S69inet:

- turn on for better security servers performance over WAN links

ndd -set /dev/tcp tcp_sack_permitted 1

- turn off for better logging performance over LAN links

ndd -set /dev/tcp tcp_sack_permitted 0

10. Increase the number of open file descriptors - esp. relevant for busy security servers

in /etc/system:

set rlim_fd_max = 16384 (16384 to 32768; default 1024, should be at least 2 x tcp_conn_req_max_q)

11. Change the fsflush behavior

For busy Solaris gateways with more than 128MB RAM, this decreases the amount of memory fsflush scans every time it runs:

in /etc/system:

set autoup = 120 (default 30)

As a result, less time will be spent by the OS on flushing the memory and more on forwarding the packets. (Please note this parameter has been known to cause issues in 3rd Party HA/LB solutions and is currently not supported in those situations)
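The ndd and /etc/system settings above are normally dropped into a boot script and never looked at again, so the first thing to establish on any box (whatever the release) is whether they are actually in effect. The script below is an added example, not part of the Check Point guide or of the post: it audits a host against the ndd values from items 2, 7 and 8 and the /etc/system tunables from items 6, 8, 10 and 11, and can set the ndd parameters that have drifted. It assumes a Solaris host with /usr/sbin/ndd (overridable through the NDD variable) and root for "enforce"; the NDD variable, the function names and the OK/DRIFT output format are my own. The /etc/system reader takes any file name, so a staged copy can be checked before it is installed.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): audit, and optionally
# enforce, the ndd settings from items 2, 7 and 8, and audit the /etc/system
# tunables from items 6, 8, 10 and 11. Assumes Solaris with /usr/sbin/ndd;
# NDD and all function names are my own.

NDD=${NDD:-/usr/sbin/ndd}

# Desired ndd state, "driver parameter value" per line, copied from the post.
# tcp_sack_permitted is left out: item 9 makes it a per-site choice.
desired_settings() {
    cat <<'EOF'
/dev/ip ip_forward_src_routed 0
/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_respond_to_echo_broadcast 0
/dev/ip ip_respond_to_timestamp_broadcast 0
/dev/ip ip_send_redirects 0
/dev/ip ip_ignore_redirect 1
/dev/tcp tcp_xmit_hiwat 65535
/dev/tcp tcp_recv_hiwat 65535
/dev/tcp tcp_slow_start_initial 2
/dev/tcp tcp_conn_req_max_q 1024
/dev/tcp tcp_conn_req_max_q0 4096
/dev/tcp tcp_time_wait_interval 60000
/dev/tcp tcp_fin_wait_2_flush_interval 67500
EOF
}

# Wrappers around ndd; redefine them for a dry run or on a non-Solaris host.
ndd_get() { "$NDD" -get "$1" "$2"; }
ndd_set() { "$NDD" -set "$1" "$2" "$3"; }

# One line per parameter: "OK drv param value" or "DRIFT drv param have want"
# ("have" is "unreadable" when ndd failed, e.g. the driver is not loaded).
audit_settings() {
    desired_settings | while read -r drv param want; do
        have=$(ndd_get "$drv" "$param" 2>/dev/null) || have=unreadable
        if [ "$have" = "$want" ]; then
            printf 'OK %s %s %s\n' "$drv" "$param" "$want"
        else
            printf 'DRIFT %s %s %s %s\n' "$drv" "$param" "$have" "$want"
        fi
    done
}

# Number of ndd parameters that differ from the desired state.
count_drift() { audit_settings | grep -c '^DRIFT' || true; }

# Set only the drifted parameters, so re-running is idempotent.
enforce_settings() {
    audit_settings | while read -r state drv param have want; do
        [ "$state" = DRIFT ] || continue
        ndd_set "$drv" "$param" "$want" &&
            printf 'set %s %s %s -> %s\n' "$drv" "$param" "$have" "$want"
    done
}

# Item 10: rlim_fd_max ($1) must be at least twice tcp_conn_req_max_q ($2).
fd_limit_ok() { [ "$1" -ge $(( 2 * $2 )) ]; }

# /etc/system tunables with a single expected value (items 6, 8 and 11).
etc_system_expected() {
    cat <<'EOF'
sq_max_size 100
tcp:tcp_conn_hash_size 16384
autoup 120
EOF
}

# Print the value of tunable $2 from the /etc/system-style file $1
# (accepts "set x = 1" and "set x=1"; prints nothing if it is absent).
etc_system_value() {
    awk -v n="$2" '/^[ \t]*set[ \t]/ { l = $0; gsub(/=/, " = ", l); split(l, f)
        if (f[2] == n) { print f[4]; exit } }' "$1"
}

# Audit file $1 against etc_system_expected plus the item 10 rule
# (tcp_conn_req_max_q is 1024 above, so rlim_fd_max must be >= 2048).
audit_etc_system() {
    etc_system_expected | while read -r name want; do
        have=$(etc_system_value "$1" "$name")
        if [ "$have" = "$want" ]; then printf 'OK %s %s\n' "$name" "$want"
        else printf 'DRIFT %s %s %s\n' "$name" "${have:-unset}" "$want"; fi
    done
    fd=$(etc_system_value "$1" rlim_fd_max)
    fd=${fd:-1024}                       # Solaris default quoted in item 10
    if fd_limit_ok "$fd" 1024; then printf 'OK rlim_fd_max %s\n' "$fd"
    else printf 'DRIFT rlim_fd_max %s 2048\n' "$fd"; fi
}

# Entry point; only acts where ndd exists (a Solaris host). Default: audit,
# which exits non-zero if any ndd parameter has drifted.
if [ -x "$NDD" ]; then
    case "${1:-audit}" in
        audit)   audit_settings; audit_etc_system /etc/system
                 [ "$(count_drift)" -eq 0 ] ;;
        enforce) enforce_settings ;;
        *)       echo "usage: $0 [audit|enforce]" >&2; exit 2 ;;
    esac
fi
```

Run it as `sh audit_fw_tunables.sh` from cron or after every patch cycle; a non-zero exit means a value the boot script was supposed to set is not in effect, which is exactly the case where a rewritten S69inet or a restored /etc/system silently undid the hardening. Keeping the desired values in one list rather than as bare ndd lines is what makes the script safe to run repeatedly: "enforce" touches only what differs.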