Performance Pack
Introduction to Performance Pack
Performance Pack is a software acceleration product installed on Security Gateways. Performance Pack uses SecureXL technology and other innovative network acceleration techniques to deliver wire-speed performance for Security Gateways.
Performance Pack is supported on:
- SecurePlatform
  - To install SecureXL, run: sysconfig
  - To enable SecureXL, run: cpconfig
- Gaia
  - On Gaia, Performance Pack is automatically installed when you run the First Time Wizard.
  - To enable SecureXL, run: cpconfig
Supported Features
These security functions are enhanced by Performance Pack:
- Access control
- Encryption
- NAT
- Accounting and logging
- Connection/session rate
- General security checks
- IPS features
- CIFs resources
- ClusterXL High Availability and Load Sharing
- TCP Sequence Verification
- Dynamic VPN
- Anti Spoofing verifications
- Passive streaming
- Drop rate
Preparing the Performance Pack
For optimal performance, configure the BIOS and NICs for Performance Pack.
BIOS Settings
- If your BIOS supports CPU clock setting, make sure that the BIOS is set to the actual CPU speed.
- If you are running Performance Pack on a machine with Intel Xeon CPUs, it is recommended to disable Hyper-Threading.
Network Interface Cards
- If you are using a motherboard with multiple PCI or PCI-X buses, make sure that each Network Interface Card is installed in a slot connected to a different bus.
- If you are using more than two Network Interface Cards in a system with only two 64-bit/66 MHz PCI buses, make sure that the least-used cards are installed in slots connected to the same bus.
For an updated list of certified Network Interface Cards, see Certified Network Interfaces.
Note - Performance Pack is automatically disabled on PPTP and PPPoE interfaces.
Installing during a SecurePlatform Gateway Installation
During the Check Point SecurePlatform installation process, select the following products from the list of products to install:
- Security Gateway
- Performance Pack
Installing on SecurePlatform Gateway
Performance Pack can be installed on a Security Gateway on SecurePlatform.
- Type sysconfig to enter the configuration menu.
- Select Products Installation.
- Follow the instructions until reaching the product selection screen.
- Select Performance Pack.
- Follow the instructions until finished.
- Exit the configuration menu.
- Reboot the gateway.
Installing on Installed SecurePlatform Gateway with HFA
If the SecurePlatform Security Gateway has a customer release, minor release, hotfix, or hotfix accumulator (HFA) installed on top of the main gateway version, use these steps.
- Type sysconfig to enter the configuration menu.
- Select Products Installation.
- Follow the instructions until reaching the product selection screen.
- Select Performance Pack.
- Follow the instructions until finished.
- Select Products Configuration.
- Disable Check Point SecureXL.
- Exit the configuration menu.
- Reboot the gateway.
- Upgrade the Performance Pack using SmartUpdate or from the command line.
Upgrading with SmartUpdate
We recommend that you use SmartUpdate to upgrade Performance Pack.
To upgrade with SmartUpdate:
- Select SmartUpdate from Check Point SmartConsole.
- From the Packages menu, select Add > From File….
- Select the HFA package and wait until the upload has finished.
- From the Package Repository, select the Performance Pack package and drag it to the appropriate gateway.
- Follow the instructions until finished.
Upgrading with the Command Line
If SmartUpdate is not an option, you can update with the command line.
- Change to the directory where the upgrade file (.tgz) is located.
- Run: tar -xzvf <filename>
- Change to the directory that was extracted.
- Run: tar -xzvf <sim filename>
- Run the sim executable.
Command Line
fwaccel
Description
Lets you dynamically enable or disable acceleration for IPv4 traffic while a Security Gateway is running. fwaccel6 has the same functionality for IPv6 traffic. The default setting is determined by the setting configured with cpconfig, and the setting reverts to that default after a reboot.
Works with the IPv4 kernel.
Syntax
fwaccel [on|off|stat|stats|conns|templates]
Parameters
- on: Starts acceleration.
- off: Stops acceleration.
- stat: Shows the acceleration device status and the status of the Connection Templates on the local Security Gateway.
- stats: Shows acceleration statistics.
- stats -s: Shows more summarized statistics.
- stats -d: Shows dropped packet statistics.
- conns: Shows all connections.
- conns -s: Shows the number of connections currently defined in the accelerator.
- conns -m <max_entries>: Limits the number of connections displayed by the conns command to max_entries.
- templates: Shows all connection templates.
- templates -m <max_entries>: Limits the number of templates displayed by the templates command to max_entries.
- templates -s: Shows the number of templates currently defined in the accelerator.
fwaccel6
Description
Lets you dynamically enable or disable IPv6 acceleration while a Security Gateway is running. The default setting is determined by the setting configured with cpconfig, and the setting reverts to that default after a reboot.
Works with the IPv6 kernel.
Syntax
fwaccel6 [on|off|stat|stats|conns|templates]
Parameters
- on: Starts IPv6 acceleration.
- off: Stops IPv6 acceleration.
- stat: Shows the acceleration device status and the status of the Connection Templates on the local Security Gateway.
- stats: Shows summary acceleration statistics.
- stats -s: Shows detailed summarized statistics.
- conns: Shows all IPv6 connections.
- conns -s: Shows the number of IPv6 connections currently defined in the accelerator.
- conns -m <max_entries>: Limits the number of IPv6 connections shown by the conns command to max_entries.
- templates: Shows all IPv6 connection templates.
- templates -m <max_entries>: Limits the number of templates shown by the templates command to max_entries.
- templates -s: Shows the number of templates currently defined in the accelerator.
Example: fwaccel6 stat
Description
The fwaccel6 stat command displays the acceleration device status and the status of the Connection Templates on the local Security Gateway.
Example
fwaccel6 stat -all
Output
Accelerator Status : on
Accept Templates : enabled
Accelerator Features : Accounting, NAT, Routing, HasClock, Templates, Synchronous, IdleDetection, Sequencing, TcpStateDetect, AutoExpire, DelayedNotif, TcpStateDetectV2, CPLS, WireMode, DropTemplates
Example: fwaccel6 templates
Description
The fwaccel6 templates command displays all the connection templates.
Example
fwaccel6 templates
Output
Source               SPort  Destination          DPort  PR  Flags    LCT  DLY  C2S i/f    S2C i/f
-------------------  -----  -------------------  -----  --  -------  ---  ---  ---------  ---------
9999:b:0:0:0:0:0:10  *      9999:b:0:0:0:0:0:20  10000  17  .......  15   0    Lan5/Lan1  Lan1/Lan5
Example: fwaccel6 stats
Description
The fwaccel6 stats command displays acceleration statistics.
Example
fwaccel6 stats
Output
Name                 Value           Name                 Value
-------------------- --------------- -------------------- ---------------
conns created        11              conns deleted        7
temporary conns      0               templates            1
nat conns            0               accel packets        2
accel bytes          96              F2F packets          39
ESP enc pkts         0               ESP enc err          0
ESP dec pkts         0               ESP dec err          0
ESP other err        0               espudp enc pkts      0
espudp enc err       0               espudp dec pkts      0
espudp dec err       0               espudp other err     0
AH enc pkts          0               AH enc err           0
AH dec pkts          0               AH dec err           0
AH other err         0               memory used          0
free memory          0               acct update interval 3600
current total conns  4               TCP violations       0
conns from templates 0               TCP conns            0
delayed TCP conns    0               non TCP conns        4
delayed nonTCP conns 0               F2F conns            3
F2F bytes            2848            crypt conns          0
enc bytes            0               dec bytes            0
partial conns        0               anticipated conns    0
dropped packets      0               dropped bytes        0
nat templates        0               port alloc templates 0
conns from nat tmpl  0               port alloc conns     0
port alloc f2f       0
fwaccel stats and fwaccel6 stats
The fwaccel stats and fwaccel6 stats commands show performance statistics. This information can help you understand traffic behavior and investigate performance issues. The statistic parameters and their meaning:
- conns created: Number of created connections
- conns deleted: Number of deleted connections
- temporary conns: Number of temporary connections
- templates: Number of templates currently handled
- nat conns: Number of NAT connections
- accel packets: Number of accelerated packets
- accel bytes: Number of accelerated traffic bytes
- F2F packets: Number of packets handled by the VPN kernel in the slow path
- ESP enc pkts: Number of ESP encrypted packets
- ESP enc err: Number of ESP encryption errors
- ESP dec pkts: Number of ESP decrypted packets
- ESP dec err: Number of ESP decryption errors
- ESP other err: Number of other ESP errors
- espudp enc pkts, espudp enc err, espudp dec pkts, espudp dec err, espudp other err: Not in use
- AH enc pkts, AH enc err, AH dec pkts, AH dec err, AH other err: Not in use
- memory used, free memory: Not in use
- acct update interval: Accounting update interval in seconds
- current total conns: Number of connections currently handled
- TCP violations: Number of packets that violate the TCP state
- conns from templates: Number of connections created from templates
- TCP conns: Number of TCP connections currently handled
- delayed TCP conns: Number of delayed TCP connections currently handled
- non TCP conns: Number of non-TCP connections currently handled
- delayed nonTCP conns: Number of delayed non-TCP connections currently handled
- F2F conns: Number of connections currently handled by the VPN kernel in the slow path
- F2F bytes: Number of traffic bytes handled by the VPN kernel in the slow path
- crypt conns: Number of encrypted connections currently handled
- enc bytes: Number of encrypted traffic bytes
- dec bytes: Number of decrypted traffic bytes
- partial conns: Number of partial connections currently handled
- anticipated conns: Number of anticipated connections currently handled
- dropped packets: Number of dropped packets
- dropped bytes: Number of dropped traffic bytes
- nat templates, port alloc templates, conns from nat tmpl, port alloc conns, port alloc f2f: Not in use
- PXL templates: Number of PXL templates
- PXL conns: Number of PXL connections
- PXL packets: Number of PXL packets
- PXL bytes: Number of PXL traffic bytes
- PXL async packets: Number of PXL packets handled asynchronously
cpconfig
Check Point products are configured with the cpconfig utility. This utility shows the configuration options of the installed configuration and products. You can use cpconfig to enable or disable Performance Pack. When you select an acceleration setting, the setting remains configured until you change it.
For an alternative method to enable or disable acceleration, see fwaccel.
Run: cpconfig
A menu is shown.
sim affinity
Description
The sim affinity utility controls various Performance Pack driver features and applies only to SecurePlatform.
Affinity is a general term for binding Network Interface Card (NIC) interrupts to processors. By default, SecurePlatform does not set affinity for the NIC interrupts, so each NIC is handled by all processors. For optimal network performance, make sure each NIC is individually bound to one processor.
Syntax
sim affinity [-a|-s|-l]
Parameters
- -a: Automatic Mode (default). Affinity is determined by analysis of the load on each NIC. If a NIC is not activated, affinity is not set. NIC load is analyzed every 60 seconds.
- -s: Manual Mode. Configure affinity settings for each interface: the processor numbers (separated by spaces) that handle this interface, or . In Manual Mode, periodic NIC analysis is disabled.
- -l: Shows the current affinity settings.
proc entries
Description
Performance Pack supports proc entries. These read-only entries show data about Performance Pack. The proc entries are in /proc/ppk.
Syntax
cat /proc/ppk/[conf|ifs|statistics|drop statistics]
Parameters
- conf: Shows the Performance Pack configuration.
- ifs: Shows the interfaces to which Performance Pack is attached.
- statistics: Shows general Performance Pack statistics.
- drop statistics: Shows Performance Pack dropped packet statistics.
Performance Tuning and Measurement
Setting the Maximum Concurrent Connections
To set the desired number of maximum concurrent connections:
- Open SmartDashboard's Gateway Object Properties window.
- Open the Capacity Optimization tab. Make sure that Calculate connections hash table size and memory pool is set to Automatically.
- Set the desired amount of concurrent connections in the Maximum Concurrent Connections field.
Increasing the Number of Concurrent Connections
You can increase the actual number of concurrent connections by reducing the timeout of TCP and UDP sessions:
- TCP end timeout determines the amount of time a TCP connection will stay in the Firewall connection table after a TCP session has ended.
- UDP virtual session timeout determines the amount of time a UDP connection will stay in the Firewall connection table after the last UDP packet was seen by the gateway.
By reducing the above values, the capacity of actual TCP and UDP connections is increased.
SecureXL Templates
Use the fwaccel stat command to verify that templates are not disabled.
For further information regarding SecureXL Templates, see sk32578.
SecureXL NAT templates
Using SecureXL Templates for NAT traffic lets you achieve a high session rate for NAT traffic. SecureXL NAT Templates are supported in cluster in High Availability, VRRP, and Load Sharing modes.
For more information, see sk71200.
Delayed Notification
In the ClusterXL configuration, the Delayed Notification feature is disabled by default. Enabling this feature improves performance (at the cost of connections' redundancy, which can be tuned using delayed notifications expiration timeout).
The fwaccel stats command indicates the number of delayed connections.
The fwaccel templates command indicates the delayed time for each template under the DLY entry.
Connection Templates
Connection templates are generated from active connections according to the policy rules. The connection template feature accelerates the speed at which a connection is established by matching a new connection to a set of attributes. When a new connection matches a template, the connection is established without performing a rule match and is therefore accelerated. Currently, connection template acceleration is performed only on connections with the same destination port.
Examples:
- A connection from 10.0.0.1/2000 to 11.0.0.1/80 — established through Firewall and then accelerated.
- A connection from 10.0.0.1/2001 to 11.0.0.1/80 — fully accelerated (including connection establishment).
- A connection from 10.0.0.1/8000 to 11.0.0.1/80 — fully accelerated (including connection establishment).
HTTP GET requests to a specific server are accelerated, since the connections share the same source IP address.
Restrictions
In general, Connection Templates are created only for plain UDP or TCP connections. The following restrictions apply to Connection Template generation:
Global restrictions:
- SYN Defender — Connection Templates for TCP connections will not be created
- VPN connections
- Complex connections (H323, FTP, SQL)
- NetQuotas
- ISN Spoofing
If the Rule Base contains a rule regarding one of the following components, the Connection Templates will be disabled for connections matching this rule, and for all of the following rules:
- Security Server connections.
- Time objects in the rules.
- Dynamic Objects and/or Domain Objects.
- Services of type "other" with a match expression.
- User/Client/Session Authentication actions.
- Services of type RPC/DCERPC/DCOM.
When installing a policy containing restricted rules, you will receive console messages indicating that Connection Templates will not be created because of the rules that have been defined. Treat these warnings as recommendations that help you fine-tune your policy to optimize performance.
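The template behaviour described under Connection Templates and Restrictions, as an added example in Python (this is not Check Point code and not how SecureXL is implemented): a toy template cache keyed on source IP, destination IP, destination port and protocol, with the source port as a wildcard, sitting in front of an ordered rulebase. The first connection of a flow goes through the rule match and leaves a template; later connections that fit the template skip the rule match. The rulebase, the restricted flag that stands in for the Restrictions list (templates are disabled for that rule and every rule after it), and the connections are all constructed for this demonstration.

```python
"""Toy model of SecureXL connection templates (added example, not Check
Point code).  Templates are keyed on src IP, dst IP, dst port and protocol;
the source port is a wildcard ('*' in the SPort column of fwaccel templates).
Rules marked 'restricted' stand in for the Restrictions list above: no
template is created for connections they match, nor for any later rule."""
from collections import namedtuple

Conn = namedtuple("Conn", "src sport dst dport proto")

# Constructed rulebase, evaluated top-down, first match wins.
RULES = [
    {"src": "any", "dst": "11.0.0.1", "dport": 80, "proto": "tcp",
     "action": "accept", "restricted": False},
    {"src": "10.0.0.1", "dst": "11.0.0.1", "dport": 21, "proto": "tcp",
     "action": "accept", "restricted": True},   # FTP: a complex connection
    {"src": "10.0.0.1", "dst": "11.0.0.1", "dport": 53, "proto": "udp",
     "action": "accept", "restricted": False},  # placed after a restricted rule
]


def rule_match(rules, conn):
    """Slow path: walk the rulebase in order and return (index, action)."""
    for idx, rule in enumerate(rules):
        if (rule["src"] in ("any", conn.src) and rule["dst"] == conn.dst
                and rule["dport"] == conn.dport and rule["proto"] == conn.proto):
            return idx, rule["action"]
    return None, "drop"   # implicit cleanup rule


class TemplateCache:
    """Holds the templates that 'fwaccel templates' would list."""

    def __init__(self, rules):
        self.rules = rules
        self.templates = {}          # key -> index of the rule it came from
        restricted = [i for i, r in enumerate(rules) if r["restricted"]]
        # Templates are disabled from the first restricted rule onward.
        self.no_template_from = restricted[0] if restricted else len(rules)

    @staticmethod
    def key(conn):
        # Source port is deliberately left out: it is the wildcard.
        return (conn.src, conn.dst, conn.dport, conn.proto)

    def handle(self, conn):
        """Return how the connection was handled."""
        key = self.key(conn)
        if key in self.templates:
            return "accelerated: matched template"
        idx, action = rule_match(self.rules, conn)
        if action != "accept":
            return "dropped"
        if conn.proto in ("tcp", "udp") and idx < self.no_template_from:
            self.templates[key] = idx
            return "firewall: template created"
        return "firewall: no template"


def demo():
    """Run the three connections from the text plus three contrasting ones."""
    cache = TemplateCache(RULES)
    flows = [
        Conn("10.0.0.1", 2000, "11.0.0.1", 80, "tcp"),   # first: firewall
        Conn("10.0.0.1", 2001, "11.0.0.1", 80, "tcp"),   # fully accelerated
        Conn("10.0.0.1", 8000, "11.0.0.1", 80, "tcp"),   # fully accelerated
        Conn("10.0.0.1", 3000, "11.0.0.1", 21, "tcp"),   # restricted rule
        Conn("10.0.0.1", 4000, "11.0.0.1", 53, "udp"),   # rule after restricted
        Conn("10.0.0.2", 2000, "11.0.0.1", 80, "tcp"),   # new src IP, new template
    ]
    return [(f.src, f.sport, f.dport, cache.handle(f)) for f in flows], cache


if __name__ == "__main__":
    results, cache = demo()
    for src, sport, dport, outcome in results:
        print(f"{src}/{sport:<5} -> 11.0.0.1/{dport:<5} {outcome}")
    print("templates defined:", len(cache.templates))
```

The sixth connection shows why the text says acceleration applies to connections with the same source IP: a different source address misses the template, takes the slow path once, and then gets a template of its own.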
Testing
To verify that connection templates are enabled, use the fwaccel stat command. To verify that connection templates are generated, use fwaccel templates. This should be done while traffic is running, in order to obtain a list of currently defined templates.
Delayed Synchronization
The synchronization mechanism guarantees High Availability. In a cluster configuration, if one cluster member fails, the other recognizes the connection failure and takes over, so the user does not experience any connectivity issue. However, there is an overhead per synchronized operation, which can occasionally cause a system slow-down when there are short sessions.
Delayed synchronization is a mechanism based upon the duration of the connection, with the duration itself used to determine whether or not to perform synchronization. A time range can be defined per service. The time range indicates that connections terminated before a specified expiration time will not be synchronized. As a result, synchronized traffic is reduced and overall performance increases. Delayed Synchronization is performed only for connections matching a connection template.
Note - Delayed synchronization is disabled if logging or accounting is enabled.
Currently, delayed synchronization is allowed only for services of type HTTP or None. In order to configure delayed synchronization, proceed as follows:
- In SmartDashboard, right-click on the Service tab.
- Either edit an existing service or click New and select TCP. The TCP service properties window is shown.
- After defining TCP parameters, click Advanced in the TCP service properties window. The Advanced TCP Service Properties window is shown.
- Select the HTTP or None protocol from the Protocol Type list.
- Check Start synchronizing.
- Define the duration value Seconds after connection initiation. The duration value is specified in seconds.
Multi-Core Systems
Running Performance Pack on multi-core systems may require more advanced configurations to account for core affinity and IRQ behavior. For more information, see sk33250.
Performance Measurement
There are various ways to monitor and measure the performance of a Security Gateway.
TCP State and Benchmarking
Certain testing applications (SmartBits or Chariot) generate invalid TCP sequences. The Security Gateway's TCP state check detects these faulty sequences, and drops the packets. As a result, the benchmark fails. Since these TCP sequences are invalid, they may affect overall Firewall performance.
To disable this type of TCP state check, perform the following operations in SmartDashboard:
- In the IPS tab, select Protections > By Protocol > Network Security > TCP > Sequence Verifier.
- Select the profile assigned to your gateway and click Edit.
- In the Action field, select Inactive.
- Click OK to close the Protections Settings window.
- Click OK to close the Protections Details window.
- Click Install Policy to apply the changes.
Non-accelerated traffic analysis
Use the fwaccel stats command to verify the amount of non-accelerated traffic compared to accelerated traffic.
Use the sim dbg + f2f command to understand the possible reasons for the non-accelerated traffic.
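An added example, not part of this page or of Check Point's tools, of reading the counters described under fwaccel stats and fwaccel6 stats and comparing accelerated with slow-path (F2F) traffic, as this section recommends. The parser targets the two-column text layout shown in the fwaccel6 stats example above; the sample output embedded here is that example, reproduced as constructed input. The warning rule (flag any non-zero TCP violations or dropped packets) is this example's own choice, not a Check Point threshold.

```python
"""Parse 'fwaccel stats' / 'fwaccel6 stats' output and report how much of the
traffic bypassed SecureXL.  Added example; not Check Point code."""
import re

# Constructed sample: the fwaccel6 stats output shown on this page.
SAMPLE_STATS = """\
Name                 Value           Name                 Value
-------------------- --------------- -------------------- ---------------
conns created        11              conns deleted        7
temporary conns      0               templates            1
nat conns            0               accel packets        2
accel bytes          96              F2F packets          39
ESP enc pkts         0               ESP enc err          0
ESP dec pkts         0               ESP dec err          0
free memory          0               acct update interval 3600
current total conns  4               TCP violations       0
conns from templates 0               TCP conns            0
delayed TCP conns    0               non TCP conns        4
delayed nonTCP conns 0               F2F conns            3
F2F bytes            2848            crypt conns          0
dropped packets      0               dropped bytes        0
port alloc f2f       0
"""

# A counter name starts with a letter and may contain spaces and digits
# ("F2F packets"); the lazy quantifier stops at the first run of whitespace
# that is followed by an integer, which is the value column.
PAIR = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?)\s+(\d+)(?=\s|$)")


def parse_fwaccel_stats(text):
    """Return {counter name: int} from the one-or-two-pairs-per-line layout."""
    stats = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Name", "---")):
            continue                      # header and separator rows
        for name, value in PAIR.findall(line):
            stats[name.strip()] = int(value)
    return stats


def slow_path_summary(stats):
    """Compare accelerated vs F2F packets and flag counters worth a look."""
    accel = stats.get("accel packets", 0)
    f2f = stats.get("F2F packets", 0)
    total = accel + f2f
    f2f_percent = round(100.0 * f2f / total, 1) if total else 0.0
    # Example's own rule: any non-zero value in these counters is worth a look.
    warnings = [k for k in ("TCP violations", "dropped packets")
                if stats.get(k, 0) > 0]
    return {
        "accel packets": accel,
        "F2F packets": f2f,
        "f2f_percent": f2f_percent,
        "templates": stats.get("templates", 0),
        "warnings": warnings,
    }


if __name__ == "__main__":
    summary = slow_path_summary(parse_fwaccel_stats(SAMPLE_STATS))
    for key, value in summary.items():
        print(f"{key:<16} {value}")
```

A high F2F share with a healthy template count, as in this sample, points at traffic that the Restrictions section says cannot be templated; sim dbg + f2f, as described above, is the next step for finding the reason.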
Performance Troubleshooting
Additional CLI commands, such as ethtool, are available to monitor the performance of the gateway. For a list of these commands and explanation of their usage, see sk33781.