Appliance Sizing Tool - General Assumptions & Testing Methodology

General Assumptions

Performance Forecasts

• All Recommendations are based on Check Point R76 & R77 Releases.
• On Check Point R77 Release, SMT (also called HyperThreading or HT) was activated on supported appliances (12400 and above).
  
  
• When enabled, SMT doubles the number of logical CPUs on the gateway, which enhances physical processor utilization.
• When SMT is disabled, the number of logical CPUs equals the number of physical cores.


Please Note:
The following blades/features have high memory consumption per instance and therefore it is not recommended to enable SMT if one or more of these features is enabled:
• Data Loss Prevention
• Anti-Virus Traditional Mode
• Using Services with Resources in Firewall policy

Please refer to sk93000 for Full SMT requirements and limitations.



• Performance forecasts are based on typical customer deployment scenarios, variations can be expected upon deployment at different customer networks.

Blade Inspection Policy

In order to apply 'Internet only' traffic to the blade inspection, you should validate the inspection scope on each blade policy.

Appliance Selection tool - Security requirements step.

Testing Methodology

Lab Setup

This section provides general information about the topologies and test-beds of the performance tests for the Appliance Selection Tool.
During the performance tests, the DUT (device under tests) can contain the maximum possible network interfaces connected.

Traffic Blends

Internet Blend

• Represents the type of Internet traffic, security appliances handle on a day-to-day basis.
• Based on customer research conducted by Check Point performance labs.
• Consists from the following Streams/Protocols: HTTP; HTTPS; SMTP; DNS; POP3; FTP; Telnet.
• The majority of the traffic is Internet Access (HTTP).

Full traffic blend description

Data Center Blend

• Check Point empirical study found the following common applications in the Data Center: Web Services, File Stores, Authentication Services, Line-of-Business Applications, Custom Applications and Data Intensive Applications.
• Consists from the following Stream/Protocols : HTTP; HTTPS ; SMTP ; SMB_CIFS ; SQL ; NFS ; SMB_DCERPC ; Oracle ; DNS ; LDAP ; SSH ; FTP.
• Typical Data Center traffic blends consume around 20% more SPU power than Internet traffic blend.

Topology Diagram

SecureXL & CoreXL

• Check Point SecureXL - Enabled.
• Check Point CoreXL - Enabled (Out-of-the-box configuration).

SIM Affinity

Performance Pack is able to utilize architecture of multiple CPUs and Cores. In order to optimize results, Performance Pack attaches different NICs IRQs, to different CPUs or cores. This process is done automatically and by default by Performance Pack.

For these performance tests we used manual assignment in order to achieve maximum results.

Security Management Deployment

Standalone Deployment - Where the gateway and the Security Management server are installed on the same machine.

Distributed Deployment - Where the gateway and the Security Management server are installed on different machines.

Security Policy

Firewall Rule Base

• 100 Firewall Rules.
• Traffic is evenly distributed amongst these rules.

Logging

• All rules are configured to send a log record per connection.

Network Address Translation (NAT)

• Perform on all connections that pass through the Security Gateway.

Software Blades Configuration

IPS Blade

Profile Assignment: Pre-defined Profile: "Recommended_Protection".

Protection Scope: Protect Internal Hosts only.

Mobile Access Blade

• Simulating Mobile Users connecting securely to corporate resources through SSL VPN Portal.
• The sizing of Mobile Access Blade is optimized for portal Scenario. Read Security Knowledge sk96450 for advanced mobile blade sizing with SSL Network Extender (SNX).
• Mobile Access Mode: Integrated.
• Link Translation Method: Path Translation (Default).
• Simulated Web Application: Outlook Web Access.
• Simulated OWA usage profile: Heavy Usage (based on the assumption that remote access users are usually busier with email than in-office users).
• Our Profile is based on MS article describes several OWA usage profiles:

  Actvity per day	Light	Medium	Heavy	Very Heavy
  Messages sent	5	10	20	30
  Messages recieved	20	40	80	120
  Messages read	20	40	80	120
  Messages deleted	10	20	40	60
  Log on and log off	2	2	2	2

  
  The average message size for all profiles is 50 KB.
  
  
• Bandwidth for Heavy OWA Profile: Every User will generate network traffic of 50KB per Minute.
• 2% of the users are generating new login traffic - for each 100 concurrent users, there are 2 concurrent new login requests per second.
• Secure Work Space's (SWS) contribution to SPU is already weighted in the sizing calculation.

IPSEC VPN Blade

• Simulating VPN Remote Access Clients connecting securely to corporate resources.
• Bandwidth per User: 20Kbps.
• IPSEC Security Association (Phase 2): Encryption Algorithm: AES128.

Anti-Bot & Anti-Virus Blades

• Out-of-the-box configuration.
• According to the Anti-Bot and Anti-Virus Policy.
• Up to date Signatures.

Application Control & URL Filtering Blades

• Out-of-the-box configuration.
• Up to date Signatures.

Data Loss Prevention Blade

• Default Deployment - Uses the Data Loss Prevention policy provided Out of the Box.
• Out-of-the-box Data Loss Prevention with a basic policy (DLP Software Blade comes with a large number of built-in data types that can be quickly applied as a default policy).
• Default Applied Protocols: Email (Scan outgoing Emails).

Threat Emulation Blade

• Emulation Location: 'Check Point ThreatCloud Emulation' / 'Private Cloud Emulation'.
• Out of the box Threat Emulation Profile.
• File emulation rate: Emulated file for every 250MB of traffic.