FireWall-1 Performance Tuning Guide
 
This document suggests methods and techniques that affect various aspects of the performance of Check Point FireWall-1 and VPN-1 products (referred to below as VPN-1) on different platforms. It is organized into sections by the nature of the changes (OS tuning vs. VPN-1 parameter tuning) and by the OS platform VPN-1 runs on.
This document is meant to be a "work in progress"; we will update it with new "tricks" as we discover and test them.
I. General Performance Considerations
This section contains general recommendations that can significantly improve the VPN-1 performance.
These rules are platform independent and do not require any special tuning.
  1. Place the most commonly accessed rules on top of the rulebase
  2. Keep the rulebase small & simple. Reduce the number of rules by combining similar rules
  3. Avoid using Domain objects
  4. Use Networks instead of address ranges in NAT
  5. Disable VPN-1 control connections whenever possible
  6. Disable Decrypt on accept property if not using encryption.
  7. Keep logging to a minimum.
  8. If using Session Authentication, use Implicit Client Authentication (described in VPN-1 parameters tuning section)
Hardware Considerations
The hardware spec that affects VPN-1 performance by far the most is processor speed. Use a machine with the fastest CPU available. 128 MB of RAM is a minimum for a high performance firewall system.
  • SMP (2-4 CPUs) has the most effect on Resource and VPN policies performance (up to 35-54% performance improvement). Make sure to run multiple instances of security servers (see the VPN-1 Tuning chapter).
  • A single 32-bit/33 MHz PCI bus can be a bandwidth bottleneck on fast systems (especially when running the Linux version of VPN-1). The solution is to use faster 64-bit/66 MHz PCI buses or multiple 32-bit/33 MHz PCI buses.
  • VPN-1 with Gigabit Ethernet NICs performs slightly better than with multiple Fast Ethernet NICs (on multiple network segments or when using 'trunking' or 'teaming'), even at Fast Ethernet speeds.
II. OS & TCP/IP Stack Tuning Guidelines
This section concentrates on ways to tune the underlying OS for maximal VPN-1 performance.
The section is divided into subsections by a specific OS.
Solaris Performance Tuning
Most of the information (unless specifically mentioned) here concerns Solaris SPARC version 2.6. Most of the tunables are also applicable to earlier (2.5.X) versions. At the same time, if using earlier Solaris versions an upgrade to 2.6 is strongly recommended.

We ran tests to ensure that the changes introduced in this section are mutually compatible. Unless specifically mentioned, the tunables do not conflict.


1. Disable all unnecessary network services, daemons, etc.

Comment out all unneeded service entries in the /etc/inetd.conf file: turn off the netstat, systat, tftp and finger services, then send inetd a HUP signal so it rereads the file. Turn off the rshd, rlogind and rexecd daemons. Disable NFS if possible (rename or remove /etc/rc3.d/S15nfs.server). If the VPN-1 GUI client is not run on the firewall machine, stop and disable dtlogin (run /etc/init.d/dtlogin stop and rename or remove /etc/rc2.d/S99dtlogin).


2. Set Sun's quad Fast Ethernet NIC (qfe) MAC addresses to different values.

When using a quad (qfe) network interface card, set the MAC addresses of the different interfaces to different values using ifconfig. By default all four interfaces are assigned the same (system-wide) MAC address; alternatively, set the EEPROM variable local-mac-address? to true so that each port uses its own factory-assigned address.
This may yield a significant improvement in throughput.


3. Force all LAN network interfaces to maximal speed and full duplex when applicable. Disable auto-negotiation.


For the hme driver (the qfe driver takes the same parameters; select each port first with ndd -set /dev/qfe instance N and repeat the two settings per instance):

ndd -set /dev/hme adv_autoneg_cap 0
ndd -set /dev/hme adv_100fdx_cap 1

The switch port at the other end must be hard-set to the same speed and duplex. If auto-negotiation is turned off only on the firewall, the switch falls back to half duplex and the resulting duplex mismatch (late collisions, CRC errors) reduces throughput sharply.



4. Tuning the TCP hiwater parameters for maximal throughput - affects security servers performance.

ndd -set /dev/tcp tcp_xmit_hiwat 65535         (default 8192)
ndd -set /dev/tcp tcp_recv_hiwat 65535         (default 8192)

These values are essentially maximal send and receive buffer sizes.
Small but noticeable HTTP proxy performance improvement.


5. Tuning the TCP Slow Start and TCP queue sizes - affects security servers performance.

These changes are also highly recommended for tuning Solaris for maximal HTTP server performance.

In the /etc/system:

set tcp:tcp_conn_hash_size = 16384

ndd -set /dev/tcp tcp_slow_start_initial 2           (default 1)
ndd -set /dev/tcp tcp_conn_req_max_q 1024            (default 128)
ndd -set /dev/tcp tcp_conn_req_max_q0 4096           (default 1024)
ndd -set /dev/tcp tcp_close_wait_interval 60000      (default 240000)

Note that tcp_close_wait_interval actually controls how long (in milliseconds) a connection stays in TIME_WAIT; from Solaris 7 on the same parameter is named tcp_time_wait_interval. The ndd settings are lost at reboot and must be re-applied from an rc script; only the /etc/system entry persists.

Small but noticeable HTTP proxy performance improvement.


6. Increase the number of open file descriptors - esp. relevant for busy security servers

In /etc/system:

set rlim_fd_max = 16384        (16384 to 32768; default 1024; should be at least 2 x tcp_conn_req_max_q)
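The settings in items 3 to 6 above are applied with ndd and therefore do not survive a reboot. The script below is an added example (not part of the original guide): it builds a boot-time rc script that re-applies the ndd tunables and the NIC duplex settings, checks the rlim_fd_max rule from item 6, and compares the live values with the wanted ones. The rc script path /etc/rc2.d/S99fw1tune and the driver list (hme, qfe) are assumptions to adjust for your system.

```shell
#!/bin/sh
# Added example, not from the Check Point guide. Re-applies the Solaris ndd
# tunables from items 3-5 at boot (ndd values are lost on reboot; only
# /etc/system entries persist). Paths and driver names are assumptions.

# Tunables from the guide, one "device parameter value" triple per line.
NDD_TUNABLES='
/dev/tcp tcp_xmit_hiwat 65535
/dev/tcp tcp_recv_hiwat 65535
/dev/tcp tcp_slow_start_initial 2
/dev/tcp tcp_conn_req_max_q 1024
/dev/tcp tcp_conn_req_max_q0 4096
/dev/tcp tcp_close_wait_interval 60000
'

# Item 6: rlim_fd_max must be at least 2 x tcp_conn_req_max_q.
# $1 = rlim_fd_max, $2 = tcp_conn_req_max_q; returns 0 when consistent.
check_fd_limit() {
    [ "$1" -ge $(( $2 * 2 )) ]
}

# Item 3: autoneg off, 100 Mb/s full duplex, for one driver ($1 = hme or qfe).
# For qfe the port must be selected with "ndd -set /dev/qfe instance N" first.
nic_commands() {
    printf 'ndd -set /dev/%s adv_autoneg_cap 0\n' "$1"
    printf 'ndd -set /dev/%s adv_100fdx_cap 1\n' "$1"
}

# Emit the complete rc script on stdout. $* = drivers to force to 100FDX.
gen_rc_script() {
    echo '#!/bin/sh'
    echo '# Re-apply FireWall-1 TCP/IP tunables (ndd values do not survive a reboot).'
    echo "$NDD_TUNABLES" | while read -r dev param value; do
        [ -n "$dev" ] || continue
        printf 'ndd -set %s %s %s\n' "$dev" "$param" "$value"
    done
    for drv in "$@"; do nic_commands "$drv"; done
}

# Print "param current wanted" for each tunable; only meaningful on a Solaris
# host where ndd exists (prints '?' for the current value elsewhere).
verify_live() {
    echo "$NDD_TUNABLES" | while read -r dev param value; do
        [ -n "$dev" ] || continue
        cur=$(ndd -get "$dev" "$param" 2>/dev/null || echo '?')
        printf '%-26s current=%-7s wanted=%s\n' "$param" "$cur" "$value"
    done
}

# Usage: sh fw1tune.sh install   (assumed file name; writes the rc script)
if [ "${1:-}" = "install" ]; then
    gen_rc_script hme qfe > /etc/rc2.d/S99fw1tune && chmod 744 /etc/rc2.d/S99fw1tune
    # 16384 is the rlim_fd_max suggested in item 6, 1024 the tcp_conn_req_max_q from item 5
    check_fd_limit 16384 1024 || echo 'WARNING: raise rlim_fd_max in /etc/system' >&2
    verify_live
fi
```

After installing, run the script once by hand and then verify_live again; a value that still shows the old number usually means the driver instance was not selected first.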

Windows NT Performance Tuning

Unless specifically mentioned, the recommendations in this section relate to Windows NT Server 4.0.

1. The most obvious, but often forgotten item - set the NT server memory strategy to "Maximize Throughput for Network Applications".
By default it is set to "Maximize Throughput for File Sharing", which gives all available NT memory to the file cache. Set under Control Panel -> Network -> Services -> Server -> Properties.


2. Disable all unneeded services and drivers.

Disable all of these:
Services: Alerter, Computer Browser, DHCP client, Messenger, Server, Task Scheduler
Devices: Parallel, ParPort, ParVdm, Serial, WINS Client
Also unbind the Netbios Interface and Wins Client (TCP/IP) from the network bindings.


3. Disable performance boost for foreground applications.

Set in ControlPanel -> System -> Performance. Move the Application Performance slider to None.
This gives the security servers the maximum amount of system resources.


4. Pagefile optimization.

Create a fixed-size page file (initial and maximum size equal, so that it cannot grow dynamically) of at least 2 times the amount of RAM, on another (preferably dedicated) disk drive.

5. Tuning TCP/IP registry values to improve network performance.

Parameters that affect the IP forwarding performance:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ForwardBufferMemory = 296960

REG_DWORD, multiple of 256, default 74240. Memory the IP stack allocates to store packet data in the router (forwarding) queue. The default value is enough for 50 1480-byte packets.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\NumForwardPackets = 200

REG_DWORD, default 50. Number of IP headers allocated for the router queue. Should be at least as large as ForwardBufferMemory divided by the IP data size of the network (296960 / 1480 = 200).

Increasing these two parameters can have a significant effect on throughput, especially with 'slow' policies. Also good for FloodGate-1 tuning.

Other TCP/IP stack parameters:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpWindowSize

REG_DWORD, default 8760 for Ethernet (6 x the 1460-byte Ethernet MSS). A larger TCP receive window improves performance over high-speed networks. For highest efficiency it should be an even multiple of the TCP Maximum Segment Size (MSS).

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\MaxFreeTcbs = 0xFA0

REG_DWORD, default 2000 (0xFA0 = 4000), timewait table size.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\MaxHashTableSize = 0x400

REG_DWORD, default 512 (0x400 = 1024), TCB hash table size.

Increase the number of TCP user ports available to applications - prevents the security servers from running out of ports:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort = 65534

REG_DWORD, default 5000.

Note: The NT registry values mentioned in this document for improving IP forwarding under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, such as ForwardBufferMemory, do NOT exist by default. They have to be created manually.


6. Tuning the general Windows NT network interface (NIC) parameters for maximal performance.

Change the ProcessorAffinityMask:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NDIS\Parameters\ProcessorAffinityMask = 0

This improves the CPUs' servicing of interrupts and DPCs generated by the network interface card(s) and unties the NIC from a specific CPU.


7. Tuning the specific vendor's NIC parameters for maximal performance.

Tuning the relevant NIC parameters can have significant performance effect.

Although the NIC Setup Interface and the NIC tunable parameters (properties) are proprietary to the specific network adapter most of the basic tunable parameters may be common to other brands/models.

7.1 Intel PRO/100+ PCI Fast Ethernet network adapter.

Under ControlPanel->Network->Adapter Properties->Advanced:

1. Adaptive Performance Tuning set to Maximal Adapter Bandwidth
2. Receive Buffers = 256
3. Transmit Control Blocks =  64
4. Coalesce Buffers = 16

The actual performance effect of these tunables depends on many factors such as traffic type, packet sizes, etc, so it is advised, if such opportunity exists, to experiment with the values for the maximal performance gain. Otherwise use values listed here.

III. FireWall-1 Performance Tuning
This section describes different changes to the VPN-1 environment that can affect various aspects of firewall performance.
Unless specifically mentioned, the techniques and methods described here equally apply to versions 4.0 and 4.1 (incl. CP2000) of the VPN-1.
1. Expanding the VPN-1 memory pool - by far the most important and frequently used tunable parameter.

Many important VPN-1 performance characteristics directly or indirectly depend on the amount of memory available to VPN-1 - number of concurrent connections VPN-1 is able to sustain, number of concurrent encrypted tunnels, etc.

By default VPN-1 allocates 3 MB (Nokia: 5 MB) of memory for its own use. Every simple connection (not authenticated, not encrypted, etc.) requires about 70 bytes of memory; encrypted (ISAKMP) traffic requires about 3 KB per encrypted tunnel. From these figures you can calculate the memory VPN-1 needs to support a given number of concurrent connections or encrypted tunnels: for example, 50000 plain connections need about 3.5 MB, and 15000 encrypted tunnels about 45 MB.

As our tests show, a good rule of thumb number for busy firewall memory allocation parameter is 16MB.
For Solaris
In /etc/system

set fw:fwhmem = 0x1000000
For Windows NT
In the registry

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FW1\Parameters
\Memory = 16000000
For Nokia (VPN-1) Appliance

zap -s _fwhmem $FWDIR/boot/modules/fwmod.o 0x1000000

The zap utility can reportedly be downloaded from Nokia site: devsupport.iprg.nokia.com/resolutions/1261/zap


2. Adjusting the connection table parameters for maximal (desired) number of concurrent connections and faster connection table lookups.

Again, good rule of thumb is to increase the connection table limit to 50000 (default 25000). With that number of connections it is also important to increase the table hash size to 65536 (default 8192) for faster lookups. Insufficient connection table size leads to connections being dropped and serious performance degradation. Adequate hashing noticeably improves performance.

In $FWDIR/lib/table.def file, 'connections' value:

connections = ... limit 50000 hashsize 65536


3. Adjusting the NAT tables parameters (size and hashsize).

In environments with large (> 25000) number of concurrent connections with address translation increase the NAT tables size and hash size. Insufficient NAT tables size can lead to serious performance degradation.

In $FWDIR/conf/objects.C file, under the props: section:

:nat_limit (xxx)           - xxx is the desired table size, default 25000
:Nat_hashsize (yyy)        - yyy is a power of 2 close to (or over) the table limit, e.g. 32768 for 25000
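Items 1 to 3 above give the per-connection memory figures, the 16 MB rule of thumb, and the "power of 2 close to or over the limit" rule for hash sizes. The script below is an added example (not from the original guide) that turns a planned number of concurrent connections and encrypted tunnels into the matching fwhmem value for all three platforms plus the table.def and objects.C lines. The 25% headroom it adds on top of the per-connection figures is this example's own assumption; the 16 MB floor is the guide's.

```shell
#!/bin/sh
# Added example, not from the Check Point guide. Sizes the VPN-1 memory pool
# and table parameters from the figures in items 1-3 above. The 25% headroom
# is an assumption of this example.
BYTES_PER_CONN=70            # plain connection (item 1)
BYTES_PER_TUNNEL=3072        # 3 KB per encrypted tunnel (item 1)
MIN_POOL=$(( 16 * 1024 * 1024 ))   # 16 MB rule of thumb = 0x1000000

# Memory pool size in bytes for $1 connections and $2 encrypted tunnels,
# never below the 16 MB floor.
pool_bytes() {
    need=$(( $1 * BYTES_PER_CONN + $2 * BYTES_PER_TUNNEL ))
    need=$(( need + need / 4 ))        # 25% headroom (assumption)
    if [ "$need" -gt "$MIN_POOL" ]; then echo "$need"; else echo "$MIN_POOL"; fi
}

# Smallest power of two >= $1: hashsize for table.def and Nat_hashsize (items 2, 3).
pow2_ceil() {
    p=1
    while [ "$p" -lt "$1" ]; do p=$(( p * 2 )); done
    echo "$p"
}

# Print the settings for every platform. $1 = connections, $2 = tunnels
print_settings() {
    bytes=$(pool_bytes "$1" "$2")
    hash=$(pow2_ceil "$1")
    echo '# Solaris: /etc/system'
    printf 'set fw:fwhmem = 0x%x\n' "$bytes"
    echo '# Windows NT: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FW1\Parameters'
    printf 'Memory = %d   (REG_DWORD)\n' "$bytes"
    echo '# Nokia appliance'
    printf 'zap -s _fwhmem $FWDIR/boot/modules/fwmod.o 0x%x\n' "$bytes"
    echo '# $FWDIR/lib/table.def: add to the connections entry'
    printf 'limit %d hashsize %d\n' "$1" "$hash"
    echo '# $FWDIR/conf/objects.C, props: section'
    printf ':nat_limit (%d)\n:Nat_hashsize (%d)\n' "$1" "$hash"
}

# Usage: sh fw1size.sh 50000 15000   (assumed file name)
print_settings "${1:-50000}" "${2:-0}"
```

With 50000 connections and no tunnels the calculator stays at the 16 MB floor (0x1000000), which is exactly the guide's rule of thumb; with 15000 tunnels on top it asks for roughly 60 MB, which is why item 4 below treats that tunnel count as a separate case.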


4. Windows NT encryption performance tuning when handling massive (15000 or more) numbers of concurrent encrypted tunnels.

Especially relevant when working with HW accelerator.

Add the following registry values (type DWORD):

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FW1\Parameters
\PacketPoolSize = 3000

(default 1Kbytes)

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FW1\Parameters
\BufferPoolSize = 6000
(PacketPoolSize x 2, default 2Kbytes)

Yields significant performance improvement when working with large numbers of concurrent encrypted tunnels.


5. Minimizing the performance impact of Session Authentication for HTTP on VPN-1 - specific to version 3.0, irrelevant in later versions.

Session Authentication can cause up to a 50% decrease in HTTP performance. The reason is that the browser opens an HTTP connection for each item in the page, so authentication is done for each item. Apart from using standard HTTP User Authentication or Client Authentication, it is possible to implement the undocumented "Implicit Client Authentication", which triggers Session Authentication only for the first HTTP connection:

Exit all GUI clients (the Policy Editor overwrites objects.C when it saves) and edit the $FWDIR/conf/objects.C file. Add the following to the props: section:

:automatically_open_ca_rules (true)

add two rules

AllUsers@Any Any HTTP Client Auth
AllUsers@Any Any HTTP Session Auth


install security policy.


6. Proxy performance tuning for VPN-1 - applies to versions 4.1 and later.

Applicable to both transparent and pure proxy modes:

in $FWDIR/conf/objects.C, under props: section add value:

:http_buffer_size (16384)    (or 32768, default buffer size 4096)

According to our test results, causes up to 30% proxy throughput improvement.

7. Security servers performance on SMP systems

Make sure to run multiple instances of security servers on multiprocessor systems.

In case of HTTP proxy, for dual CPU system - in $FWDIR/conf/fwauthd.conf:

80    in.ahttpd    wait    -2


8. Chrysalis VPN Accelerator Card performance tuning.

Tuning the VPN Accelerator Card state machine parameters.

For Solaris
In /kernel/drv/luna.conf file

inline_tier_interrupt = 0        (default 1)
inline_smachine = 0              (default 1)

For Windows NT

In the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LunaVPN\SINGLE_TIER_INTERRUPT = 0     (REG_DWORD)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LunaVPN\INLINE_SMACHINE = 0           (REG_DWORD)


Changing these values on Solaris significantly improves the VPN IKE performance. On Windows NT these parameters are set to zero values by default.

 
IMPORTANT NOTICE - The information in this document is provided on an 'as is' basis. Performance recommendations contained herein are followed at your own risk. Check Point bears no responsibility whatsoever for any damage resulting from following the recommendations contained in this document. Many techniques mentioned in this document require extensive administrative knowledge of VPN-1 and the underlying OS and should be implemented with caution. Nothing in this document should be viewed as a commitment by Check Point to release or maintain any product, version, feature or performance level at any time. The performance data this document is based on was obtained in the Check Point Performance Laboratory and may differ from results obtained elsewhere.
 