Troubleshooting Performance Pack (Check Point)

Few areas of Performance Pack will need troubleshooting. Check Point has made Performance Pack a very simple product. It seamlessly improves the performance of Firewall-1/VPN-1, with very little configuration necessary.

If you do suspect Performance Pack is causing trouble, turn it off using fwaccel off, then see whether your issue remains.

That being said, there is one area of Performance Pack that deserves a closer look: Connection Templates. Connection Templates improve the setup and teardown rate of connections that differ only by source port. A typical example is a Web server: One client will initiate many connections to the server in the course of one session.These connections differ by source port only.

Connection Templates will be generated only for simple TCP or UDP connections. Connection Templates are subject to a few restrictions:

■ If SYN Defender is enabled, Connection Templates will only be created for UDP connections.

■ Connection Templates will never be created for:

■ NAT connections

■ VPN connections

■ Complex connections such as H.323, FTP or SQL

■ Connections involving a security server

Connection Templates will be disabled completely if the Rule Base contains a rule containing one of the following:


■ Service(s) with a source port range

■ A time object

■ Dynamic objects and/or Domain objects


■ Services of type "other" with a match expression

■ Services of type RPC/DCERPC/DCOM

If your Rule Base contains a rule with one or more of the preceding factors, you will receive console and log messages telling you that Connection Templates have been disabled and identifying the restricted rules. To enable Connection Templates, you will have to either rewrite or delete those rules. To merely disable them is not sufficient.

Summary

Performance Pack, also called SecureXL, is a software solution to accelerate CPU-intensive FireWall-1/VPN-1 operations, including but not limited to setup and tear-down of connections, encryption, authentication, accounting, and NAT. It is supported on Solaris and SecurePlatform, with support on Nokia IPSO planned in the near future. Performance Pack is an alternative to performance solutions found on other FireWall-1/VPN-1 platforms.

Care must be taken when working with the physical interfaces of the host platform; turn acceleration off before enabling, disabling, or changing an interface.

The ideal hardware platform for Performance Pack has multiple high-powered CPUs, multiple independent very fast I/O buses, and at least 1GB of memory. Lower-specification hardware will still benefit from Performance Pack but will not reach the 3Gbps+ throughput on high-end hardware that Check Point states.

Real-world throughput will be lower than the numbers quoted by Check Point, but by no means will they be low. Impressive throughput of well over 2Gbps TCP throughput and over 600Mbps encrypted VPN can be achieved.

Performance Pack can be installed with the Comprehensive Install package on Solaris and comes preinstalled by default on SecurePlatform. If so desired, it is possible to install Performance Pack as a separate package after initial system install.

Performance Pack is very easy to use, but its configuration options are limited.You can turn acceleration on and off, and you have some tools to optimize performance, particularly on multiprocessor systems. Session setup and teardown optimization through Connection Templates might require changes to your Rule Base to work.

Next post:

Previous post: