Performance Pack Administration Guide Version NGX R65 March 2007 TM © 2003-2007 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN- 1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications. For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS. Table of Contents 5 Contents Preface Who Should Use This Guide 8 Summary of Contents 9 Related Documentation 10 More Information 13 Feedback 14 Chapter 1 Introduction to Performance Pack Overview 16 Release Notes 17 Chapter 2 Getting Started Performance Pack NGX System Requirements 20 Minimum System Requirements 20 Recommended System Options 21 Performance Pack Recommended Platform Configuration 22 Preparing the Performance Pack NGX Machine 23 BIOS Settings 23 Network Interface Cards location 23 Installation 23 Chapter 3 Command Line fwaccel 26 cpconfig 27 sim 28 proc entries 29 Appendix 4 Performance Tuning and Measurement Hints Performance Tuning 32 SYN Defender 32 Amount of Concurrent Connections and Hash Size 32 Implied Rules 33 HyperThreading 33 Connection Templates 34 Delayed Synchronization 35 Performance Measurement 37 TCP State and Benchmarking 37 Index 45 6 7 Preface P Preface In This Chapter Who Should Use This Guide page 8 Summary of Contents page 9 Related Documentation page 10 More Information page 13 Feedback page 14 Who Should Use This Guide 8 Who Should Use This Guide This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support. This guide assumes a basic understanding of • System administration. • The underlying operating system. • Internet protocols (IP, TCP, UDP etc.). Summary of Contents Preface 9 Summary of Contents This document describes how to install and configure Performance Pack. Additionally, it shows you how to get the best possible performance using Performance Pack Chapter Description Chapter 1, “Introduction to Performance Pack” Contains a general description of Performance Pack. Chapter 2, “Getting Started” Describes system requirements, recommended platforms and how to prepare for the NGX Machine. Chapter 3, “Command Line” Contains explanations of the Performance Pack commands. Chapter 4, “Performance Tuning and Measurement Hints” Describes Performance Pack Tuning and Measurement. Related Documentation 10 Related Documentation The NGX R65 release includes the following documentation TABLE P-1 VPN-1 Power documentation suite documentation Title Description Internet Security Product Suite Getting Started Guide Contains an overview of NGX R65 and step by step product installation and upgrade procedures. This document also provides information about What’s New, Licenses, Minimum hardware and software requirements, etc. Upgrade Guide Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65. SmartCenter Administration Guide Explains SmartCenter Management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments at the perimeter, inside the network, at all user endpoints. Firewall and SmartDefense Administration Guide Describes how to control and secure network access; establish network connectivity; use SmartDefense to protect against network and application level attacks; use Web Intelligence to protect web servers and applications; the integrated web security capabilities; use Content Vectoring Protocol (CVP) applications for anti-virus protection, and URL Filtering (UFP) applications for limiting access to web sites; secure VoIP traffic. Virtual Private Networks Administration Guide This guide describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure. [...]... Release Notes for Performance Pack can be found at: http://www.checkpoint.com/support/technical/documents/index.html Chapter 1 Introduction to Performance Pack 17 Release Notes 18 Chapter Getting Started 2 In This Chapter Performance Pack NGX System Requirements page 20 Performance Pack Recommended Platform Configuration page 22 Preparing the Performance Pack NGX Machine page 23 19 Performance Pack NGX System... Chapter Introduction to Performance Pack In This Chapter Overview page 16 Release Notes page 17 15 Overview Overview Performance Pack is supported both for SecurePlatform and Solaris platforms Performance Pack is a software acceleration product installed as an add-on to VPN-1 Power Performance Pack significantly enhances and improves the performance of VPN-1 Power Performance Pack uses Check Point’s... the interfaces to which Performance Pack is attached statistics Displays general Performance Pack statistics Chapter 3 Command Line 29 proc entries 30 Chapter Performance Tuning and Measurement Hints 4 In This Appendix Performance Tuning page 32 Performance Measurement page 37 31 Performance Tuning Performance Tuning SYN Defender To obtain optimal TCP connection setup rate performance, verify that... 3650 • HP Proliant DL-380 G5 • Dell PowerEdge 1950 or PowerEdge 2950 Please refer to the latest Performance Pack release notes for additional information on hardware support, limitations and recommendations 22 Preparing the Performance Pack NGX Machine Preparing the Performance Pack NGX Machine For optimal performance, appropriate configuration settings are recommended for the following: • BIOS Settings... entries proc entries Performance Pack supports SecurePlatform proc entries These entries are used to display information about the Performance Pack The proc entries are read-only entries They cannot be configured The proc entries are located under /proc/ppk Usage cat /proc/ppk/[conf|ifs|statistics] Parameters Table 3-3 /proc Parameters Parameter Explanation conf Displays the Performance Pack Configuration... GigaSwift Bus Technology At least two 64bit/66Mhz PCI buses, ServerWorks or Intel E7500 Chipset Chapter 2 Getting Started 21 Performance Pack Recommended Platform Configuration Performance Pack Recommended Platform Configuration It is recommended you use Performance Pack on a platform configured with a Dual-Core Intel Xeon Processor 5160 (3.00 GHz, 333 MHz FSB, 2x2 MB L2 Cache), with 667 MHz RAM, or... page 20 Performance Pack Recommended Platform Configuration page 22 Preparing the Performance Pack NGX Machine page 23 19 Performance Pack NGX System Requirements Performance Pack NGX System Requirements Performance Pack accelerates the performance of VPN-1 Power on: • Hardware supported by SecurePlatform • Solaris 8, 9, or 10 for SPARC 64 Bit Following are the minimum recommended requirements: Minimum... Settings • If your BIOS supports CPU clock setting, make sure that the BIOS is set to the actual CPU speed • If you are running Performance Pack NGX R65 on a machine with Intel Xeon CPUs, consider setting the HyperThreading feature to “on” Using HyperThreading may improve performance for some scenarios Network Interface Cards location • If you are using a motherboard with multiple PCI or PCI-X buses,... sim utility controls various Performance Pack driver features and applies only for SecurePlatform Usage sim affinity [-a|-s|-l] Parameters Affinity is a general term for binding Network Interface Card (NIC) interrupts to processors By default, SecurePlatform does not set Affinity to the NIC interrupts, which means that each NIC is handled by all processors Optimal network performance is obtained when... run, this utility displays a screen with the configuration options The options that are displayed, depend on the installed configuration and product(s) You can use cpconfig to enable or disable Performance Pack Once you have selected an acceleration setting, the setting remains configured, until you choose to change it on another occasion In other words, the settings that you define will remain even . Machine page 23 Performance Pack NGX System Requirements 20 Performance Pack NGX System Requirements Performance Pack accelerates the performance of VPN-1. Chapter Performance Pack NGX System Requirements page 20 Performance Pack Recommended Platform Configuration page 22 Preparing the Performance Pack NGX