Document information: 64 pages, 782.96 KB
High Availability and Clustering • Chapter 6 289

■ Use good fast networking cards—100Mbps Ethernet full duplex or gigabit Ethernet cards—in the cluster members. Make sure that surrounding hubs and routers from the origin of the data through to the destination of the data have fast physical networking hardware. These are the key areas that will give you high throughput.
■ Use fast single-processor members in the cluster, with lots of memory.
■ Use a load-sharing cluster as opposed to an HA cluster. Traffic can be shared across the members in the cluster, which will give higher data rates of throughput.
■ Keep your Rule Base short and compact. Larger numbers of rules will slow throughput. This applies to NAT rules and the security Rule Base.

You need good networking cards, and your hubs and routers—all the way from data source through the cluster to the data destination—need to be as good as you can get. This will define your maximum throughput, and it is this line speed that you will aim for.

Using fast single-processor members and plenty of memory is good practice. It enables the member in the cluster to deal with highly processor-intensive services, such as VPN connections, as quickly as possible. Different members in the load-sharing cluster will take different VPN connections between the cluster and the remote sites, so one member will not be dealing with all the VPN traffic. If you have just one VPN set up between the cluster and the remote site, only one member in the cluster will take the load. If you have several VPNs set up, multiple members in the cluster will be dealing with the VPN connections, depending on the load-sharing algorithm used. In addition, if you are using the security servers for passing traffic such as FTP, HTTP, or Telnet, this is load shared across the cluster as well and will also give you efficiencies, because it can also be CPU intensive.
If you are using security servers, make sure that the DNS resolver on each member of the cluster is pointing at a high-speed DNS server or servers (which preferably have a very rich cache) so that DNS lookups do not hold up performance. Lots of memory will prevent your host from writing too much to the swap area, although some operating systems use their swap space regardless of how much physical memory you install.

If you are going for high throughput, you have to use a load-sharing clustering solution. This gives you scalability and allows big benefits for VPNs and security server connections. It gives big benefits for normal connections as well.

You can do many things with Rule Base tuning that will make a big difference to the throughput of a member. Tuning the Rule Base will also improve connections-based performance. The types of things you need to do to a Rule Base to make it more efficient are as follows:

www.syngress.com 259_ChkPt_VPN_06.qxd 4/4/03 10:40 AM Page 289

■ Reduce the number of rules to a minimum.
■ Try not to write rules whose source or destination is a group object, because a group is multiplied out into individual rules when the policy is compiled. Instead, use network objects subnetted appropriately.
■ Do not nest group objects inside one another. Again, this causes the compiled Rule Base to contain a large number of rules.
■ Reduce the number of NAT rules to a minimum.
■ Reduce the number of objects you reference in the Rule Base.
■ Don't use resource rules or user authentication unless you need to. The throughput of the security servers is not as fast as a straight stateful connection through the FireWall-1 kernel.
■ Place the most commonly matched rules as close to the top of the Rule Base as you can get away with.
■ Avoid using domain objects.
■ Keep logging to a minimum on rules.
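As an added illustration of why group objects and nested groups blow up the compiled Rule Base, the following Python model (example code written for this page, not code from the book or from Check Point) expands nested groups the way the text describes, counts the resulting source x destination x service combinations, and then shows the effect of the text's advice to replace host groups with appropriately subnetted network objects. The object names, the group contents and the simple "one compiled rule per combination" model are assumptions for illustration; the real compiler's behaviour is not documented on this page.

```python
"""Model how a FireWall-1 rule with group objects multiplies out when compiled.

Added example, not from the book or from Check Point.  The object
database, the group contents and the simple "one compiled rule per
source/destination/service combination" model are assumptions used to
illustrate the chapter's advice; real compiler behaviour is not
documented on this page.
"""
import ipaddress
from itertools import product

# Constructed object database: a group may contain hosts, networks or other groups.
OBJECTS = {
    "web_hosts": ["10.1.1.8", "10.1.1.9", "10.1.1.10", "10.1.1.11"],
    "db_hosts": ["10.1.2.10", "10.1.2.11"],
    "servers": ["web_hosts", "db_hosts"],        # nested group
    "branch_a": ["192.168.10.0/24"],
    "branch_b": ["192.168.11.0/24"],
    "branches": ["branch_a", "branch_b"],        # nested group
    "web_services": ["http", "https"],
}

# One rule written the "convenient" way: group -> group, service group.
RULE = {"src": "branches", "dst": "servers", "svc": "web_services"}


def expand(name, objects, _seen=frozenset()):
    """Flatten a (possibly nested) group into its leaf objects; a leaf returns itself."""
    if name in _seen:
        raise ValueError("group loop at %s" % name)
    if name not in objects:
        return [name]
    leaves = []
    for member in objects[name]:
        leaves.extend(expand(member, objects, _seen | {name}))
    return leaves


def compiled_rules(rule, objects):
    """Every (source, destination, service) triple the rule expands into."""
    return list(product(expand(rule["src"], objects),
                        expand(rule["dst"], objects),
                        expand(rule["svc"], objects)))


def collapse_hosts(name, objects):
    """Replace the hosts/networks in a group by the fewest exactly-covering CIDR blocks."""
    nets = [ipaddress.ip_network(leaf, strict=False) for leaf in expand(name, objects)]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def tuned_rule_count(rule, objects):
    """Size of the same rule once source and destination groups are subnetted."""
    return (len(collapse_hosts(rule["src"], objects))
            * len(collapse_hosts(rule["dst"], objects))
            * len(expand(rule["svc"], objects)))


if __name__ == "__main__":
    print("as written:", len(compiled_rules(RULE, OBJECTS)), "compiled rules")
    print("servers collapse to", collapse_hosts("servers", OBJECTS))
    print("after subnetting:", tuned_rule_count(RULE, OBJECTS), "compiled rules")
```

collapse_addresses only merges blocks that are contiguous and aligned, so the subnetted objects cover exactly the same addresses as the original host list; nothing extra is permitted by the shorter rule. If your hosts are not aligned to a CIDR boundary you get more than one block back, which is still far fewer entries than one per host.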
Tuning VPNs for throughput is a special case. You can always increase the overall performance of a VPN by making the member do less work to encrypt and decrypt packets, but this is usually at the price of security. For example, using weaker encryption algorithms or key lengths will reduce the security of encrypted packets, but it will mean that the firewall members have to do less work. Using perfect forward secrecy also causes a significant performance overhead, but turning it off reduces security. If no compromise of security versus throughput is possible, you have two other options open to you. One is to use the Check Point Performance Pack, which will give you VPN acceleration. The other is to use a hardware accelerator in each member of the cluster, which will offload the DES and 3DES calculations for VPNs.

To summarize, anything that you can do on a single firewall member to improve performance is also true of a FireWall-1 member in a clustered environment.

Improving for Large Number of Connections

In many ways, improving for a large number of connections requires more thought than tweaking your cluster for maximum data throughput, because it is less dependent on hardware. The first thing you need to be aware of that will reduce the performance of a cluster as far as a large number of connections is concerned is the rate of change of new connections. If this is very high, these particular types of connections are good candidates for not being synchronized between cluster members. On clusters, you need to reduce the number of connections in the connections state table, and you also need to reduce the number of connections that are synchronized statefully.
For example, DNS lookups through a member will be done often. These are small packets, which are often responded to very quickly, and most DNS resolvers are quite patient about waiting for a response. Many DNS lookups are done, especially by HTTP clients, FTP clients, and the FireWall-1 management server itself if logging has been told to resolve hostnames. DNS is a classic service for which you would turn off state table sync. It is a very transient UDP-based service, so synchronizing its state makes little sense. By default, the service is synchronized across the cluster members. To turn this off, start the SmartDashboard GUI, log in, click Manage | Services, and select the service domain-udp, as shown in Figure 6.88. Click the Edit button, then click the Advanced button. Uncheck the Synchronize on cluster check box, then click OK and install the policy. The trade-off is that an entry of an unsynchronized service that is in flight at the moment of a failover is unknown to the surviving member and has to be re-established, which for DNS simply means a client retry.

There are a large number of services to which you might want to do this. The more you reduce the state synchronization required, the better the members in your cluster will perform for connections.

The other weapon you have for reducing the number of connections in the state table is reducing the virtual session timeout for each service. This especially applies to UDP services, but it can also apply to many TCP-based services, such as HTTP. Most HTTP sessions are short and transient, so unless you are hosting a Web site where it is vital that each HTTP session opened stays in the table for longer than 3600 seconds (1 hour), it is a good idea to reduce this in the service itself. This means that if the session did not finish normally, the timeout will clear the entry more quickly than the default of 1 hour. You can do this by clicking Virtual Session Timeout in the Advanced area of each service definition, as shown in Figure 6.89.
Once you have done as much as you can to reduce the number of connections that each member will have, and you have reduced the number of connections that will be synchronized across the cluster, you need to tune each member in the cluster to accept more than 25,000 connections and tune the kernel memory and NAT table sizes as well to cater for the increase in connections.

Figure 6.88 Turning Off State Synchronization for a Specific Service

Before FireWall-1 NG FP3 this was a manual process of editing text files, but now it can all be done from the SmartDashboard GUI. Navigate to the Manage menu, choose Network Objects, then locate the Cluster Gateway Object of your cluster, and click Edit. On the left side of the popup window, select Capacity Optimization. From Figure 6.90, you can see that you can modify all the parameters mentioned earlier. The automatic setting for memory pool size and connection hash table size is usually fine, but you might want to monitor these parameters (which we discuss next). If you need to manually tweak the hash table size and the memory pool size, you can also do this from this screen. Note that the change to the connections table size takes effect only after a policy install.

Figure 6.89 Advanced Settings of the DNS UDP Service
Figure 6.90 Configuring Capacity Optimization of Your Cluster

You'll want to monitor the connections table sizes, the memory pool size, and the table hash sizes. How can you do this? The best way is to get a console connection to one of your modules and run the diagnostic commands to reveal this information.
Monitoring the Connections Table

The first thing you will want to do is examine the connections table of a module to determine the current maximum limit for the number of connections. This can be done with the fw tab -t connections command from one of the firewall modules in the cluster. At the top of this command's output are the parameters of this table, which you need to take note of, including the maximum number of connections (limit):

connections dynamic, id 8158, attributes: keep, sync, expires 60, refresh, limit 25000, hashsize 32768, kbuf 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30, free function 707138a0 0

Raising the number of connections to 50,000 and then running the command again will show the new table size for connections and a new hash size:

connections dynamic, id 8158, attributes: keep, sync, expires 60, refresh, limit 50000, hashsize 262144, kbuf 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30, free function 707138a0 0

Note that when you change the connections size, the SmartView Tracker logs will also show that the connections table has changed, the connections table hash has changed, and the memory pool size has changed.

If you want to monitor the number of connections going through a member at any one time, use the command fw tab -t connections -s. This gives you the current number of connections in the table (#VALS column) and the peak number of connections (#PEAK column):

fw1 # fw tab -t connections -s
HOST       NAME         ID    #VALS  #PEAK  #SLINKS
localhost  connections  8158  5      20     8

You could get to the stage where you would like to identify a specific connection on a module and check that you can see that connection synchronized to another module in the cluster. To look at the connections table and make sure that it makes sense, use the command fw tab -t connections -f:

10:49:12 192.168.11.131 > (+); Direction: 0; Source: 192.168.1.100; SPort: 4990; Dest: 192.168.1.130; DPort: telnet; Protocol: tcp; CPTFMT_sep: ;; Type: 114689; Flags: 8405120; Rule: 2; Timeout: 3600; Handler: 0; Uuid: 3e37b13c0c3a610837b6; Ifncin: 4; Ifncout: 4; Ifnsin: -1; Ifnsout: -1; Bits: 0000000002000000; NAT_VM_Dest: 192.168.1.131; NAT_VM_Flags: 100; NAT_Client_Dest: 192.168.1.130; NAT_Client_Flags: 100; NAT_Server_Flags: 0; NAT_Xlate_Flags: 32836; SeqVerifier_Kbuf_ID: 1076676608; Expires: 3495/3600; product: VPN-1 & FireWall-1;

10:49:12 192.168.11.131 > (+); Direction: 1; Source: 192.168.1.131; SPort: telnet; Dest: 192.168.1.100; DPort: 4990; Protocol: tcp; CPTFMT_sep_1: ->; Direction_1: 0; Source_1: 192.168.1.100; SPort_1: 4990; Dest_1: 192.168.1.130; DPort_1: telnet; Protocol_1: tcp; FW_symval: 5; product: VPN-1 & FireWall-1;

Normally, the fw tab -t connections -f command would show all connections, but you can filter it down by piping into the grep command (fw tab -t connections -f | grep telnet is what was done in the preceding example).

The connection we are interested in is the one that has an Expires: parameter. This shows the TCP timeout of the connection, so it is a good way to prove that your change to a service's virtual session timeout is working (see Figure 6.89). The other entry is the reverse-direction link for the reply from the cluster IP address (the session initiated was a Telnet from host 192.168.1.100 to the VIP address 192.168.1.130; the NAT_VM_Dest field in the first entry shows the VIP being translated to 192.168.1.131).

The Telnet service is state synchronized, so we should see exactly the same connection in the connections table of fw2 in the cluster. State table synchronization sends an update at least every 100ms to all members in the cluster.
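As an added example (written for this page, not code from the book or from Check Point), the following Python reads the three forms of fw tab -t connections output shown above, as you would capture them to a file from the console, and answers the two questions this section raises: how close the peak number of entries is to the table's limit, and which connections are still carrying the default 3600 second timeout after you have reduced a service's virtual session timeout. The embedded samples are constructed from the listings in this section (with some record fields trimmed); the 80 percent warning threshold is an assumption.

```python
"""Read `fw tab -t connections` output from a FireWall-1 NG FP3 module.

Added example, not from the book or from Check Point.  Three forms of the
command are parsed: the table header (limit, hashsize, sync attribute),
the `-s` statistics line (#VALS / #PEAK) and the `-f` per-connection
records (to check the Expires: field after changing a service's virtual
session timeout).  Samples are constructed from the listings in the
chapter; the warning threshold is an assumption.
"""
import re

# Constructed sample: first line of `fw tab -t connections`
HEADER = ("connections dynamic, id 8158, attributes: keep, sync, expires 60, "
          "refresh, limit 25000, hashsize 32768, kbuf 16 17 18 19 20, "
          "free function 707138a0 0")

# Constructed sample: `fw tab -t connections -s`
STATS = """HOST NAME ID #VALS #PEAK #SLINKS
localhost connections 8158 5 20 8
"""

# Constructed sample: `fw tab -t connections -f | grep telnet` (fields trimmed)
RECORDS = """10:49:12 192.168.11.131 > (+); Direction: 0; Source: 192.168.1.100; SPort: 4990; Dest: 192.168.1.130; DPort: telnet; Protocol: tcp; CPTFMT_sep: ;; Rule: 2; Timeout: 3600; NAT_VM_Dest: 192.168.1.131; Expires: 3495/3600; product: VPN-1 & FireWall-1;
10:49:12 192.168.11.131 > (+); Direction: 1; Source: 192.168.1.131; SPort: telnet; Dest: 192.168.1.100; DPort: 4990; Protocol: tcp; CPTFMT_sep_1: ->; FW_symval: 5; product: VPN-1 & FireWall-1;
"""


def parse_header(line):
    """Table attributes as a dict: id, expires, limit, hashsize and whether it is synced."""
    attrs = {k: int(v) for k, v in re.findall(r"\b(id|expires|limit|hashsize) (\d+)", line)}
    attrs["sync"] = bool(re.search(r"attributes:.*\bsync\b", line))
    return attrs


def parse_stats(text):
    """`-s` output: the column headers become keys, so column order does not matter."""
    header, row = (ln.split() for ln in text.strip().splitlines()[:2])
    rec = dict(zip(header, row))
    return {"vals": int(rec["#VALS"]), "peak": int(rec["#PEAK"]), "slinks": int(rec["#SLINKS"])}


def parse_records(text):
    """`-f` output: one dict of 'Key: value' fields per table entry."""
    entries = []
    for line in text.strip().splitlines():
        body = line.split("> (+);", 1)[-1]          # drop timestamp and table owner
        fields = {}
        for part in body.split(";"):
            key, sep, value = part.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        entries.append(fields)
    return entries


def capacity(header, stats, warn_ratio=0.8):
    """Compare the peak entry count with the table limit (warn_ratio is an assumption)."""
    ratio = stats["peak"] / header["limit"]
    return {"limit": header["limit"], "peak": stats["peak"],
            "peak_ratio": round(ratio, 4), "warn": ratio >= warn_ratio}


def on_default_timeout(entries, default=3600):
    """Entries whose Expires: total still equals (or exceeds) the default session timeout."""
    hits = []
    for e in entries:
        if "Expires" in e:
            remaining, total = (int(x) for x in e["Expires"].split("/"))
            if total >= default:
                hits.append((e["Source"], e["Dest"], e["DPort"], remaining, total))
    return hits


if __name__ == "__main__":
    hdr = parse_header(HEADER)
    print(capacity(hdr, parse_stats(STATS)))
    for hit in on_default_timeout(parse_records(RECORDS)):
        print("still on default timeout:", hit)
```

Only entries with an Expires: field are real connections; the reverse-direction link (the second record above) has none and is skipped, which is why the script reports one Telnet session rather than two.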
Monitoring Pool Memory

Pool memory is fairly easy to monitor in FireWall-1 NG FP3. You need to make sure that kernel memory for the firewall kernel is not exhausted, or else you could end up with halloc memory allocation error messages in the system logs of your operating system. This can lead to the host becoming unresponsive and intermittently locking up, including locking up console access to the member. You can monitor the kernel memory situation using the command fw ctl pstat on the firewall module:

fw2 # fw ctl pstat
Hash kernel memory (hmem) statistics:
  Total memory allocated: 20971520 bytes in 5118 4KB blocks using 2 pools
  Initial memory allocated: 6291456 bytes (Hash memory extended by 14680064 bytes)
  Memory allocation limit: 83886080 bytes using 10 pools
  Total memory bytes used: 348308 unused: 20623212 (98.34%) peak: 369584
  Total memory blocks used: 114 unused: 5004 (97%) peak: 126
  Allocations: 71973 alloc, 0 failed alloc, 66671 free

System kernel memory (smem) statistics:
  System physical memory: 255074304 bytes
  Available physical memory: 59908096 bytes
  Total memory bytes used: 31724112 peak: 31869120
  Blocking memory bytes used: 1531912 peak: 1636904
  Non-Blocking memory bytes used: 30192200 peak: 30232216
  Allocations: 3645229 alloc, 0 failed alloc, 3644952 free, 0 failed free

Kernel memory (kmem) statistics:
  Total memory bytes used: 11088212 peak: 11826720
  Allocations: 81792 alloc, 0 failed alloc, 76215 free, 0 failed free

Kernel stacks:
  262144 bytes total, 16384 bytes stack size, 16 stacks, 2 peak used, 4124 max stack bytes used, 1028 min stack bytes used, 0 failed stack calls

INSPECT:
  13746 packets, 2698521 operations, 43174 lookups, 0 record, 702731 extract

Cookies:
  2309961 total, 0 alloc, 0 free, 21 dup, 863658 get, 1243 put, 1458553 len, 0 cached len, 0 chain alloc, 0 chain free

Connections:
  4019 total, 436 TCP, 3381 UDP, 201 ICMP, 1 other, 5 anticipated, 7 recovered, 10 concurrent, 26 peak concurrent, 861843 lookups

Fragments:
  0 fragments, 0 packets, 0 expired, 0 short, 0 large, 0 duplicates, 0 failures

NAT:
  215/0 forw, 1021/0 bckw, 1214 tcpudp, 22 icmp, 1268-1410 alloc

sync new ver working
sync out: on sync in: on
sync packets sent:
 total: 9302 retransmitted: 0 retrans reqs: 0 acks: 49
sync packets received:
 total 4911 of which 0 queued and 0 dropped by net
 also received 0 retrans reqs and 38 acks to 17 cb requests
callback average delay 1 max delay 6

The areas of kernel memory you should keep an eye on are total memory bytes used, unused, and peak usage. The peak usage will tell you whether there has been a point in the past when there was not enough kernel memory. You will get a non-zero count in the failed alloc field of hash kernel memory and system kernel memory if there is a memory allocation problem under connection load.

The output of this command also gives you connections statistics, fragmented packet stats, and NAT stats. It provides the state synchronization statistics as well.

Final Tweaks to Get the Last Drop of Performance

We have by no means covered everything you can do to the members in your cluster to maximize their performance. One particular area of note is optimizing the operating system that the members use. This varies considerably from one operating system to another in terms of the types and extent of tuning you can do, but it is thoroughly worth doing.

Summary

Most of the hard work and decision making you'll encounter will be at the design stage. Whether you are upgrading existing modules to NG FP3, what platforms the modules run on, and what hubs and switches you have available are all questions you will have to consider.
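To act on the fw ctl pstat counters that the Monitoring Pool Memory section above says to watch, here is an added example (written for this page; not code from the book or from Check Point) that parses a pstat listing and reports failed allocations, peak usage against the hash memory limit, peak concurrent connections against the connections limit you read from fw tab, and state-sync drops or retransmissions. The listing embedded in the script is trimmed from the one shown above; the warning thresholds (80 percent of a limit, 1 percent retransmissions) are assumptions, not Check Point guidance.

```python
"""Check the counters in `fw ctl pstat` output from a FireWall-1 NG FP3 module.

Added example, not from the book or from Check Point.  It parses the hmem,
smem and kmem blocks, the Connections block and the sync block, and turns
them into warnings.  PSTAT below is trimmed from the chapter's listing;
all thresholds are assumptions.
"""
import re

PSTAT = """\
Hash kernel memory (hmem) statistics:
  Total memory allocated: 20971520 bytes in 5118 4KB blocks using 2 pools
  Memory allocation limit: 83886080 bytes using 10 pools
  Total memory bytes used: 348308 unused: 20623212 (98.34%) peak: 369584
  Total memory blocks used: 114 unused: 5004 (97%) peak: 126
  Allocations: 71973 alloc, 0 failed alloc, 66671 free

System kernel memory (smem) statistics:
  System physical memory: 255074304 bytes
  Available physical memory: 59908096 bytes
  Total memory bytes used: 31724112 peak: 31869120
  Allocations: 3645229 alloc, 0 failed alloc, 3644952 free, 0 failed free

Kernel memory (kmem) statistics:
  Total memory bytes used: 11088212 peak: 11826720
  Allocations: 81792 alloc, 0 failed alloc, 76215 free, 0 failed free

Connections:
  4019 total, 436 TCP, 3381 UDP, 201 ICMP, 1 other, 5 anticipated, 7 recovered, 10 concurrent, 26 peak concurrent, 861843 lookups

sync new ver working
sync out: on sync in: on
sync packets sent:
 total: 9302 retransmitted: 0 retrans reqs: 0 acks: 49
sync packets received:
 total 4911 of which 0 queued and 0 dropped by net
 also received 0 retrans reqs and 38 acks to 17 cb requests
callback average delay 1 max delay 6
"""


def _num(pattern, text, default=None):
    """First integer captured by pattern, or default when the line is absent."""
    m = re.search(pattern, text)
    return int(m.group(1)) if m else default


def parse_pstat(text):
    """Split the listing into blank-line separated blocks and pull out the counters."""
    out = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        head = block.splitlines()[0]
        if "(hmem)" in head or "(smem)" in head or "(kmem)" in head:
            key = head[head.index("(") + 1:head.index(")")]
            out[key] = {
                "used": _num(r"Total memory bytes used: (\d+)", block),
                "peak": _num(r"Total memory bytes used: \d+.*?peak: (\d+)", block),
                "limit": _num(r"Memory allocation limit: (\d+)", block),
                "failed_alloc": _num(r"(\d+) failed alloc", block, 0),
            }
        elif head.startswith("Connections:"):
            out["conns"] = {
                "concurrent": _num(r"(\d+) concurrent", block),
                "peak_concurrent": _num(r"(\d+) peak concurrent", block),
            }
        elif head.startswith("sync"):
            out["sync"] = {
                "out": "sync out: on" in block,
                "in": "sync in: on" in block,
                "sent": _num(r"sent:\s*total: (\d+)", block, 0),
                "retransmitted": _num(r"retransmitted: (\d+)", block, 0),
                "received": _num(r"received:\s*total (\d+)", block, 0),
                "queued": _num(r"(\d+) queued", block, 0),
                "dropped": _num(r"(\d+) dropped by net", block, 0),
            }
    return out


def findings(p, conn_limit=None, mem_warn=0.8, retrans_warn=0.01):
    """Warning strings derived from the parsed counters; an empty list means nothing to act on."""
    msgs = []
    for pool in ("hmem", "smem", "kmem"):
        s = p.get(pool)
        if not s:
            continue
        if s["failed_alloc"]:
            msgs.append("%s: %d failed allocations (halloc errors likely)" % (pool, s["failed_alloc"]))
        if s["limit"] and s["peak"] and s["peak"] >= mem_warn * s["limit"]:
            msgs.append("%s: peak %d bytes is over %d%% of the %d byte limit"
                        % (pool, s["peak"], mem_warn * 100, s["limit"]))
    c = p.get("conns")
    if c and conn_limit and c["peak_concurrent"] >= mem_warn * conn_limit:
        msgs.append("connections: peak concurrent %d approaches limit %d"
                    % (c["peak_concurrent"], conn_limit))
    sy = p.get("sync")
    if sy:
        if not (sy["in"] and sy["out"]):
            msgs.append("sync: state synchronization is not on in both directions")
        if sy["dropped"] or sy["queued"]:
            msgs.append("sync: %d dropped, %d queued inbound sync packets" % (sy["dropped"], sy["queued"]))
        if sy["sent"] and sy["retransmitted"] / sy["sent"] > retrans_warn:
            msgs.append("sync: %d of %d sync packets retransmitted" % (sy["retransmitted"], sy["sent"]))
    return msgs


if __name__ == "__main__":
    parsed = parse_pstat(PSTAT)
    for msg in findings(parsed, conn_limit=25000) or ["no problems found"]:
        print(msg)
```

Pass the limit read from fw tab -t connections as conn_limit so the peak concurrent figure is judged against the table size you actually configured under Capacity Optimization. Only hmem carries an explicit allocation limit in the listing, so the peak-versus-limit check applies to that pool; smem and kmem are checked for failed allocations alone.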
Many of these issues are based on the type of clustering solution you choose. In a nutshell, the pertinent points of each clustering solution are as follows:

■ ClusterXL in HA New mode: High availability with monitoring of system, cluster, and network state, integrated with FireWall-1. Unicast MAC addresses are used for the VIP address on each subnet. Can be fully managed from the SmartView Status GUI. The SmartCenter Server (management station) can be located on the secured network or elsewhere. Interfaces of the members in the cluster have real IP addresses as well as the VIP address.
■ ClusterXL in HA Legacy mode: High availability with monitoring of system, cluster, and network state, integrated with FireWall-1. Included for compatibility with older FireWall-1 versions, and limited by technology that leaves standby nodes unreachable except from the management network. Can be fully managed from the SmartView Status GUI, depending on failover conditions and the location of the GUI client on the network. Unicast MAC for the VIP address, which is shared across the cluster, as is the MAC address for a particular subnet. The SmartCenter Server must be located on the secured network and should have a second interface onto an Internet-routable IP address if managing other FireWall-1 enforcement points outside of the local network. Interfaces of the members in the legacy cluster do not have unique IP addresses or MAC addresses, apart from the secured network.
■ ClusterXL in Load-Sharing mode: Load sharing with monitoring of system, cluster, and network state, integrated with FireWall-1. Can be fully managed from the SmartView Status GUI. Multicast MAC address responses for an ARP of the VIP (which is not a multicast IP address). This means each member in the cluster has the same MAC and VIP across the cluster for a particular subnet. The SmartCenter Server can be located on the secured network or elsewhere. Interfaces of the members in the cluster have real IP addresses as well as the VIP address.
■ Nokia Load Sharing cluster: Load sharing with monitoring of system, cluster, and network state, with limited integration with FireWall-1. Can be partially managed by the SmartView Status GUI, but you must also use Voyager to find the status of the cluster. Multicast MAC address responses for an ARP of the VIP (which is not a multicast IP address). This means each member in the cluster has the same MAC and VIP across the cluster for a particular subnet. The SmartCenter Server can be located on the secured network or elsewhere. Interfaces of the members in the cluster have real IP addresses as well as the VIP address. The solution requires no license, since it is part of the IPSO operating system.
■ Nokia VRRP cluster: Simple configuration but limited management. No monitoring of system or cluster state other than network interfaces. Unicast shared MAC for the VIP address, which is shared across the cluster. The SmartCenter Server can be located on the secured network or elsewhere. Interfaces of the members in the cluster have real IP addresses as well as the VIP address. The solution requires no license, since it is part of the IPSO operating system.

After you initially configure the cluster, make sure that you have the clustering solution working as you would expect before configuring a complex firewall Rule Base. The key here is to keep testing the functions of the cluster failover after each significant change, to ensure that you have not done something to compromise the functionality of your cluster.
Once your cluster is configured and working and you have your security policy in place, take careful note of the configuration of your cluster and its members, and of the settings of all the networking equipment on the same subnet as the VIP addresses of the cluster. This includes settings on routers, switches, and hosts. Taking note of these settings will be very useful if you ever need to troubleshoot the cluster. The configuration of adjacent devices has a habit of changing without advance warning to the firewall administrator.

The final step is to tune your cluster. Go through the procedure of examining your connections table to determine which services are most common in it, and decide whether you need to synchronize each of those services across the cluster. Is the service very transient? If so, it is a good candidate for switching off state table synchronization. Can you reduce the TCP or UDP timeout for a particular service? Additionally, make sure you increase the number of connections that your cluster will be able to handle, and the kernel memory and hash allocation to go with it.

Solutions Fast Track

Designing Your Cluster
■ Consider carefully the two things that a cluster will give you: resilience and increased capacity. If you are going for resilience, this can determine the type [...]

[...] each member. Check correct operation using the VRRP Monitor. Test a policy install again. Configure NAT if required. Test cluster failover.

Clustering and HA Performance Tuning
■ Determine the services that are used through your cluster. Use firewall logs or the fw tab -t connections -f command. Make a decision [...]

[...] switching infrastructure. The reason for this is that Check Point cluster control and state sync traffic uses a fixed MAC address scheme that will result in duplicate MAC addresses on switch ports. Future releases of NG may resolve this issue; in the meantime, solutions should rely on changes [...]

Frequently Asked Questions
Q: When using Nokia VRRP or IPSO Clustering, why shouldn't I define the "Topology" in the FireWall-1 Gateway Cluster object?
A: The result of doing so is that connections originating from cluster members are hidden behind these cluster interfaces. When connecting from the standby member, [...]

Chapter 7 • SecurePlatform

Introduction
Check Point has produced an operating system for use on x86 hardware to run its products. This purpose-built operating system is specifically hardened for network security purposes and tuned to operate Check Point Next [...]

[...] click Finish, as shown in Figure 7.11, the system applies all the settings, sets up the firewall, and initializes the internal CA. It will also bring up the initial firewall policy. In most cases, this would lock you out of accessing the WebUI as well as ssh and ping. However, Check Point took this into account and allows you to connect to the system via https, ssh, and the Check Point SMART Clients from the GUI [...]

[...] here, we strongly suggest that you make interface and routing changes using one of the Check Point-provided methods (sysconfig or the WebUI) and not directly:

Choose eth0 item to configure:
1) Set interface network addresses
2) Add VLAN interface
4) Mark it as having dynamic IP address
[...]
eth0 ip: 192.168.0.3, broadcast: 192.168.0.255, netmask: 255.255.255.0
eth1 is not configured
eth2 is not configured

Configuring Routing
Once we have configured all our interfaces, we need to configure the routing. This is option 2 from the first menu:

Choose a routing configuration item:
1) Add new network route
2) Add new host route
4) Delete route
5) Show routing configuration
[...]

Time zone selection (only part of each menu is available here):
4) Arctic Ocean
5) Asia
6) Atlantic Ocean
7) Australia
8) Europe
9) Indian Ocean
10) Pacific Ocean
11) none - I want to specify the time zone using the Posix TZ format
12) cancel - I want to quit without changing the time zone
#? 2
Select a country
1) Anguilla
2) Antigua & Barbuda
3) Argentina
4) Aruba
6) Barbados
7) Belize
8) Bolivia
9) Brazil
10) Canada
11) Cayman Islands
12) Chile
13) Colombia
14) Costa Rica
18) Ecuador
19) El Salvador
20) French Guiana
21) Greenland
23) Guadeloupe
24) Guatemala
25) Guyana
26) Haiti
27) Honduras
28) Jamaica
29) Martinique
30) Mexico
31) Montserrat
35) Paraguay
36) Peru
37) Puerto Rico
38) St Kitts & Nevis
39) St Lucia
40) St Pierre & Miquelon
41) St Vincent
42) Suriname
43) Trinidad & Tobago
44) Turks & Caicos Is
45) United States
46) Uruguay
47) Venezuela
48) Virgin Islands
[...]
6) Eastern Standard Time - Indiana - Crawford County
7) Eastern Standard Time - Indiana - Starke County
8) Eastern Standard Time - Indiana - Switzerland County
9) Central Time
10) Central Time - Michigan - Wisconsin border
11) Mountain Time
12) Mountain Time - south Idaho & east Oregon
13) Mountain Time - Navajo
14) Mountain Standard [...]