[Unrestricted] For everyone ©2009 Check Point Software Technologies Ltd. All rights reserved.

Presentation transcript: "Performance scaling: ClusterXL, SecureXL and CoreXL configurations"

1 Performance scaling: ClusterXL, SecureXL and CoreXL configurations. J. Prokop, Check Point

2 Scaling software performance
Three products in the XL family:
- ClusterXL: joining appliances into clusters
  - ClusterXL LS for VPN-1 and Connectra
  - ClusterXL VSLS for VSX
  - Nokia IP Clustering, Crossbeam X80 etc.
- SecureXL (Accelerated Path)
  - Hardware: (Nokia) ADP
  - Software: Performance Pack (SecurePlatform, Crossbeam XOS); IPSO SecureXL implementation (fastpath, SecureXL)
- CoreXL: multi-core implementation of the Firewall Path / Medium Path

3 ClusterXL
Goals of clustering appliances:
- Increased reliability
- Increased performance

4 ClusterXL
Problems that clustering has to solve:
- Network (MAC and IP addresses)
- Synchronization (asymmetric packet routing, short-lived sessions, how sessions are shared between the nodes)

5 ClusterXL with a limited number of IP addresses

6 Accelerated Path (no template)
(Diagram: Performance Pack / Secure Dispatcher on Core #0 (eth0) and Core #1 (eth1); firewall instances on Core #4 and the remaining cores, each with a Medium Path, an FW Path and a Queue. Without a template the SYN of a new connection is handled separately from the later C2S packets; the SYN-ACK plus subsequent S2C packets and the subsequent C2S packets are the two accelerated flows.)

7 Accelerated Path (with template)
(Diagram: same layout as slide 6. With a template the SYN plus subsequent C2S packets, and the SYN-ACK plus subsequent S2C packets, both stay on the accelerated path.)

8 Medium Path: IPS traffic
(Diagram: same layout as slide 6. The SYN plus subsequent C2S packets and the SYN-ACK plus subsequent S2C packets are passed through the Medium Path of the firewall instances.)

9 Monitoring CoreXL
The hash function that distributes sessions between instances (cores) uses:
- Source IP address
- Destination IP address
- Destination TCP/UDP port
- IP protocol number
VoIP and IPsec: always on instance 0!
The source port is not part of the hash: a conservative function that spreads sessions poorly. If a group of clients sits behind a NAT and they all talk to a single server, they will all be processed on the same core.
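The NAT effect described on slide 9 is easy to reproduce. The script below is an added example, not Check Point code: the real CoreXL hash function is not on the slide, so SHA-256 of the tuple stands in for it, and only the hashed fields (source IP, destination IP, destination port, protocol) are taken from the slide. The "instance 0" rule for IPsec and VoIP is an assumption about how that traffic is recognised (ESP/AH, IKE on UDP 500/4500, SIP on port 5060). It also goes beyond the slide by showing, for contrast, what the spread would look like if the source port were hashed as well.

```python
"""Simulate how the CoreXL session-distribution hash spreads connections
over firewall instances.  Added example; SHA-256 stands in for the real
(undocumented here) hash, and all flows are constructed."""
import hashlib
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port proto")

TCP, UDP, ESP, AH = 6, 17, 50, 51


def pinned_to_instance0(f):
    """ASSUMED recognition rule for 'VoIP and IPsec always on instance 0':
    IPsec = ESP/AH or IKE (UDP 500/4500), VoIP = SIP (port 5060)."""
    if f.proto in (ESP, AH):
        return True
    if f.proto == UDP and f.dst_port in (500, 4500):
        return True
    return f.dst_port == 5060 and f.proto in (TCP, UDP)


def corexl_instance(f, n_instances, use_src_port=False):
    """Instance number for a flow.  The key holds exactly the four fields
    listed on the slide; use_src_port=True is NOT what CoreXL does and is
    only there to show the contrast."""
    if pinned_to_instance0(f):
        return 0
    key = f"{f.src_ip}|{f.dst_ip}|{f.dst_port}|{f.proto}"
    if use_src_port:
        key += f"|{f.src_port}"
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_instances


def distribution(flows, n_instances, use_src_port=False):
    """Counter: instance -> number of flows landing on it."""
    return Counter(corexl_instance(f, n_instances, use_src_port) for f in flows)


def nat_clients_to_one_server(n_clients, nat_ip="203.0.113.10", server="198.51.100.20"):
    """Constructed scenario: n clients behind one NAT address, each with its
    own source port, all connecting to one HTTPS server."""
    return [Flow(nat_ip, 40000 + i, server, 443, TCP) for i in range(n_clients)]


def distinct_clients_to_one_server(n_clients, server="198.51.100.20"):
    """Constructed scenario: n clients with distinct addresses, same server."""
    return [Flow(f"10.1.{i >> 8}.{i & 255}", 40000 + i, server, 443, TCP)
            for i in range(n_clients)]


if __name__ == "__main__":
    # Six instances, as in the fwpprof table later in the deck (fw_0..fw_5).
    for label, flows, with_port in [
        ("2000 NATed clients -> one server", nat_clients_to_one_server(2000), False),
        ("2000 distinct clients -> one server", distinct_clients_to_one_server(2000), False),
        ("NATed clients, if the source port were hashed", nat_clients_to_one_server(2000), True),
    ]:
        print(label, dict(sorted(distribution(flows, 6, with_port).items())))
```

The first line of output has all 2000 sessions on a single instance, the second spreads them over all six; the third shows that the collapse is a direct consequence of leaving the source port out of the key, which is why a gateway in front of a large NATed population should be sized with that single hot core in mind.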

10 Monitoring packet paths: accelerated / firewall / medium
# fwaccel stat
  SXL on/off; templates enabled? disabled after rule # X?
# fwaccel stats
  Firewall path: F2F; Accelerated path: accel; Medium path: PXL (* only from version R70 *)
# fwaccel conns
  C2S, S2C: client2server, server2client; flag F: firewall, connection not accelerated
# fwaccel templates

11 # fwaccel stats (annotated on the slide: FW path, i.e. the F2F counters)
fwaccel stats
Name                   Value
conns created          7136
conns deleted          5969
temporary conns        0
templates              10
nat conns              0
accel packets
accel bytes
F2F packets
ESP enc pkts           0
ESP enc err            0
ESP dec pkts           0
ESP dec err            0
ESP other err          0
espudp enc pkts        0
espudp enc err         0
espudp dec pkts        0
espudp dec err         0
espudp other err       0
AH enc pkts            0
AH enc err             0
AH dec pkts            0
AH dec err             0
AH other err           0
memory used            0
free memory            0
acct update interval   3600
current total conns    22
TCP violations         8
conns from templates
TCP conns              12
delayed TCP conns      0
non TCP conns          10
delayed nonTCP conns   0
F2F conns              2
F2F bytes
crypt conns            0
enc bytes              0
dec bytes              0
partial conns          0
anticipated conns      0
dropped packets
dropped bytes
nat templates          0
port alloc templates   0
conns from nat tmpl    0
port alloc conns       0
port alloc f2f         0
PXL templates          5
PXL conns              5
PXL packets            126
PXL bytes
PXL async packets      126

12 # fwaccel stats: the same output as on slide 11, annotated: Accelerated path (SecureXL), i.e. the accel counters.

13 # fwaccel stats: the same output as on slide 11, annotated: Medium path (IPS), i.e. the PXL counters. The Medium Path appears in R70 to serve the new IPS (these statistics do not exist in R65).
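To turn the `fwaccel stats` counters of slides 10 to 13 into the path split an operator actually wants to see, here is an added example (not a Check Point tool) that parses the command's text output and reports the share of packets on the accelerated, firewall (F2F) and medium (PXL) paths, together with the checks one would do next. The sample output is constructed after slide 11: the counter names are the slide's, the packet and byte figures are made up, and the 10% F2F threshold is an arbitrary choice for the example.

```python
"""Parse `fwaccel stats` text output and summarise how traffic is split
between the SecureXL accelerated path, the firewall path (F2F) and the
medium path (PXL).  Added example; SAMPLE is constructed, not a capture."""
import re

# Constructed sample modelled on slide 11.  Counter names are the ones that
# appear on the slide; the packet/byte values are invented for this example.
SAMPLE = """\
Name                       Value
conns created              7136
conns deleted              5969
temporary conns            0
templates                  10
nat conns                  0
accel packets              1452330
accel bytes                982541020
F2F packets                48121
acct update interval       3600
current total conns        22
TCP violations             8
conns from templates       6010
TCP conns                  12
delayed TCP conns          0
non TCP conns              10
F2F conns                  2
F2F bytes                  5311209
dropped packets            317
dropped bytes              41210
PXL templates              5
PXL conns                  5
PXL packets                126
PXL bytes                  16788
PXL async packets          126
"""

# A counter line is "<multi-word name> <integer>"; the column header, the
# echoed command and blank lines do not match and are skipped.
_LINE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9 _]*?)\s+(?P<value>\d+)\s*$")


def parse_fwaccel_stats(text):
    """Return {counter name: int}."""
    stats = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            stats[m.group("name")] = int(m.group("value"))
    return stats


def path_shares(stats):
    """Share of packets on each path (slide 10: accel = accelerated path,
    F2F = firewall path, PXL = medium path, the latter only from R70)."""
    paths = {
        "accelerated": stats.get("accel packets", 0),
        "firewall (F2F)": stats.get("F2F packets", 0),
        "medium (PXL)": stats.get("PXL packets", 0),
    }
    total = sum(paths.values())
    return {k: (v / total if total else 0.0) for k, v in paths.items()}


def check_acceleration(stats, max_f2f_share=0.10):
    """Return a list of human-readable warnings an operator should follow up."""
    warnings = []
    shares = path_shares(stats)
    if "PXL packets" not in stats:
        warnings.append("no PXL counters: pre-R70 gateway, the medium path does not exist here")
    if stats.get("templates", 0) == 0:
        warnings.append("templates 0: connection templates are off, check 'fwaccel stat' "
                        "for the rule after which they are disabled")
    if shares["firewall (F2F)"] > max_f2f_share:
        warnings.append(f"F2F share {shares['firewall (F2F)']:.1%} exceeds "
                        f"{max_f2f_share:.0%}: list connections flagged F in 'fwaccel conns'")
    if stats.get("dropped packets", 0):
        warnings.append(f"{stats['dropped packets']} packets dropped by SecureXL")
    return warnings


if __name__ == "__main__":
    s = parse_fwaccel_stats(SAMPLE)
    for path, share in path_shares(s).items():
        print(f"{path:16s} {share:6.1%}")
    for w in check_acceleration(s):
        print("WARNING:", w)
```

On a gateway the same code reads `fwaccel stats` piped in on stdin; the useful signal is the F2F share over time, since a rising firewall-path share after a policy change usually means a new rule stopped templates from being created (which `fwaccel stat` reports as the rule number they are disabled after).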

14 Configuring CoreXL/SecureXL: cpconfig
[CP-R70]# cpconfig
This program will let you re-configure your Check Point products configuration.
Configuration Options:
(1) Licenses and contracts
(2) Administrator
(3) GUI Clients
(4) SNMP Extension
(5) PKCS#11 Token
(6) Random Pool
(7) Certificate Authority
(8) Certificate's Fingerprint
(9) Disable Advanced Routing
(10) Disable Check Point SecureXL
(11) Configure Check Point CoreXL
(12) Automatic start of Check Point Products
(13) Exit
Enter your choice (1-13) :

15 Monitoring the multi-core configuration with top

16 Which cores handle the network interfaces (affinity)?
Network-interface affinity is divided among the CPUs on which the SND (Secure Network Dispatcher) runs.

17 fwpprof: analysis
# ./fwpprof
Data collection stopped after 0 minutes and 53 seconds.
Analyzing results...
Performance Statistics:
CPU  Component  Average load  Maximal load
0    N/A        17%           20%
1    N/A        0%            2%
2    fw_5       21%           24%
3    fw_4       22%           25%
4    fw_3       22%           24%
5    fw_2       0%            2%
6    fw_1       8%            9%
7    fw_0       15%           17%
Current core optimization grade: 62%

18 fwpprof: configuration recommendations
Recommended configuration:
CPU  Component
0    Network
     |-Sync
     |-Mgmt
     |-Lan
     |-Lan8
1    fw_6
2    fw_5
3    fw_4
4    fw_3
5    fw_2
6    fw_1
7    fw_0
VPN and VoIP traffic percentage 0%
Expected optimization grade following recommended changes: 68%
Summary of recommendations:
1. Increase number of active instances from 6 to 7
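The affinity question of slide 16 can be answered on the SecurePlatform Linux host itself: /proc/interrupts shows which CPU is servicing each NIC's interrupts, and the fwpprof table of slide 17 says which CPUs run firewall instances. The script below, an added example and not a Check Point tool, joins the two and lists interfaces whose interrupts land on a core that also runs a firewall instance, which is the situation the recommended layout on slide 18 removes by keeping all interfaces on CPU 0. The /proc/interrupts excerpt and the CPU-to-component map are constructed for the example; "N/A" is taken to mean a core with no instance, i.e. one left to the SND, and NIC devices are assumed to be named ethN.

```python
"""Cross-check NIC interrupt placement (/proc/interrupts) against the
CPU -> component map that fwpprof prints.  Added example; both inputs
below are constructed."""

# Constructed /proc/interrupts excerpt for an 8-core box.  eth0/eth1 are
# serviced by CPU0/CPU1 (the SND cores); eth3 is deliberately placed on
# CPU3, which the fwpprof table shows running instance fw_4.
PROC_INTERRUPTS = """\
           CPU0       CPU1       CPU2       CPU3       CPU4       CPU5       CPU6       CPU7
  16:    9812345          0          0          0          0          0          0          0   IO-APIC-fasteoi   eth0
  17:          0    8123456          0          0          0          0          0          0   IO-APIC-fasteoi   eth1
  18:      10221          0          0          0          0          0          0          0   IO-APIC-fasteoi   eth2
  19:          0          0          0    6543210          0          0          0          0   IO-APIC-fasteoi   eth3
NMI:          0          0          0          0          0          0          0          0   Non-maskable interrupts
LOC:    1000000    1000000    1000000    1000000    1000000    1000000    1000000    1000000   Local timer interrupts
"""

# CPU -> component, copied from the fwpprof table on slide 17.  "N/A" is
# assumed to mean: no firewall instance on this core, it belongs to the SND.
CPU_COMPONENT = {0: "N/A", 1: "N/A", 2: "fw_5", 3: "fw_4",
                 4: "fw_3", 5: "fw_2", 6: "fw_1", 7: "fw_0"}


def parse_proc_interrupts(text):
    """Return {device: [interrupt count per CPU]} for numbered IRQ lines.
    The first line names the CPUs; NMI:/LOC: and similar lines are skipped."""
    lines = text.splitlines()
    ncpu = len(lines[0].split())
    per_dev = {}
    for line in lines[1:]:
        parts = line.split()
        if not parts or not parts[0].rstrip(":").isdigit():
            continue
        counts = [int(x) for x in parts[1:1 + ncpu]]
        per_dev[parts[-1]] = counts          # last column is the device name
    return per_dev


def busiest_cpu(counts):
    """CPU index that has taken the most interrupts for this device."""
    return max(range(len(counts)), key=lambda i: counts[i])


def affinity_report(text, cpu_component):
    """{iface: (cpu, component on that cpu, True if it is an SND core)}.
    Assumption: NICs are the devices named ethN."""
    report = {}
    for dev, counts in parse_proc_interrupts(text).items():
        if not dev.startswith("eth"):
            continue
        cpu = busiest_cpu(counts)
        comp = cpu_component.get(cpu, "?")
        report[dev] = (cpu, comp, comp == "N/A")
    return report


def misplaced_interfaces(text, cpu_component):
    """Interfaces whose interrupts are serviced by a core running fw_N."""
    return sorted(dev for dev, (_, _, ok) in affinity_report(text, cpu_component).items()
                  if not ok)


if __name__ == "__main__":
    for dev, (cpu, comp, ok) in sorted(affinity_report(PROC_INTERRUPTS, CPU_COMPONENT).items()):
        print(f"{dev}: CPU{cpu} ({comp}) {'ok' if ok else 'SHARES A CORE WITH A FIREWALL INSTANCE'}")
    print("misplaced:", misplaced_interfaces(PROC_INTERRUPTS, CPU_COMPONENT))
```

On a gateway, `fw ctl affinity -l` shows Check Point's own view of the same assignment; reading /proc/interrupts in addition confirms where the interrupts actually arrive, which is what matters for the SND cores.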

19 Summary and interesting performance topics
CoreXL is part of every multi-core installation (it needs no additional license).
CoreXL:
- R65: interrupts (SPLAT kernel 2.4 / 2.6)
- R70: interrupts, configurable number of instances, fwpprof, the ability to exclude (ignore) processors

20 Thank you for your attention!
