Presentation is loading. Please wait.

Presentation is loading. Please wait.

Skalowanie wydajności, konfiguracje ClusterXL, SecureXL i CoreXL

Published bySydney Coyle Modified over 10 years ago

Similar presentations

Presentation on theme: "Skalowanie wydajności, konfiguracje ClusterXL, SecureXL i CoreXL"— Presentation transcript:

1 Skalowanie wydajności, konfiguracje ClusterXL, SecureXL i CoreXL
J. Prokop Check Point

2 Skalowanie wydajności oprogramowania
Trzy produkty kategorii „XL”: ClusterXL: łączenie urządzeń w klastry ClusterXL LS for VPN-1 and Connectra ClusterXL VSLS for VSX VSLS Nokia IP Clustering, Crossbeam X80 itp SecureXL (Accelerated Path) Hardware: (Nokia) ADP Software: Performance Pack (SecurePlatform, Crossbeam XOS) IPSO SecureXL implementation („fastpath”, SecureXL) CoreXL: wielordzeniowa implementacja Firewall Path / Middle Path

3 Cluster XL Cele klastrowania urzadzeń: Zwiększenie niezawodności
Zwiększenie wydajności

4 Cluster XL Problemy rozwiązywane przy klastrowaniu:
Sieć (adresy MAC, IP) Synchronizacja (asynchroniczny routing pakietów, krótkotrwałe sesje, sposoby dzielenia sesji między węzłami)

5 Cluster XL z ograniczoną liczbą adresów IP

6 Accelerated Path (brak „wzorca” – template)
Core #... Medium Path FW Queue Core #4 Medium Path FW Queue Core #... Medium Path FW Queue Core #0 Core #1 Secure Dispatcher Secure Dispatcher Performance Pack Performance Pack eth0 eth1 Syn SynAck + subsequent S2C packets Subsequent C2S packets

7 Accelerated Path (ze „wzorcem” – template)
Core #... Medium Path FW Queue Core #4 Medium Path FW Queue Core #... Medium Path FW Queue Core #0 Core #1 Secure Dispatcher Secure Dispatcher Performance Pack Performance Pack eth0 eth1 Syn + subsequent C2S packets SynAck + subsequent S2C packets

8 Medium Path – IPS Traffic
Core #... Medium Path FW Queue Core #4 Medium Path FW Queue Core #... Medium Path FW Queue Core #0 Core #1 Secure Dispatcher Secure Dispatcher Performance Pack Performance Pack eth0 eth1 Syn + subsequent C2S packets SynAck + subsequent S2C packets

9 Monitorowanie CoreXL Funkcja hash rozdzielająca sesje pomiędzy instancjami (rdzeniami): Source IP address Destination IP address Destination TCP/UDP port IP protocol number VoIP i IPSec : zawsze na instancji „0” ! Nie ma tu portu źródłowego: konserwatywna, słabo rozrzucająca funkcja Jeżeli grupa klientów pracuje za translatorem adresów na pojedynczym serwerze to wszyscy będą przetwarzani na tym samym rdzeniu.

10 Monitorowanie ścieżek pakietów: accelerated / firewall / medium
# fwaccel stat SXL on/off Templates enabled? Disabled after rule # X ? # fwaccel stats Firewall path: F2F Accelerated path: accel Medium path: PXL (* dopiero od wersji R70 *) # fwaccel conns C2S, S2C: client2server, server2client flaga „F” : firewall, connection not accelerated # fwaccel templates

11 # fwaccel stats FW path [Expert@cpmodule]# fwaccel stats
Name Value Name Value conns created conns deleted temporary conns templates nat conns accel packets accel bytes F2F packets ESP enc pkts ESP enc err ESP dec pkts ESP dec err ESP other err espudp enc pkts espudp enc err espudp dec pkts espudp dec err espudp other err AH enc pkts AH enc err AH dec pkts AH dec err AH other err memory used free memory acct update interval current total conns TCP violations conns from templates TCP conns delayed TCP conns non TCP conns delayed nonTCP conns F2F conns F2F bytes crypt conns enc bytes dec bytes partial conns anticipated conns dropped packets dropped bytes nat templates port alloc templates conns from nat tmpl port alloc conns port alloc f2f PXL templates PXL conns PXL packets PXL bytes PXL async packets FW path

12 # fwaccel stats Accelerated path (SecureXL)
fwaccel stats Name Value Name Value conns created conns deleted temporary conns templates nat conns accel packets accel bytes F2F packets ESP enc pkts ESP enc err ESP dec pkts ESP dec err ESP other err espudp enc pkts espudp enc err espudp dec pkts espudp dec err espudp other err AH enc pkts AH enc err AH dec pkts AH dec err AH other err memory used free memory acct update interval current total conns TCP violations conns from templates TCP conns delayed TCP conns non TCP conns delayed nonTCP conns F2F conns F2F bytes crypt conns enc bytes dec bytes partial conns anticipated conns dropped packets dropped bytes nat templates port alloc templates conns from nat tmpl port alloc conns port alloc f2f PXL templates PXL conns PXL packets PXL bytes PXL async packets Accelerated path (SecureXL)

13 # fwaccel stats Medium path (IPS) Middle Path pojawia się
fwaccel stats Name Value Name Value conns created conns deleted temporary conns templates nat conns accel packets accel bytes F2F packets ESP enc pkts ESP enc err ESP dec pkts ESP dec err ESP other err espudp enc pkts espudp enc err espudp dec pkts espudp dec err espudp other err AH enc pkts AH enc err AH dec pkts AH dec err AH other err memory used free memory acct update interval current total conns TCP violations conns from templates TCP conns delayed TCP conns non TCP conns delayed nonTCP conns F2F conns F2F bytes crypt conns enc bytes dec bytes partial conns anticipated conns dropped packets dropped bytes nat templates port alloc templates conns from nat tmpl port alloc conns port alloc f2f PXL templates PXL conns PXL packets PXL bytes PXL async packets Middle Path pojawia się w R70 do obsługi nowego IPS (nie ma tych statystyk w R65) Medium path (IPS)

14 Konfiguracja CoreXL/SecureXL: cpconfig
[CP-R70]# cpconfig This program will let you re-configure your Check Point products configuration. Configuration Options: (1) Licenses and contracts (2) Administrator (3) GUI Clients (4) SNMP Extension (5) PKCS#11 Token (6) Random Pool (7) Certificate Authority (8) Certificate's Fingerprint (9) Disable Advanced Routing (10) Disable Check Point SecureXL (11) Configure Check Point CoreXL (12) Automatic start of Check Point Products (13) Exit Enter your choice (1-13) :

15 Monitorowanie konfiguracji wielordzeniowej za pomocą ” top ”

16 Które rdzenie obsługują interfejsy sieciowe (affinity) ?
Affinity interfejsów sieciowych jest podzielone pomiędzy CPU na których działa SND (Secure Network Dispatcher)

17 „ fwpprof ” : analiza # ./fwpprof
Data collection stopped after 0 minutes and 53 seconds. Analyzing results... Performance Statistics: CPU Component Average load Maximal load 0 N/A % % 1 N/A % % 2 fw_ % % 3 fw_ % % 4 fw_ % % 5 fw_ % % 6 fw_ % % 7 fw_ % % Current core optimization grade: 62%

18 „ fwpprof ” : zalecenia konfiguracyjne
Recommended configuration: CPU Component 0 Network |-Sync ...... |-Mgmt |-Lan1 |-Lan8 1 fw_6 2 fw_5 3 fw_4 4 fw_3 5 fw_2 6 fw_1 7 fw_0 VPN and VoIP traffic percentage 0% Expected optimization grade following recommended changes: 68% Summary of recommendations: 1. Increase number of active instances from 6 to 7

19 Podsumowanie i tematy ciekawych rozważań związanych z wydajnością
CoreXL jest częścią każdej instalacji wielordzeniowej (nie wymaga dodatkowej licencji). CoreXL: R65: przerwania (SPLAT kernel 2.4 / 2.6) R70: przerwania, konfigurowalna liczba instancji, fwpprof, możliwość ignorowania procesorów

20 Dziękuję za uwagę!

Download ppt "Skalowanie wydajności, konfiguracje ClusterXL, SecureXL i CoreXL"

Similar presentations

TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST

TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST
You have been given a mission and a code. Use the code to complete the mission and you will save the world from obliteration…

You have been given a mission and a code. Use the code to complete the mission and you will save the world from obliteration…
Software Version: DSS ver up01

Software Version: DSS ver up01
Advanced Piloting Cruise Plot.

Advanced Piloting Cruise Plot.
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 5 Author: Julia Richards and R. Scott Hawley.

Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 5 Author: Julia Richards and R. Scott Hawley.
1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.

1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.
By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.

By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.
Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
A New Method for Symmetric NAT Traversal in UDP and TCP

A New Method for Symmetric NAT Traversal in UDP and TCP
UNITED NATIONS Shipment Details Report – January 2006.

UNITED NATIONS Shipment Details Report – January 2006.
Business Transaction Management Software for Application Coordination 1 www.choreology.com Business Processes and Coordination.

Business Transaction Management Software for Application Coordination 1 Business Processes and Coordination.
Improvement of TCP Packet Reassembly in Libnids

Improvement of TCP Packet Reassembly in Libnids
15.082 and 6.855J Cycle Canceling Algorithm. 2 A minimum cost flow problem 1 24 35 10, $4 20, $1 20, $2 25, $2 25, $5 20, $6 30, $7 25 0 0 0-25.

and 6.855J Cycle Canceling Algorithm. 2 A minimum cost flow problem , $4 20, $1 20, $2 25, $2 25, $5 20, $6 30, $
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Title Subtitle.

Title Subtitle.
Determine Eligibility Chapter 4. Determine Eligibility 4-2 Objectives Search for Customer on database Enter application signed date and eligibility determination.

Determine Eligibility Chapter 4. Determine Eligibility 4-2 Objectives Search for Customer on database Enter application signed date and eligibility determination.
My Alphabet Book abcdefghijklm nopqrstuvwxyz.

My Alphabet Book abcdefghijklm nopqrstuvwxyz.
Multiplying binomials You will have 20 seconds to answer each of the following multiplication problems. If you get hung up, go to the next problem when.

Multiplying binomials You will have 20 seconds to answer each of the following multiplication problems. If you get hung up, go to the next problem when.
0 - 0.

0 - 0.

Similar presentations

Ads by Google