Skalowanie wydajności konfiguracje Cluster XL Secure XL i

Skalowanie wydajności, konfiguracje Cluster. XL, Secure. XL i Core. XL J. Prokop Check Point © 2009 Check Point Software Technologies Ltd. All rights reserved. [Unrestricted]—For everyone

Skalowanie wydajności oprogramowania Trzy produkty kategorii „XL”: § Cluster. XL: łączenie urządzeń w klastry – Cluster. XL LS for VPN-1 and Connectra – Cluster. XL VSLS for VSX VSLS – Nokia IP Clustering, Crossbeam X 80 itp § Secure. XL (Accelerated Path) – Hardware: (Nokia) ADP – Software: » Performance Pack (Secure. Platform, Crossbeam XOS) » IPSO Secure. XL implementation („fastpath”, Secure. XL) § Core. XL: wielordzeniowa implementacja Firewall Path / Middle Path © 2009 Check Point Software Technologies Ltd. All rights reserved. [Unrestricted]—For everyone 2

Cluster XL Cele klastrowania urzadzeń: § Zwiększenie niezawodności § Zwiększenie wydajności © 2009 Check Point Software Technologies Ltd. All rights reserved. [Unrestricted]—For everyone 3

Cluster XL Problemy rozwiązywane przy klastrowaniu: - Sieć (adresy MAC, IP) - Synchronizacja (asynchroniczny routing pakietów, krótkotrwałe sesje, sposoby dzielenia sesji między węzłami) [Unrestricted]—For everyone © 2009 Check Point Software Technologies Ltd. All rights reserved. 4

Cluster XL z ograniczoną liczbą adresów IP © 2009 Check Point Software Technologies Ltd. All rights reserved. [Unrestricted]—For everyone 5

Accelerated Path (brak „wzorca” – template) Core #. . . FW Path Core #4 Medium Path FW Path Queue Core #. . . Medium Path FW Path Queue Medium Path Queue Core #0 Core #1 Secure Dispatcher Performance Pack eth 0 eth 1 Syn. Ack + subsequent S 2 C packets Subsequent C 2 S packets © 2009 Check Point Software Technologies Ltd. All rights reserved. [Unrestricted]—For everyone 6

Accelerated Path (ze „wzorcem” – template) Core #. . . FW Path Core #4 Medium Path FW Path Queue Core #. . . Medium Path FW Path Queue Medium Path Queue Core #0 Core #1 Secure Dispatcher Performance Pack eth 0 eth 1 Syn + subsequent C 2 S packets Syn. Ack + subsequent S 2 C packets © 2009 Check Point Software Technologies Ltd. All rights reserved. [Unrestricted]—For everyone 7

Medium Path – IPS Traffic Core #. . . FW Path Core #4 Medium Path FW Path Queue Core #. . . Medium Path FW Path Queue Medium Path Queue Core #0 Core #1 Secure Dispatcher Performance Pack eth 0 eth 1 Syn + subsequent C 2 S packets Syn. Ack + subsequent S 2 C packets © 2009 Check Point Software Technologies Ltd. All rights reserved. [Unrestricted]—For everyone 8

Monitorowanie Core. XL Funkcja hash rozdzielająca sesje pomiędzy instancjami (rdzeniami): § § Source IP address Destination TCP/UDP port IP protocol number Vo. IP i IPSec : zawsze na instancji „ 0” ! © 2009 Check Point Software Technologies Ltd. All rights reserved. Nie ma tu portu źródłowego: • konserwatywna, słabo rozrzucająca funkcja Jeżeli grupa klientów pracuje za translatorem adresów na pojedynczym serwerze to wszyscy będą przetwarzani na tym samym rdzeniu. [Unrestricted]—For everyone 9

Monitorowanie ścieżek pakietów: accelerated / firewall / medium # fwaccel stat SXL on/off Templates enabled? Disabled after rule # X ? # fwaccel stats Firewall path: F 2 F Accelerated path: accel Medium path: PXL (* dopiero od wersji R 70 *) # fwaccel conns C 2 S, S 2 C: client 2 server, server 2 client flaga „F” : firewall, connection not accelerated # fwaccel templates © 2009 Check Point Software Technologies Ltd. All rights reserved. [Unrestricted]—For everyone 10

# fwaccel stats [Expert@cpmodule]# fwaccel stats Name Value ----------conns created 7136 temporary conns 0 nat conns 0 accel bytes 7559714608 ESP enc pkts 0 ESP dec pkts 0 ESP other err 0 espudp enc err 0 espudp dec err 0 AH enc pkts 0 AH dec pkts 0 AH other err 0 free memory 0 current total conns 22 conns from templates 3999624 delayed TCP conns 0 delayed non. TCP conns 0 F 2 F bytes 493868773 enc bytes 0 partial conns 0 dropped packets 1498945 nat templates 0 conns from nat tmpl 0 port alloc f 2 f 0 PXL conns 5 PXL bytes 34254 © 2009 Check Point Software Technologies Ltd. All rights reserved. Name ----------conns deleted templates accel packets F 2 F packets ESP enc err ESP dec err espudp enc pkts espudp dec pkts espudp other err FWenc err AH path AH dec err memory used acct update interval TCP violations TCP conns non TCP conns F 2 F conns crypt conns dec bytes anticipated conns dropped bytes port alloc templates port alloc conns PXL templates PXL packets PXL async packets Value -------5969 10 32044625 7319991 0 0 0 0 3600 8 12 10 2 0 0 0 143185454 0 0 5 126 [Unrestricted]—For everyone 11

# fwaccel stats [Expert@cpmodule]# fwaccel stats Name Value Name ---------------------------conns created 7136 conns deleted temporary conns 0 templates nat conns 0 accel packets accel bytes 7559714608 F 2 F packets ESP enc pkts 0 ESP enc err ESP dec pkts 0 ESP dec err ESP other err 0 espudp enc pkts espudp enc err 0 espudp dec Accelerated path pkts espudp dec err 0 espudp other err AH enc pkts 0 AH enc (Secure. XL) err AH dec pkts 0 AH dec err AH other err 0 memory used free memory 0 acct update interval current total conns 22 TCP violations conns from templates 3999624 TCP conns delayed TCP conns 0 non TCP conns delayed non. TCP conns 0 F 2 F conns F 2 F bytes 493868773 crypt conns enc bytes 0 dec bytes partial conns 0 anticipated conns dropped packets 1498945 dropped bytes nat templates 0 port alloc templates conns from nat tmpl 0 port alloc conns port alloc f 2 f 0 PXL templates PXL conns 5 PXL packets PXL bytes 34254 PXL async packets © 2009 Check Point Software Technologies Ltd. All rights reserved. Value -------5969 10 32044625 7319991 0 0 0 0 3600 8 12 10 2 0 0 0 143185454 0 0 5 126 [Unrestricted]—For everyone 12

# fwaccel stats [Expert@cpmodule]# fwaccel stats Name Value ----------conns created 7136 temporary conns 0 nat conns 0 accel bytes 7559714608 ESP enc pkts 0 ESP dec pkts 0 ESP other err 0 espudp enc err 0 espudp dec err 0 AH enc pkts 0 AH dec pkts 0 AH other err 0 free memory 0 current total conns 22 conns from templates 3999624 delayed TCP conns 0 delayed non. TCP conns 0 Medium path F 2 F bytes 493868773 (IPS) enc bytes 0 partial conns 0 dropped packets 1498945 nat templates 0 conns from nat tmpl 0 port alloc f 2 f 0 PXL conns 5 PXL bytes 34254 © 2009 Check Point Software Technologies Ltd. All rights reserved. Name ----------conns deleted templates accel packets F 2 F packets ESP enc err ESP dec err espudp enc pkts espudp dec pkts espudp other err AH enc err AH dec err memory used acct update interval TCP violations TCP conns non TCP conns F 2 F conns crypt conns dec bytes anticipated conns dropped bytes port alloc templates port alloc conns PXL templates PXL packets PXL async packets Value -------5969 10 32044625 7319991 0 0 0 0 Middle Path pojawia się 0 w R 70 do obsługi nowego 3600 8 IPS (nie ma tych statystyk 12 R 65) 10 2 0 0 0 143185454 0 0 5 126 w [Unrestricted]—For everyone 13

Konfiguracja Core. XL/Secure. XL: cpconfig [CP-R 70]# cpconfig This program will let you re-configure your Check Point products configuration. Configuration Options: -----------(1) Licenses and contracts (2) Administrator (3) GUI Clients (4) SNMP Extension (5) PKCS#11 Token (6) Random Pool (7) Certificate Authority (8) Certificate's Fingerprint (9) Disable Advanced Routing (10) Disable Check Point Secure. XL (11) Configure Check Point Core. XL (12) Automatic start of Check Point Products (13) Exit Enter your choice (1 -13) : © 2009 Check Point Software Technologies Ltd. All rights reserved. [Unrestricted]—For everyone 14

Monitorowanie konfiguracji wielordzeniowej za pomocą ” top ” © 2009 Check Point Software Technologies Ltd. All rights reserved. [Unrestricted]—For everyone 15

Które rdzenie obsługują interfejsy sieciowe (affinity) ? Affinity interfejsów sieciowych jest podzielone pomiędzy CPU na których działa SND (Secure Network Dispatcher) © 2009 Check Point Software Technologies Ltd. All rights reserved. [Unrestricted]—For everyone 16

„ fwpprof ” : analiza #. /fwpprof Data collection stopped after 0 minutes and 53 seconds. Analyzing results. . . Performance Statistics: --------------------------------CPU Component Average load Maximal load --------------------------------0 N/A 17% 20% 1 N/A 0% 2% 2 fw_5 21% 24% 3 fw_4 22% 25% 4 fw_3 22% 24% 5 fw_2 0% 2% 6 fw_1 8% 9% 7 fw_0 15% 17% --------------------------------Current core optimization grade: 62% © 2009 Check Point Software Technologies Ltd. All rights reserved. [Unrestricted]—For everyone 17

„ fwpprof ” : zalecenia konfiguracyjne Recommended configuration: ---------------------------CPU Component ---------------------------0 Network |-Sync. . . |-Mgmt |-Lan 1. . . . |-Lan 8 1 fw_6 2 fw_5 3 fw_4 4 fw_3 5 fw_2 6 fw_1 7 fw_0 ---------------------------VPN and Vo. IP traffic percentage 0% ---------------------------Expected optimization grade following recommended changes: 68% Summary of recommendations: 1. Increase number of active instances from 6 to 7 © 2009 Check Point Software Technologies Ltd. All rights reserved. [Unrestricted]—For everyone 18

Podsumowanie i tematy ciekawych rozważań związanych z wydajnością Core. XL jest częścią każdej instalacji wielordzeniowej (nie wymaga dodatkowej licencji). Core. XL: – R 65: przerwania (SPLAT kernel 2. 4 / 2. 6) – R 70: przerwania, konfigurowalna liczba instancji, fwpprof, możliwość ignorowania procesorów © 2009 Check Point Software Technologies Ltd. All rights reserved. [Unrestricted]—For everyone 19

Dziękuję za uwagę! © 2009 Check Point Software Technologies Ltd. All rights reserved. [Unrestricted]—For everyone 20