
Throughput on firewall

Anonymous
June 7, 2004 2:40:37 PM

Archived from groups: comp.security.firewalls

My company has a Nokia 330 running Checkpoint 4.1 with around
125 Rules.

I am trying to track down a throughput problem downloading a large
file (800M+) between myself and an external web server via a vpn
connection. The VPN I authenticate to is on a different subnet.

When I run a NetIQ Chariot throughput test through the firewall, my
average throughput is about 15 Mbps (Chariot test diagram:
endpoint1 -> switch -> firewall -> switch -> endpoint2). According to
the firewall person the MRTG bandwidth usage is ok. They gave me the
impression that the traffic is very low.

The person in charge of the firewall checked the cpu utilization during
the throughput test and the CPU jumped from around 60% to over 98%.
We also ran a test downloading a large file from the web server back
to my box via the VPN connection. The cpu utilization jumped up
to 80%-90% during the file download.

Since the download of the file also made the cpu utilization go up,
I would think this is not a good thing.

I got the impression from the resident firewall guru (not the same person who is
in charge of the firewall) that since the number of connections is low
there isn't a problem. They also said an average CPU utilization of 60%
is fine.

My questions:

- I would think that downloading a large file through a vpn connection
that causes the cpu utilization to jump to 90% is a problem. Is there
something I can have the firewall person check in the configuration?
They did run a tcpdump on the firewall and didn't see any fragments or
lost packets for my transfer.

Thanks for any help.

t4l0r


Anonymous
June 9, 2004 6:31:13 AM


t4l0r wrote:

> My company has a Nokia 330 running Checkpoint 4.1 with around
> 125 Rules.
>
> I am trying to track down a throughput problem downloading a large
> file (800M+) between myself and an external web server via a vpn
> connection. The VPN I authenticate to is on a different subnet.
>
> When I run a NetIQ Chariot throughput test through the firewall, my
> average throughput is about 15 Mbps (Chariot test diagram:
> endpoint1 -> switch -> firewall -> switch -> endpoint2). According to
> the firewall person the MRTG bandwidth usage is ok. They gave me the
> impression that the traffic is very low.
>
> The person in charge of the firewall checked the cpu utilization during
> the throughput test and the CPU jumped from around 60% to over 98%.
> We also ran a test downloading a large file from the web server back
> to my box via the VPN connection. The cpu utilization jumped up
> to 80%-90% during the file download.
>
> Since the download of the file also made the cpu utilization go up,
> I would think this is not a good thing.
>
> I got the impression from the resident firewall guru (not the same person who is
> in charge of the firewall) that since the number of connections is low
> there isn't a problem. They also said an average CPU utilization of 60%
> is fine.
>
> My questions:
>
> - I would think that downloading a large file through a vpn connection
> that causes the cpu utilization to jump to 90% is a problem. Is there
> something I can have the firewall person check in the configuration?
> They did run a tcpdump on the firewall and didn't see any fragments or
> lost packets for my transfer.
>
> Thanks for any help.
>
> t4l0r


Lemme tell ya - if your firewall EVER spikes above 60% CPU you've got a
problem. I would tell you that since you're downloading this large file
through a VPN tunnel, the lack of encryption accelerator cards on that
IP330 is where you have a bottleneck.

You also might want to read up on Nokia IPSO's flows function. If you
have it on you can turn it off to smooth things out a bit.

Anonymous
June 15, 2004 9:34:36 PM


Scott Wilson <scottwilson@NOSPAM.nc.rr.com> wrote in message news:<RDuxc.18331$tH1.899503@twister.southeast.rr.com>...
> t4l0r wrote:
>
> > My company has a Nokia 330 running Checkpoint 4.1 with around
> > 125 Rules.
> >
> > I am trying to track down a throughput problem downloading a large
> > file (800M+) between myself and an external web server via a vpn
> > connection. The VPN I authenticate to is on a different subnet.
> >
> > When I run a NetIQ Chariot throughput test through the firewall, my
> > average throughput is about 15 Mbps (Chariot test diagram:
> > endpoint1 -> switch -> firewall -> switch -> endpoint2). According to
> > the firewall person the MRTG bandwidth usage is ok. They gave me the
> > impression that the traffic is very low.
> >
> > The person in charge of the firewall checked the cpu utilization during
> > the throughput test and the CPU jumped from around 60% to over 98%.
> > We also ran a test downloading a large file from the web server back
> > to my box via the VPN connection. The cpu utilization jumped up
> > to 80%-90% during the file download.
> >
> > Since the download of the file also made the cpu utilization go up,
> > I would think this is not a good thing.
> >
> > I got the impression from the resident firewall guru (not the same person who is
> > in charge of the firewall) that since the number of connections is low
> > there isn't a problem. They also said an average CPU utilization of 60%
> > is fine.
> >
> > My questions:
> >
> > - I would think that downloading a large file through a vpn connection
> > that causes the cpu utilization to jump to 90% is a problem. Is there
> > something I can have the firewall person check in the configuration?
> > They did run a tcpdump on the firewall and didn't see any fragments or
> > lost packets for my transfer.
> >
> > Thanks for any help.
> >
> > t4l0r
>
>
> Lemme tell ya - if your firewall EVER spikes above 60% CPU you've got a
> problem. I would tell you that since you're downloading this large file
> through a VPN tunnel, the lack of encryption accelerator cards on that
> IP330 is where you have a bottleneck.
>
> You also might want to read up on Nokia IPSO's flows function. If you
> have it on you can turn it off to smooth things out a bit.


VPN accelerator cards for the IP330 were extra. If you don't have one,
the overhead of encryption will be the cause of your CPU spike. Try
downloading a file over a cleartext connection to provide you with a
baseline for non-VPN performance.

Flows won't cause any problem, as they don't touch IPsec traffic. Only
now, with IPSO 3.8, do Nokia appliances accelerate VPN connections in
the kernel (via calls to the SecureXL API).

You really shouldn't be running FW-1 v4.1 now anyhow. It's long past
its End of Life date. Make sure your 330 has at least 256 MB RAM, and
upgrade to NG-AI.

SysAdm
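An added example (not part of the thread) of the cleartext-versus-VPN baseline comparison SysAdm recommends, written as a small Python model: it takes the Chariot figures from the original post (15 Mbps, CPU rising from 60% to 98%), computes the CPU cost per Mbps of each traffic type, projects the load at which the IP330's CPU saturates, and expresses the VPN path's overhead relative to cleartext. The linear CPU model and the cleartext/VPN download samples are assumptions, not measurements from the thread.

```python
"""Baseline comparison model for the IP330 throughput problem.
Assumption: firewall CPU grows roughly linearly with offered load,
cpu_pct ~= resting_cpu + cost_per_mbps * throughput_mbps."""
from dataclasses import dataclass

RESTING_CPU_PCT = 60.0  # idle utilisation reported for the IP330 in the thread


@dataclass(frozen=True)
class Run:
    label: str
    mbps: float     # measured throughput during the run
    cpu_pct: float  # peak firewall CPU observed during the run


def mbps_from_transfer(megabytes: float, seconds: float) -> float:
    """Throughput of a timed download (decimal megabytes -> Mbit/s)."""
    if seconds <= 0:
        raise ValueError("transfer time must be positive")
    return megabytes * 8.0 / seconds


def cpu_cost_per_mbps(run: Run, resting: float = RESTING_CPU_PCT) -> float:
    """CPU percentage points the firewall spends per Mbps of this traffic."""
    if run.mbps <= 0:
        raise ValueError(f"{run.label}: no throughput measured")
    return max(run.cpu_pct - resting, 0.0) / run.mbps


def throughput_ceiling_mbps(run: Run, resting: float = RESTING_CPU_PCT) -> float:
    """Offered load at which this traffic type would drive the CPU to 100%."""
    cost = cpu_cost_per_mbps(run, resting)
    return float("inf") if cost == 0.0 else (100.0 - resting) / cost


def vpn_overhead_factor(cleartext: Run, vpn: Run) -> float:
    """How many times more CPU per Mbps the VPN path burns than cleartext."""
    clear_cost = cpu_cost_per_mbps(cleartext)
    return float("inf") if clear_cost == 0.0 else cpu_cost_per_mbps(vpn) / clear_cost


# Figures from the original post (Chariot test through the firewall).
CHARIOT = Run("Chariot, firewall only", mbps=15.0, cpu_pct=98.0)
# CONSTRUCTED samples for the 800 MB download, one per path (assumed values).
CLEARTEXT = Run("800 MB over cleartext", mbps_from_transfer(800, 80), 70.0)
VPN = Run("800 MB over VPN", mbps_from_transfer(800, 640), 85.0)

if __name__ == "__main__":
    for run in (CHARIOT, CLEARTEXT, VPN):
        print(f"{run.label:22s} {run.mbps:5.1f} Mbps  {cpu_cost_per_mbps(run):.2f} %/Mbps"
              f"  CPU-bound near {throughput_ceiling_mbps(run):.1f} Mbps")
    print(f"VPN costs {vpn_overhead_factor(CLEARTEXT, VPN):.0f}x cleartext CPU per Mbps")
```

With the Chariot numbers alone the model puts the box's ceiling just under 16 Mbps, which is why the 15 Mbps test already pins the CPU; the constructed download pair shows how the same arithmetic separates encryption overhead from plain forwarding once a cleartext baseline exists.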