Tom,

I had a similar situation to yours, where we have a pair of IP740s (PIII 1GHz CPU and 1GB of RAM) running in VRRP configuration with Checkpoint NG Feature Pack with HFA_327. We have a Gig interface on the IP740 and yet the traffic maxed out at 104 Mbps throughput and 2500 connections (this is NOT a typo, yes, 2500 connections). It doesn't matter what we do, we cannot seem to push the firewall throughput beyond 104 Mbps and 2500 connections. The firewall has plenty of free memory (over 600Mb) and we even increased the connections to 200k but it didn't help. The CPU still spikes at 100%.

The problem, I suspect, is that CP is not releasing the connections fast enough, thus filling up the connections table and spiking the CPU. It turned out that CP cannot handle applications that are very short and spurt.

So we replaced the pair of IP740s with a pair of Cisco Pix firewall 535s running Pix code version 7.0(4). At the moment, the firewall is pushing about 400 Mbps to the Internet at about 80k connections. And yet, the CPU on the Pix is running around 38%.

You may want to look at Cisco Pix as an alternative solution. Pix is not as easy as Checkpoint in terms of management, but from a speed and performance standpoint, it may solve your problem. It did for me.

HTH

P.S. By the way, did you know that the IP740 and Cisco Pix535 are made from the same Intel motherboard and same Intel NICs?

Tom Louis <[EMAIL PROTECTED]> wrote:

I don't have that much turned on under SmartDefense. The problem I am having is when we bring up the secondary firewall, we start to drop logs, stating that

====snip==========
Information: sys_message: 10959408 log entries were not sent to log server xxx.xxx.xxx.xxx because of high load, but were instead sent to backup.
====un-snip=========

Plus I was just told to increase our connection table, which we have set at 45,000. I am supposed to be getting a pair of 1220's this week to replace our 380's. Yes, we are throwing money at the problem instead of solving the issue. But hey, if they want to buy me some IP-1220's I will take them. ;?)

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
