Hi,

I actually experienced all of the issues related to UTM-1s and Content Inspection. We manage dozens of UTM-1 270s, 570s, 1050s, etc. Let me share some of the conclusions we reached together with CP.

1- UTM-1 R65 with URL Filtering (no AV) has fairly good performance. Policy installation doesn't take a lot of time and there's little impact on performance.

2- R70, R70.20, and R70.30 have huge memory requirements for the SmartCenter part, compared to R65. Policy installation takes longer, and some connections can be dropped. Even more, on 270s and 2050s, we found several boxes that trigger a 'bug' in the 2.6 kernel, and the CPU stays at 100%, with IOWait consuming all of the available CPU resources. Access to the GUI is terribly slow or non-functional, and everything slows down. Only a cpstop/cpstart fixes the iowait issue, and it's not permanent. A medium fix we found was to decrease the swappiness of the Linux kernel, and that reduced a lot of the problems we found during policy installation. However, R70 is definitely slower than R65 and we decided not to upgrade any UTM-1s to R70. Simply too many dangers.

3- R71: Beautiful (for the most part). SmartCenter consumes a lot less memory, policy installation is faster, and the increase from using the new AV and URL features. A 270 box that ran between 60% and 80% every day went down to 10%-20%. A 1050 box using 50-60% went down to 15%-20%.

4- However, there still is a bug with the 2.6 kernel, and in a couple of machines we saw the IOWait hit 100% CPU and stay there. Check Point provided a fix, a kernel hotfix that we can apply and that solved that problem. Ask for kernel-2.6.18-92cp_976010001.i686.rpm, with the PAE and non-PAE (130 and 270) versions.

In summary, skip R70.x. Go for R71 and the improvements are huge.

Good luck.
Eli Faskha
Soluciones Seguras

-----Original Message-----
Date: Sat, 19 Jun 2010 12:26:20 +0000
From: Frank Darden <[email protected]>
Subject: Re: High CPU load on UTM-1

I believe you are correct, Gary. The UTM-1 276 is probably underpowered for that many blades. For a point of reference, my Power-1 11000 has every blade turned on that can be, and my CPU averages about 2-15 percent, depending on traffic load. All of the blades are functioning really well.

If you run the top command, which processes seem to be using the most CPU?

Regards,
Frank

On 6/18/10 10:49 AM, "Gary Scott" <[email protected]> wrote:

>I have just upgraded a UTM-1 276 standalone to R71 and have IPS, AV and
>URL filtering enabled, sitting idle my CPU is at 35%. Trying to do
>almost anything causes my CPU to spike to 100%. I guess this could be
>expected seeing how all it has is a Celeron 600 MHz CPU in it.
>
>-GS
>
>________________________________
>From: hvdkooij <[email protected]>
>To: [email protected]
>Sent: Fri, June 18, 2010 9:42:21 AM
>Subject: [FW-1] High CPU load on UTM-1
>
>Hi,
>
>Rumours have it that policy installs on UTM-1 will generate a lot of
>load on the UTM-1 units.
>
>This has been detected on NGX R65, R70, R70.10, R70.20 and R70.30 but
>the same rumours have it that this will not occur with R71 on the box.
>
>If people want to share their experiences in this regard it might be
>rather useful to see what pieces of the code are responsible.
>
>Regards, Hugo.
>--
>[email protected]
>http://hugo.vanderkooij.org/
>PGP/GPG? Use:
>http://hugo.vanderkooij.org/0x58F19981.asc
