Kerry Baker wrote:
>
> We have significant performance problems on our firewall. We have a Sun
> Ultra 5 running Firewall-1 v4.0 SP6 on Solaris 2.6.
> Our users use a combination of direct access, user authentication and client
> authentication. We do accounting logging for a lot of traffic.
> Direct access users have really good response for web browsing, but user and
> client authentication users find browsing painfully slow.
> We have plenty of memory (no paging), the cpu is idling between 60-70% of
> the time, load averages are under 0.5.
> We are filtering only about 300-500 packets a second and typically have less
> than 5000 active connections at any time.
> No network errors and interfaces are set to 100mbps full-duplex.
>
> All-in-all it appears to be a very underutilised system and yet
> authenticated users find it extremely slow.

Just a few comments:
- Any UNIX system typically starts having performance problems with
disk I/O. You should take a look at your Solaris "iostat -xtc" statistics
and see how much your disk is being used (%busy and service time columns).
Use iostat's view of the processor as well. It's a bit more reliable (and more
detailed) than uptime's point of view about processor load. vmstat may help you also.
- On the firewall side, I'm wondering if you are using the "basic
performance rules": most-used rules at the top, no domain objects,
enabling "fast mode" when possible ("fast mode" may bring you certain
security problems. It's up to you whether you use this feature). See
http://www.enteract.com/~lspitz/fwtable.html :-)
- I heard somewhere that the "internal bus" or "internal switch" on Ultra 5
machines is a bit limited for managing high network load. The Ultra 5 is
a workstation architecture, I think. I'm not a hardware expert, but this
may be another clue, if you are handling high traffic and/or have multiple
DMZs.
Hope this helps.
-- M. Hoz