The THREAD may very well have started with what you are talking
about. But you replied to MY email. This is the point where you went off
on a seemingly random rant. A rant who's topic had NOTHING to do with my
post.
I totally agree that it is "non-beneficial" to listen to your useless
rants. And so I won't.
On Mon, 19 Feb 2001, CryptoTech wrote:
> Unless you are totally daft, then you will note that the thread you sent regards the
> benefits of dual cpu and the statement that the major limitation is to be the bus
>speed.
> This must be the source of the same insecurity in firewall knowledge that leads you
>to
> continue this nonsensical, and definitely non-beneficial thread.
>
> FACT:
> Linux can be compiled with SMP/multithreading.
> [EMAIL PROTECTED] has stated this more times than my processor can compute
>
> Firewall-1 Inspect (that is the Firewall in the product Firewall-1) is not. It's
>security
> servers can be, as well as the vpn portion (genuine thanks to Mike Vincent,) if so
> configured.
>
> I think this thread and argument have gone on long enough for everyones taste, so
>why don't
> we let things lie.
>
> Best Regards,
> CryptoTech
>
> [EMAIL PROTECTED] wrote:
>
> > I think you have a reading comprehension problem. I had this when I was
> > in elementary school, but I beleive I have overcome it. Quite obviously
> > you have NOT.
> >
> > I was quite obviously stating that LINUX KERNEL networking is multi
> > threaded.
> >
> > Now this is the second time that you have done this to me. I have never
> > had to filter a persons email address to /dev/null before...
> >
> > On Sat, 10 Feb 2001, CryptoTech wrote:
> >
> > >
> > > <rant>
> > > Come on people, HOW MANY TIME DOES IT HAVE TO BE STATED-----
> > >
> > > FIREWALL-1 IS NOT MULTITHREADED. If you run security servers, they can run
>multiple
> > > instances with each bound to a separate processor, but the core code is NOT
> > > multithreaded.
> > >
> > > </rant>
> > > Seriously, the documentation will make this clear.
> > >
> > >
> > >
> > > [EMAIL PROTECTED] wrote:
> > >
> > > > fyi,
> > > >
> > > > linux 2.4.1 kernel has MUCH better networking stats, and infact its
> > > > multithreaded... from what I understand.
> > > >
> > > > On Sat, 10 Feb 2001, Peter Lukas wrote:
> > > >
> > > > >
> > > > > Even with a GigE adapter, the bottleneck is the processor as it crunches
> > > > > through the policy.
> > > > >
> > > > > The newer 900MHz UltraIII's would most likely enable you to approach the
> > > > > capacity of the 100Mbps ethernet adapter, but for sustained throughput, it
> > > > > may not come close.
> > > > >
> > > > > Some of the newer GHz x86 processors could probably tap a keg of whoopass
> > > > > on crunching through the policy and you may approach 100Mbps and
> > > > > beyond. You'd then need to bundle into that configuration some speedy
> > > > > memory, etc.
> > > > >
> > > > > The newer processors from AMD and (when they get their act together) Intel
> > > > > are capable of crunching through policy relatively well. Add that with
> > > > > faster memory, etc (should DDR-SDRAM materialize), and your x86 firewall
> > > > > will most likely smoke a Solaris/Sun-Based firewall.
> > > > >
> > > > > The real problem here is that you only have Linux or NT on which to run
> > > > > CP. Since neither can handle packets as well as Solaris, and Nokia
> > > > > selfishly clings to their IPSO/FreeBSD CP binary, we don't have a
> > > > > more efficient OS to slap atop this newer, speedier hardware.
> > > > >
> > > > > Either we pressure Nokia/CP to release native *BSD binaries of their
> > > > > product, or we wait for Nokia to "support" better and more capable
> > > > > hardware.
> > > > >
> > > > > Peter Lukas
> > > > >
> > > > > On Tue, 6 Feb 2001, Craig Skelton wrote:
> > > > >
> > > > > >
> > > > > > Couldn't agree more. The ultra60 is such a nice desktop :). I fully believe
> > > > > > in single purpose firewalls. Why waste cpu cycles on any other task.
> > > > > >
> > > > > > Have you tried any gigbit adapters at fast ethernet speeds? (Or has
>anyone?)
> > > > > > I'm wondering if that is not the *best* way to get maximum performance.
> > > > > >
> > > > > > Has anybody got any references for how disk speed affects fw1? I'm assuming
> > > > > > that the faster the drive, the faster the logging. Does that increase fw1
> > > > > > performance at all? I would think that it would at least reduce the memory
> > > > > > footprint a bit (If log entries are buffered in memory before being
> > > > > > written.) Comments anyone?
> > > > > >
> > > > > > Cheers,
> > > > > > Craig
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Peter Lukas" <[EMAIL PROTECTED]>
> > > > > > To: "Craig Skelton" <[EMAIL PROTECTED]>
> > > > > > Cc: "William Pope" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
> > > > > > <[EMAIL PROTECTED]>
> > > > > > Sent: Tuesday, February 06, 2001 6:43 AM
> > > > > > Subject: Re: [FW1] FireWall-1 and Dual CPU machine
> > > > > >
> > > > > >
> > > > > > > THis is precisely what the Nokia folks realized in their devices. A
> > > > > > > celeron with 64MB is going to do just as well when pusing policy as a Sun
> > > > > > > Ultra60 (can you believe these are being used as firewalls? Nice
>graphics
> > > > > > > on your "headless" firewall).
> > > > > > >
> > > > > > > PCI is PCI is PCI - for the most part at least. Some implementations
> > > > > > > leave much to be desired (thanks 810).
> > > > > > >
> > > > > > > However, the SunQFE can ride the 66MHz 64-bit PCI bus if configured
> > > > > > > properly. That'll provide some improvement over the 33MHz jalopy riding
> > > > > > > the Nokia Intel MB. I believe the Micron folks implemented a Samauri
> > > > > > > chipset (a pre-AGP concoction) which accomplished the same thing. On the
> > > > > > > downside, the extremely high markup of the four Intel speedo's with a Sun
> > > > > > > emblem on the Sun QFE is ludicrous. Looks like they fostered the Nokia
> > > > > > > markup as well.
> > > > > > >
> > > > > > > I've had a relatively high failure rate on the Luna PCI adapter (see
> > > > > > > previous threads of failing Luna PCI's with an "E.T." syndrome). The
> > > > > > > point of the post was that the UltraSPARC can be much faster than the
> > > > > > > Intel SA-110 on the LUNA PCI adapter. I'm not sure how the "Soft" LUNA
>is
> > > > > > > licensed. This only benefits VPN users who were conned into buying SMP
> > > > > > > powerhouses for their firewall device, though.
> > > > > > >
> > > > > > > -pl
> > > > > > >
> > > > > > > On Tue, 6 Feb 2001, Craig Skelton wrote:
> > > > > > >
> > > > > > > > Memory, bus speed, adapter speed, and base processor speed are the
> > > > > > biggest
> > > > > > > > factors in FW1 performance.
> > > > > > > >
> > > > > > > > The Luna VPN card will increase preformance only if you are implemeting
> > > > > > a
> > > > > > > > VPN. If you don't plan on using an IKE or IPSEC VPN then it won't do
> > > > > > > > anything for you. (Although they are cool if you do.)
> > > > > > > >
> > > > > > > > One thing people missed is the bus speed of your machine. This is a big
> > > > > > > > deal. You should examine the bus speed of the machine, and the ability
> > > > > > of
> > > > > > > > the ethernet adapters to utilize that top speed. Some docs suggest that
> > > > > > > > gigabit cards will support slightly higher speeds even when run at Fast
> > > > > > > > Ethernet speeds. Stands to reason that the higher the performace
> > > > > > capability,
> > > > > > > > the better the performance at nominal speeds. Obviously, if you already
> > > > > > own
> > > > > > > > the machine, then you might not get to choose, but a slow bus speed
> > > > > > might
> > > > > > > > mean that you are better off upgrading now (or that the second proc
> > > > > > won't
> > > > > > > > matter).
> > > > > > > >
> > > > > > > > For dual cpu info, you should check the doc at:
> > > > > > > >
> > > > > >
>http://www.checkpoint.com/techsupport/documentation/FW-1_VPN-1_performance.h
> > > > > > > > tml
> > > > > > > > "SMP (2-4 CPUs) has the most effect on Resource and VPN policies
> > > > > > performance
> > > > > > > > (up to 35-54% performance improvement). Make sure to run multiple
> > > > > > instances
> > > > > > > > of security servers (see the VPN-1 Tuning chapter). "
> > > > > > > >
> > > > > > > > If you run lots of security servers, or have many people viewing
> > > > > > logfiles
> > > > > > > > (nt clients being worse than command line warriors) then the dual cpu
> > > > > > will
> > > > > > > > really help. Especially if they are not too good at refining their
> > > > > > > > selections. Obviously, the kernel modules are monolithic (most likely
> > > > > > due to
> > > > > > > > severe security issues in multi-threaded kernel mods). The security
> > > > > > servers
> > > > > > > > and other portions of vpn1/fw1 are not. (pbind etc. to take advantage.)
> > > > > > You
> > > > > > > > should run multiple instances to increase preformance. Multiple
> > > > > > instances
> > > > > > > > will ensure that the second cpu is truely utilized (at least on
> > > > > > solaris.). I
> > > > > > > > doubt there is much need for more than a dual box.
> > > > > > > >
> > > > > > > > As far as I am aware, there are no specific dual processor tuning
>points
> > > > > > for
> > > > > > > > fw-1 on solaris (if you hear of any, let me know.) You might want to
> > > > > > take a
> > > > > > > > look at sunsolve.sun.com for the doc id 1442 (white papers/ tech
> > > > > > bulletins).
> > > > > > > >
> > > > > > > > Cheers,
> > > > > > > > Craig
> > > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > From: "Peter Lukas" <[EMAIL PROTECTED]>
> > > > > > > > To: "William Pope" <[EMAIL PROTECTED]>
> > > > > > > > Cc: <[EMAIL PROTECTED]>
> > > > > > > > Sent: Monday, February 05, 2001 6:42 PM
> > > > > > > > Subject: RE: [FW1] FireWall-1 and Dual CPU machine
> > > > > > > >
> > > > > > > >
> > > > > > > > >
> > > > > > > > > I did notice a version of the Luna VPN driver optimized for the
> > > > > > dormant
> > > > > > > > > CPU. Seeing as how a relatively fast UltraSPARC can effectively dust
> > > > > > the
> > > > > > > > > StrongARM on the Chrysalis-ITS, it may be worth a looksee for people
> > > > > > who
> > > > > > > > > ended up purchasing a multi-CPU system for their firewall...
> > > > > > > > >
> > > > > > > > > -peter
> > > > > > > > >
> > > > > > > > > On Mon, 5 Feb 2001, William Pope wrote:
> > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > I do not think that Checkpoint has released a multithreaded version
> > > > > > of
> > > > > > > > > > Firewall-1 yet. I have had some luck using pbind & renice to force
> > > > > > the
> > > > > > > > > > Checkpoint services to the second processor leaving the first for
> > > > > > the
> > > > > > > > O/S.
> > > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: [EMAIL PROTECTED]
> > > > > > > > > > [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > > > > > > Vincent,
> > > > > > > > > > Mike
> > > > > > > > > > Sent: Monday, February 05, 2001 10:59 AM
> > > > > > > > > > To: 'Damon Starkey '; ''Arie Gilboa' '; ''fw-1 Mailinglis' '
> > > > > > > > > > Subject: RE: [FW1] FireWall-1 and Dual CPU machine
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Checkpoint did release a multi-threaded device driver to accelerate
> > > > > > > > > > encryption and decryption on SMP SPARC/Solaris and Windows NT
> > > > > > systems.
> > > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: Damon Starkey
> > > > > > > > > > To: 'Arie Gilboa'; 'fw-1 Mailinglis'
> > > > > > > > > > Sent: 2/5/01 10:15 AM
> > > > > > > > > > Subject: RE: [FW1] FireWall-1 and Dual CPU machine
> > > > > > > > > >
> > > > > > > > > > I was told no when I went through the Checkpoint Certification. It
> > > > > > > > > > benefits from a good amount of memory.
> > > > > > > > > >
> > > > > > > > > > Damon Starkey
> > > > > > > > > > Network Administrator
> > > > > > > > > > Digital Access Corporation
> > > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: Arie Gilboa [mailto:[EMAIL PROTECTED]]
> > > > > > > > > > Sent: Monday, February 05, 2001 9:44 AM
> > > > > > > > > > To: 'fw-1 Mailinglis'
> > > > > > > > > > Subject: [FW1] FireWall-1 and Dual CPU machine
> > > > > > > > > >
> > > > > > > > > > Hello!,
> > > > > > > > > > I would like to instal CP-2000 on Dual CPU Solaris machine.
> > > > > > > > > > Does CP-2000 software know to use more than one CPU ?. Is there any
> > > > > > > > > > special configuration which should be done ?.
> > > > > > > > > >
> > > > > > > > > > Thanks,
> > > > > > > > > > Arie Gilboa
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > >
> > > > > >
>============================================================================
> > > > > > > > > > ====
> > > > > > > > > > To unsubscribe from this mailing list, please see the
> > > > > > instructions
> > > > > > > > at
> > > > > > > > > > http://www.checkpoint.com/services/mailing.html
> > > > > > > > > >
> > > > > > > >
> > > > > >
>============================================================================
> > > > > > > > > > ====
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > >
> > > > > >
>============================================================================
> > > > > > > > ====
> > > > > > > > > > To unsubscribe from this mailing list, please see the
> > > > > > instructions
> > > > > > > > at
> > > > > > > > > > http://www.checkpoint.com/services/mailing.html
> > > > > > > > > >
> > > > > > > >
> > > > > >
>============================================================================
> > > > > > > > ====
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > >
>============================================================================
> > > > > > > > ====
> > > > > > > > > To unsubscribe from this mailing list, please see the
> > > > > > instructions at
> > > > > > > > > http://www.checkpoint.com/services/mailing.html
> > > > > > > > >
> > > > > > > >
> > > > > >
>============================================================================
> > > > > > > > ====
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
>================================================================================
> > > > > > To unsubscribe from this mailing list, please see the instructions at
> > > > > > http://www.checkpoint.com/services/mailing.html
> > > > > >
>================================================================================
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > >
>================================================================================
> > > > > To unsubscribe from this mailing list, please see the instructions at
> > > > > http://www.checkpoint.com/services/mailing.html
> > > > >
>================================================================================
> > > > >
> > > >
> > > > --
> > > > --Paul
> > > >
> > > >
>================================================================================
> > > > To unsubscribe from this mailing list, please see the instructions at
> > > > http://www.checkpoint.com/services/mailing.html
> > > >
>================================================================================
> > >
> > >
> > >
> > >
> > > ================================================================================
> > > To unsubscribe from this mailing list, please see the instructions at
> > > http://www.checkpoint.com/services/mailing.html
> > > ================================================================================
> > >
> >
> > --
> > --Paul
>
--
--Paul
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
