Checkpoint NGX Performance Pack User Guide

7/31/2019 Checkpoint NGX Performance Pack User Guide

1/25

Performance Pack

NGX (R60)

For additional technical information about Check Point products, consult Check Points SecureKnowledge at:

https://secureknowledge.checkpoint.com

See the latest version of this document in the User Center at:

http://www.checkpoint.com/support/technical/documents/docs_R60.html

IMPORTANTCheck Point recommends that customers stay up-to-date with the latest

service packs and versions of security products, as they contain securityenhancements and protection against new and changing attacks.

August 2005
https://secureknowledge.checkpoint.com/http://www.checkpoint.com/support/technical/documents/docs_r60.htmlhttp://www.checkpoint.com/support/technical/documents/docs_r60.htmlhttps://secureknowledge.checkpoint.com/


2/25


3/25

Check Point Software Technologies Ltd.U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233, [email protected] Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com

2003-2005 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyrightand distributed under licensing restricting their use, copying, distribution, anddecompilation. No part of this product or related documentation may be reproduced inany form or by any means without prior written authorization of Check Point. While everyprecaution has been taken in the preparation of this book, Check Point assumes noresponsibility for errors or omissions. This publication and features described herein aresubject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth insubparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause atDFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

2003-2005 Check Point Software Technologies Ltd. All rights reserved.

Check Point, Application Intelligence, Check Point Express, the Check Point logo,AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa,Cooperative Security Alliance, Eventia, Eventia Analyzer, FireWall-1, FireWall-1 GX,FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL,Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy LifecycleManagement, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge,

SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate,SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security,SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView,SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker,SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM,User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge,VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1VSX, VPN-1 XL, Web Intelligence, ZoneAlarm, ZoneAlarm Pro, Zone Labs, and the ZoneLabs logo, are trademarks or registered trademarks of Check Point SoftwareTechnologies Ltd. or its affiliates. All other product names mentioned herein aretrademarks or registered trademarks of their respective owners. The products describedin this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935 and6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending

applications.

THIRD PARTIES:

Entrust is a registered trademark of Entrust Technologies, Inc. in the United States andother countries. Entrusts logos and Entrust product and service names are alsotrademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly ownedsubsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporatecertificate management technology from Entrust.

Verisign is a trademark of Verisign Inc.

The following statements refer to those portions of the software copyrighted by Universityof Michigan. Portions of the software copyright1992-1996 Regents of the University of

Michigan. All rights reserved. Redistribution and use in source and binary forms arepermitted provided that this notice is preserved and that due credit is given to theUniversity of Michigan at Ann Arbor. The name of the University may not be used toendorse or promote products derived from this software without specific prior writtenpermission. This software is provided as is without express or implied warranty.CopyrightSax Software (terminal emulation only).

The following statements refer to those portions of the software copyrighted by CarnegieMellon University.

Copyright 1997 by Carnegie Mellon University. All Rights Reserved.

Permission to use, copy, modify, and distribute this software and its documentation forany purpose and without fee is hereby granted, provided that the above copyright noticeappear in all copies and that both that copyright notice and this permission notice appear

in supporting documentation, and that the name of CMU not be used in advertising orpublicity pertaining to distribution of the software without specific, written priorpermission.CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, INNO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT ORCONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROMLOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR INCONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The following statements refer to those portions of the software copyrighted by The OpenGroup.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF

MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND

NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANYCLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THESOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

The following statements refer to those portions of the software copyrighted by TheOpenSSL Project. This product includes software developed by the OpenSSL Project foruse in the OpenSSL Toolkit (http://www.openssl.org/).

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY *EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THEIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULARPURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS

CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, ORPROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANYTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THEUSE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCHDAMAGE.

The following statements refer to those portions of the software copyrighted by EricYoung. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANYEXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THEIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULARPURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR

CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, ORPROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANYTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THEUSE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCHDAMAGE. Copyright1998The Open Group.The following statements refer to those portions of the software copyrighted by Jean-loupGailly and Mark Adler Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. Thissoftware is provided 'as-is', without any express or implied warranty. In no event will theauthors be held liable for any damages arising from the use of this software. Permissionis granted to anyone to use this software for any purpose, including commercial

applications, and to alter it and redistribute it freely, subject to the following restrictions:1. The origin of this software must not be misrepresented; you must not claim that youwrote the original software. If you use this software in a product, an acknowledgment inthe product documentation would be appreciated but is not required.

2. Altered source versions must be plainly marked as such, and must not bemisrepresented as being the original software.

3. This notice may not be removed or altered from any source distribution.

The following statements refer to those portions of the software copyrighted by the GnuPublic License. This program is free software; you can redistribute it and/or modify itunder the terms of the GNU General Public License as published by the Free SoftwareFoundation; either version 2 of the License, or (at your option) any later version. Thisprogram is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;without even the implied warranty of MERCHANTABILITY or FITNESS FOR APARTICULAR PURPOSE. See the GNU General Public License for more details.Youshould have received a copy of the GNU General Public License along with this program;if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,USA.

The following statements refer to those portions of the software copyrighted by ThaiOpen Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expatmaintainers. Permission is hereby granted, free of charge, to any person obtaining acopy of this software and associated documentation files (the "Software"), to deal in theSoftware without restriction, including without limitation the rights to use, copy, modify,merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permitpersons to whom the Software is furnished to do so, subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies orsubstantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUTWARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITEDTO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULARPURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS ORCOPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHERLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,

ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USEOR OTHER DEALINGS IN THE SOFTWARE.GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions of the code MUSTreference the author, and include any and all original documentation. Copyright. BruceVerderaime. 1998, 1999, 2000, 2001. Portions copyright 1994, 1995, 1996, 1997, 1998,1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999,

2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999,


4/25

2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001,2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 JohnEllson ([email protected]). Portions relating to gdft.c copyright 2001, 2002 John Ellson([email protected]). Portions relating to JPEG and to color quantization copyright2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999,2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of theIndependent JPEG Group. See the file README-JPEG.TXT for more information.Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Vanden Brande. Permission has been granted to copy, distribute and modify gd in anycontext without fee, including a commercial application, provided that this notice ispresent in user-accessible supporting documentation. This does not affect your

ownership of the derived work itself, and the intent is to assure proper credit for theauthors of gd, not to interfere with your productive use of gd. If you have questions, ask."Derived works" includes all programs that utilize the library. Credit must be given inuser-accessible documentation. This software is provided "AS IS." The copyright holdersdisclaim all warranties, either express or implied, including but not limited to impliedwarranties of merchantability and fitness for a particular purpose, with respect to thiscode and accompanying documentation. Although their code does not appear in gd 2.0.4,the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue SoftwareCorporation for their prior contributions.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use thisfile except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

The curl license

COPYRIGHT AND PERMISSION NOTICECopyright (c) 1996 - 2004, Daniel Stenberg, .All rights reserved.

Permission to use, copy, modify, and distribute this software for any purpose

with or without fee is hereby granted, provided that the above copyright

notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OFMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE ANDNONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE

AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OROTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OROTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWAREOR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Except as contained in this notice, the name of a copyright holder shall not be used inadvertising or otherwise to promote the sale, use or other dealings in this Softwarewithout prior written authorization of the copyright holder.

The PHP License, version 3.0

Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, ispermitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list ofconditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list ofconditions and the following disclaimer in the documentation and/or other materialsprovided with the distribution.

3. The name "PHP" must not be used to endorse or promote products derived from thissoftware without prior written permission. For written permission, please [email protected].

4. Products derived from this software may not be called "PHP", nor may "PHP" appearin their name, without prior written permission from [email protected]. You may indicatethat your software works in conjunction with PHP by saying "Foo for PHP" instead ofcalling it "PHP Foo" or "phpfoo"

5. The PHP Group may publish revised and/or new versions of the license from time totime. Each version will be given a distinguishing version number. Once covered code hasbeen published under a particular version of the license, you may always continue to useit under the terms of that version. You may also choose to use such covered code underthe terms of any subsequent version of the license published by the PHP Group. No oneother than the PHP Group has the right to modify the terms applicable to covered codecreated under this License.

6. Redistributions of any form whatsoever must retain the following acknowledgment:

"This product includes PHP, freely available from ".

THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' ANDANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR APARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHPDEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT,INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ORSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN

CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OROTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVENIF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf ofthe PHP Group. The PHP Group can be contacted via Email at [email protected].

For more information on the PHP Group and the PHP project, please see . This product includes the Zend Engine, freely available at .

This product includes software written by Tim Hudson ([email protected]).

Copyright (c) 2003, Itai Tzur

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, arepermitted provided that the following conditions are met:

Redistribution of source code must retain the above copyright notice, this list ofconditions and the following disclaimer.

Neither the name of Itai Tzur nor the names of other contributors may be used toendorse or promote products derived from this software without specific prior writtenpermission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS ANDCONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OFMERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AREDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS

BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, ORCONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENTOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; ORBUSINESS

INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCEOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd

Permission is hereby granted, free of charge, to any person obtaining a copy of thissoftware and associated documentation files (the "Software"), to deal in the Softwarewithout restriction, including without limitation the rights to use, copy, modify, merge,publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons

to whom the Software is furnished to do so, subject to the following conditions: Theabove copyright notice and this permission notice shall be included in all copies orsubstantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OFMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE ANDNONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHTHOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHERIN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF ORIN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS INTHE SOFTWARE.

Copyright 2003, 2004 NextHop Technologies, Inc. All rights reserved.

Confidential Copyright Notice

Except as stated herein, none of the material provided as a part of this document may becopied, reproduced, distrib-uted, republished, downloaded, displayed, posted ortransmitted in any form or by any means, including, but not lim-ited to, electronic,mechanical, photocopying, recording, or otherwise, without the prior written permission ofNextHop Technologies, Inc. Permission is granted to display, copy, distribute anddownload the materials in this doc-ument for personal, non-commercial use only,provided you do not modify the materials and that you retain all copy-right and otherproprietary notices contained in the materials unless otherwise stated. No materialcontained in this document may be "mirrored" on any server without written permission ofNextHop. Any unauthorized use of any material contained in this document may violatecopyright laws, trademark laws, the laws of privacy and publicity, and communicationsregulations and statutes. Permission terminates automatically if any of these terms orcondi-tions are breached. Upon termination, any downloaded and printed materials must

be immediately destroyed.Trademark Notice

The trademarks, service marks, and logos (the "Trademarks") used and displayed in thisdocument are registered and unregistered Trademarks of NextHop in the US and/or othercountries. The names of actual companies and products mentioned herein may beTrademarks of their respective owners. Nothing in this document should be construed asgranting, by implication, estoppel, or otherwise, any license or right to use any Trademarkdisplayed in the document. The owners aggressively enforce their intellectual propertyrights to the fullest extent of the law. The Trademarks may not be used in any way,including in advertising or publicity pertaining to distribution of, or access to, materials in

this document, including use, without prior, written permission. Use of Trademarks as a"hot" link to any website is prohibited unless establishment of such a link is approved inadvance in writing. Any questions concerning the use of these Trademarks should bereferred to NextHop at U.S. +1 734 222 1600.


5/25

U.S. Government Restricted Rights

The material in document is provided with "RESTRICTED RIGHTS." Software andaccompanying documentation are provided to the U.S. government ("Government") in atransaction subject to the Federal Acquisition Regulations with Restricted Rights. TheGovernment's rights to use, modify, reproduce, release, perform, display or disclose are

restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software andNoncommercial Computer Soft-ware Documentation clause at DFAR 252.227-7014 (Jun1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of theCommer-cial

Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987).

Use of the material in this document by the Government constitutes acknowledgment ofNextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043.Use, duplication, or disclosure by the Government is subject to restrictions as set forth inapplicable laws and regulations.

Disclaimer Warranty Disclaimer Warranty Disclaimer Warranty Disclaimer Warranty

THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIESOF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLEPURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES,

EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIEDWARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR

ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THISDOCUMENT WARRANTS OR MAKES ANY REPRESEN-TATIONS REGARDING THEUSE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USEOF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT.

Limitation of Liability

UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT,INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING,BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, ORTHE INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOPOR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THEPOSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THISDOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTIONOF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO

NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL ORCONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAYNOT FULLY APPLY TO YOU.

Copyright ComponentOne, LLC 1991-2002. All Rights Reserved.

BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC"))

Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release

PCRE LICENCE

PCRE is a library of functions to support regular expressions whose syntax andsemantics are as close as possible to those of the Perl 5 language. Release 5 of PCREis distributed under the terms of the "BSD" licence, as specified below. Thedocumentation for PCRE, supplied in the "doc" directory, is distributed under the sameterms as the software itself.

Written by: Philip Hazel

University of Cambridge Computing Service, Cambridge, England. Phone:

+44 1223 334714.

Copyright (c) 1997-2004 University of Cambridge All rights reserved.

Redistribution and use in source and binary forms, with or without modification, arepermitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list ofconditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice, this list ofconditions and the following disclaimer in the documentation and/or other materialsprovided with the distribution.

* Neither the name of the University of Cambridge nor the names of its contributors maybe used to endorse or promote products derived from this software without specific priorwritten permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS ANDCONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF

MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AREDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORSBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, ORCONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENTOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; ORBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OFLIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDINGNEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THISSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


6/25


7/25

Table of Contents 7

Table Of Contents

Chapter 1 Introduction to Performance PackOverview 9

Release Notes 10

Chapter 2 Getting StartedPerformance Pack NGX (R60) System Requirements 11

Minimum System Requirements 11

Recommended System Options 12

Performance Pack Recommended Platforms 12

Preparing the Performance Pack NGX (R60) Machine 13

BIOS settings 13

Network Interface Cards location 13

Installation 13

Chapter 3 Command Linefwaccel 15

cpconfig 16

sim 16

proc entries 17

Appendix A Performance Tuning and Measurement HintsPerformance Tuning 19

SYN Defender 19

Amount of Concurrent Connections and Hash Size 19

Implied Rules 20

HyperThreading 20

Connection Templates 21

Delayed Synchronization 22

Performance Measurement 23TCP State and Benchmarking 23

Index 25


8/25

8


9/25

9

CHAPTER 1

Introduction to

Performance Pack

In This Chapter

Overview

This document describes how to install and configure Performance Pack. Additionally,

it shows you how to get the best possible performance using Performance Pack.

Performance Pack is supported both for SecurePlatform and Solaris platforms.

Performance Pack is a software acceleration product installed as an add-on to VPN-1Pro. Performance Pack significantly enhances and improves the performance of VPN-1

Pro.

Performance Pack uses Check Points SecureXL technology and other innovative

network acceleration techniques, to deliver wire-speed performance for VPN-1 Pro.

Moreover, it accelerates key security functions, thereby ensuring your organization the

best security with the best performance available on an open platform.

Supported security functions include:

Access control.

Encryption.

NAT.

Accounting and logging.

Connection/session rate.

General security checks.

Overview page 9

Release Notes page 10


10/25

Release Notes

10 August 2005

SmartDefense features.

CIFs resources.

ClusterXL High Availability and Load Sharing.

TCP Sequence Verification.

Dynamic VPN

Release Notes

The latest Release Notes for Performance Pack can be found at:

http://www.checkpoint.com/support/technical/documents/index.html
http://www.checkpoint.com/support/technical/documents/index.htmlhttp://www.checkpoint.com/support/technical/documents/index.html


11/25

11

CHAPTER 2

Getting Started

In This Chapter

Performance Pack NGX (R60) System Requirements

Performance Pack accelerates the performance of VPN-1 Pro on Pentium PCs

supported by SecurePlatform, on Solaris 8, or Solaris 9 SPARC 64 Bit.

Following are the minimum recommended requirements:

Minimum System Requirements

The following are the minimum system requirements:

Performance Pack NGX (R60) System Requirements page 11

Performance Pack Recommended Platforms page 12

Preparing the Performance Pack NGX (R60) Machine page 13

TABLE 2-1 Minimum System Requirements

OperatingSystems

SecurePlatform NGX (R60)

Solaris 8, Solaris 9.

CPU Pentium III and above for SecurePlatform NGX (R60).

SPARC 64 Bits for Solaris.

Disk Space 80 MB.

Memory 128 MB.


12/25

Performance Pack Recommended Platforms

12 August 2005

Recommended System OptionsThe following system options are recommended for optimal performance:

Performance Pack Recommended Platforms

The following platforms are recommended for use with Performance Pack:

Super Micro SuperServer 6023P-8R Dual Processor.

Compaq ML530 Dual Processor.

Compaq Proliant Dual Processor.

IBM 330, 340 & 343 Dual Processor.

Dell precision 530 Dual Processor.

SunBlade 1000.

SunFire V480.

SunFire V210/V240

NetworkInterfaces

Network Interfaces supported by VPN-1 Pro on Solaris:

GEM Ethernet NIC. 10/100 QuadEthernet NIC.

GigaSwift NIC.

Sun HME 10/100 Ethernet NIC.

BGE

TABLE 2-1 Minimum System Requirements

TABLE 2-2 Recommended System options

OperatingSystems

SecurePlatform NGX (R60),

Solaris 8, Solaris 9.

CPU Dual Intel Xeon or Dual SPARC 64 bits

Disk Space 400 MB.

Memory 512 MB or more.

NetworkInterfaces

SecurePlatform NGX (R60):Intel Pro 1000 MF/MT.

Solaris:GigaSwift.

Bus Technology At least two 64bit/66Mhz PCI buses, ServerWorks or Intel E7500Chipset.


13/25

BIOS settings

Chapter 2 Getting Started 13

Please refer to the latest Performance Pack NGX (R60) release notes for additional

information on hardware support, limitations and recommendations.

Preparing the Performance Pack NGX (R60) MachineFor optimal performance, appropriate configuration settings are recommended for the

following:

BIOS Settings.

Network Interface Cards.

BIOS settings If your BIOS supports CPU clock setting, make sure that the BIOS is set to the

actual CPU speed.

If you are running Performance Pack NGX (R60) on a machine with Intel Xeon

CPUs, consider setting the HyperThreading feature to on. Using

HyperThreading may improve performance for some scenarios.

Network Interface Cards location If you are using a motherboard with multiple PCI or PCI-X buses, make sure that

each Network Interface Card is installed in a slot connected to a differentbus.

If you are using more than two Network Interface Cards in a system with only two

64bit/66Mhz PCI buses, make sure that the least-used cards are installed in slots

connected to the same bus.

Installation

For installation details see the most current online documentation:

http://www.checkpoint.com/support/technical/documents/

Note - Performance Pack is automatically disabled on PPTP and PPPoE interfaces.


14/25

Preparing the Performance Pack NGX (R60) Machine

14 August 2005


15/25

15

CHAPTER 3

Command Line

In This Chapter

fwaccel

The fwaccel utility allows you to enable or disable acceleration dynamically while

VPN-1 Pro is running. The default setting is determined by the setting configured with

cpconfig (see cpconfig on page 14). This setting reverts to the default after reboot.

Usagefwaccel [on|off|stat|stats|conns|templates]

Parameters

fwaccel page 15

cpconfig page 16

sim page 16

proc entries page 17

TABLE 3-1 fwaccel parameters

Parameter Explanation

on Start acceleration.

off Stop acceleration.

stat Display the acceleration device status and the status of

the Connection Templates on the local VPN-1 Pro

module.

stats Displays acceleration statistics.


16/25

cpconfig

16 August 2005

cpconfig

Check Point products are configured using the cpconfig utility. When run, this utility

displays a screen with the configuration options. The options that are displayed, depend

on the installed configuration and product(s). You can use cpconfig to enable or disablePerformance Pack. Once you have selected an acceleration setting, the setting remains

configured, until you choose to change it on another occasion. In other words, the

settings that you define will remain even after the machine is rebooted. For an

alternative method to enable or disable acceleration, see fwaccel on page 15.

Usage

Execute cpconfig by entering the following command:cpconfig

An interactive menu will be displayed providing you with the option to enable or

disable the acceleration by selecting Enable/Disable Check Point SecureXL. Select

Enable in order to enable acceleration. Select Disable in order to disable acceleration.

sim The sim utility controls various Performance Pack NGX R60 driver features and appliesonly for SecurePlatform.

Usagesim affinity [-a|-s|-l]

stats -s Displays more summarized statistics information.conns Displays all connections.

conns -s Displays the number of connections currently defined

in the accelerator.

templates Display all connection templates.

templates -max_entries Display up to max_entries connection templates.

templates -s Display the number of templates currently defined in

the accelerator.

TABLE 3-1 fwaccel parameters



17/25

Chapter 3 Command Line 17

Parameters

Affinity is a general term for binding Network Interface Card (NIC) interrupts to

processors. By default, SecurePlatform does not set Affinity to the NIC interrupts,

which means that each NIC is handled by all processors. Optimal network performanceis obtained when each NIC is individually bound to a single processor. To achieve the

above, the sim utility includes an Affinity feature, which has the following operation

modes:

proc entries

Performance Pack supports SecurePlatform proc entries. These entries are used to

display information about the Performance Pack.

The proc entries are read-only entries. They cannot be configured. The proc entries are

located under/proc/ppk

.

Usagecat /proc/ppk/[conf|ifs|statistics]

TABLE 3-2 sim Affinity operation modes

Option Explanation

-a Automatic Mode the Affinity is determined automatically, by analyzing

the load on each NIC. If the NICs are not loaded, the Affinity will not

be set. This is the default Affinity operation mode, in which the Affinity

is re-tuned every 60 seconds.

-s Manual Mode allows you to manually specify the Affinity settings. For

each interface, you will be asked to enter one of the following: A space-separated list of the processor numbers that are to handle this

interface, or

The word all, to allow all processors to handle this interface.

When setting the Affinity manually, the periodic automatic check will

be disabled. After booting, it will remain disabled and the Affinity

settings entered manually will be applied.

-l View a list of the current Affinity settings.


18/25

proc entries

18 August 2005

Parameters

TABLE 3-3 /proc Parameters


conf Displays the Performance Pack Configuration.

ifs Lists the interfaces to which Performance Pack is attached.

statistics Displays general Performance Pack statistics.


19/25

19

Appendix A

Performance Tuningand Measurement Hints

In This Appendix

Performance Tuning

SYN Defender

To obtain optimal TCP connection setup rate performance, verify that the SYN

Defender method specified in the SmartDefense is set to None (default).

Amount of Concurrent Connections and Hash Size

Setting the Maximal Concurrent Connections

To set the desired number of maximal concurrent connections, open

SmartDashboards Gateway Object Properties window and proceed as follows:

1 Open the Capacity Optimization tab. Make sure that Calculate connections hashtable size and memory pool is set to Automatically.

2 Set the desired amount of concurrent connections in the Maximum Concurrent

Connections field.

Increasing the Number of Concurrent Connections

You can increase the actual number of concurrent connections by reducing the

timeout of TCP and UDP sessions:

Performance Tuning page 19

Performance Measurement page 23


20/25

20 August 2005

TCP end timeout determines the amount of time a TCP connection will stay in

the FireWall connection table after a TCP session has ended.

UDP virtual session timeout determines the amount of time a UDP connection

will stay in the FireWall connection table after the last UDP packet was seen by thegateway.

By reducing the above values, the capacity of actual TCP and UDP connections is

increased.

Implied Rules

In order to set the optimal connection/sec rate, proceed as follows:

1 Select Global Properties from the Policy menu.

2 Select FireWall-1 in the Global Properties tree.

3 Uncheck the following options: Accept RIP

Accept Domain Name over UDP (Queries)

Accept Domain Name over TCP (Zone Transfer) Accept ICMP requests

HyperThreading

HyperThreading applies only to SecurePlatform.

HyperThreading is a feature of some Intel processors that enables emulation of two

virtual processors by a single physical processor. This feature increases the performance

under certain conditions.

Machines with Xeon processors have a BIOS option that may allow enabling or

disabling HyperThreading, under the following circumstances:

If the number of network interfaces is less than the actual physical number of

processors (i.e. two network interfaces and three processors), it is recommended to

enableHyperThreading.

If the number of network interfaces is equal to or greater than the actual physicalnumber of processors (i.e. two network interfaces and two processors), it is

recommended to disable HyperThreading.

If cryptography is used extensively, HyperThreading should be enabled.


21/25

Appendix A Performance Tuning and Measurement Hints 21

Connection Templates

General

Connection templates are generated from active connections according to the policyrules. The connection template feature accelerates the speed at which a connection is

established by matching a new connection to a set of attributes. When a new

connection matches the template, connections are established without performing a rule

match and therefore are accelerated. Connection templates are generated from active

connections according to policy rules. Currently, connection template acceleration is

performed only on connections with the same destination port.

Examples:

A connection from 10.0.0.1/2000 to 11.0.0.1/80 established through Firewall

and then accelerated.

A connection from 10.0.0.1/2001 to 11.0.0.1/80 fully accelerated (including

connection establishment).

A connection from 10.0.0.1/8000 to 11.0.0.1/80 fully accelerated (including

connection establishment).HTTP GET requests to specific server will be accelerated since the connection has the

same source IP address.

Restrictions

In general, Connections Templates will be created only for plain UDP or TCP

connections. The following restrictions apply for Connection Template generation:

Global restrictions:

SYN Defender Connection Templates for TCP connections will not be created.

NAT connections.

VPN connections.

Complex connections (H323, FTP, SQL).

NetQuotas.

ISN Spoofing.

If the Rule Base contains a rule regarding one of the following component, the

Connection Templates will be disabled for connections matching this rule, and for all of

the following rules:

Security Server connections.

Services with source port range.

Time objects in the rules.


22/25

22 August 2005

Dynamic Objects and/or Domain Objects.

Services of type other with a match expression.

User/Client/Session Authentication actions.

Services of type RPC/DCERPC/DCOM.

When installing a policy containing restricted rules, you will receive console messages

indicating that Connection Templates will not be created due to the rules that have

been defined. The warnings should be used as a recommendation that will assist you to

fine-tune your policy in order to optimize performance.

Testing

To verify that connection templates are enabled, use the fwaccel stat command. To

verify that connection templates are generated, use fwacceltemplates. This should be

done while traffic is running, in order to obtain a list of currently defined templates.

Delayed Synchronization

The synchronization mechanism guarantees High Availability. In a cluster configuration,

if one cluster member fails, the other recognizes the connection failure and takes over,so the user does not experience any connectivity issue. However, there is an overhead

per synchronized operation, which can occasionally cause a system slow-down when

there are short sessions.

Delayed synchronization is a mechanism based upon the duration of the connection,

with the duration itself used to determine whether or not to perform synchronization.

A time range can be defined per service. The time range indicates that connections

terminated before a specified expiration time will not be synchronized. As a result,

synchronized traffic is reduced and overall performance increases. Delayed

Synchronization is performed only for connections matching a connection template.

Configuration

Currently, delayed synchronization is allowed only for services of type HTTP or None.

In order to configure delayed synchronization, proceed as follows:

1 In SmartDashboard, right click on the Service tab.

2 Either edit an existing service or click New and select TCP. The TCP service

properties window is shown.

3 After defining TCP parameters, click Advanced in the TCP service properties

window. The Advanced TCP Service Properties window is shown.

4 Select the HTTP orNone protocol from the Protocol Type list.


23/25

Appendix A Performance Tuning and Measurement Hints 23

5 Check Start synchronizing.

6 Define the duration value Seconds after connection initiation. The duration value is

specified in seconds.

Performance Measurement

TCP State and Benchmarking

Certain testing applications (SmartBits or Chariot) generate invalid TCP sequences.

The VPN-1 Pro modules TCP state check detects these faulty sequences, and drops the

packets. As a result, the benchmark fails. Since these TCP sequences are invalid, theymay affect overall Firewall performance.

To disable this type of TCP state check, perform the following operations on the

SmartCenter Server:

1 Select the Smart Defense tab in the SmartDashboard.

2 Click the TCP object under Network Security.

3 In the TCP window, disable Sequence Verifier.

4 Install the Policy from SmartDashboard in order to apply the changes.


24/25

24 August 2005


25/25

25

Index

Aacceleration device status 15Affinity settings 17

CCommand Line 15

fwaccel 15Concurrent Connections

and Hash Size 19Increasing Number 19

TCP end timeout 20UDP virtual session timeout 20Connection Templates 21

Configuration 22Delayed Synchronization 22policy rules 21Restrictions 21Testing 22

cpconfig 16Command Usage 16

Ffwaccel 15, 22

Command Usage 15

HHyperThreading 20

IImplied Rules 20Installation

BIOS settings 13

Compaq ML530 DualProcessor 12

Compaq Proliant DualProcessor 12

Dell precision 530 Dual

Processor 12IBM 330, 340 & 343 Dual

Processor 12Network Interface Cards

location 13Platforms 12SunBlade 1000 12SunFire V210/V240 12SunFire V480 12Super Micro SuperServer

6022P-6 Dual Processor 12

MMaximal Concurrent

Connections 19

NNAT 9

P

Performance Measurement 23Benchmarking 23TCP State 23

Performance Tuning 19proc 17proc entries 17

Command Parameters 18

RRecommended Platforms 12

Ssim 16SIM Affinity

Automatic Mode 17Manual Mode 17

SYN Defender 19System Requirements

CPU 11Disk Space 11Memory 11Minimum 11Network Interfaces 12Operating Systems 11

TTCP end timeout 20TCP State and Benchmarking 23

UUDP virtual session timeout 20

XXeon processors 20

Checkpoint NGX Performance Pack User Guide

Documents

Transcript of Checkpoint NGX Performance Pack User Guide