156-315.81.20 Performance Tuning

Detailed list of 156-315.81.20 knowledge points

Performance Tuning Detailed Explanation

This guide provides a detailed explanation of Performance Tuning, focusing on SecureXL, CoreXL, advanced routing, QoS, and resource management.

Key Objective 1: SecureXL and CoreXL Optimization

What is SecureXL?

SecureXL is Check Point's traffic acceleration layer. Eligible packets are handled in a streamlined "fast path" on the Secure Network Distributor (SND) cores instead of passing through the full Firewall inspection path on every packet, which lowers per-packet CPU cost and raises throughput. It is a software mechanism built into Gaia; no acceleration card is required.

Understanding SecureXL Acceleration

  1. Purpose of SecureXL:

    • Accelerates eligible traffic flows, reducing latency and increasing throughput.
    • Handles "fast-path" traffic (packets of connections SecureXL already knows), while packets that need full inspection are forwarded to a Firewall instance on the "slow path" (F2F, Forward to Firewall).
  2. How SecureXL Works:

    • SecureXL runs on the SND cores. Once a connection has an entry in the SecureXL connection table, its further packets are forwarded without entering the Firewall Worker instances; the CPU is still used, but far less per packet.
    • New connections can also be opened on the fast path when they match an accept template, which SecureXL creates from the rule that accepted an earlier connection with the same source, destination and service pattern.
    • Examples of accelerated traffic:
      • Subsequent packets of an accepted TCP or UDP connection after its first packets have been inspected.
      • HTTPS sessions that are not subject to HTTPS Inspection.
  3. Enabling SecureXL:

    • SecureXL is enabled by default on Check Point gateways.
    • Verify using the command: fwaccel stat.
      • Output shows whether SecureXL is on, which accelerator features are active, and whether accept templates are enabled or disabled from a given rule number.
    • fwaccel stats -s shows the summary: accelerated versus total connections and packets, and the share of packets forwarded to the Firewall (F2F).
  4. Troubleshooting SecureXL:

    • Use fwaccel stats for the full counters and fwaccel stats -s for the summary.
    • A large F2F share means traffic is taking the slow path. Check whether a rule disables templates (reported by fwaccel stat) and which Software Blades inspect the traffic; fwaccel conns lists connections with their acceleration flags.
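The check in step 4 can be scripted so it runs from cron and alerts when too much traffic leaves the fast path. The script below is an added example, not part of this guide or of Check Point's tooling: it parses the summary lines of fwaccel stats -s (the line format is reproduced from memory of the R80.20+/R81 output, so verify the labels against your gateway) and computes the slow-path share from the raw counters rather than the truncated percentage in parentheses. The sample output and its counters are constructed.

```shell
#!/bin/sh
# Added example (not from the study guide or Check Point): measure how much
# traffic is leaving the SecureXL fast path, from "fwaccel stats -s" output.
# Live use on a gateway (expert mode):   fwaccel stats -s | securexl_verdict 20
# The sample below is CONSTRUCTED to resemble the R80.20+/R81 summary format;
# the counters are made up.
SAMPLE_FWACCEL_STATS='Accelerated conns/Total conns : 1005/1055 (95%)
Accelerated pkts/Total pkts   : 153434/163434 (93%)
F2Fed pkts/Total pkts   : 9500/163434 (5%)
F2V pkts/Total pkts   : 500/163434 (0%)
CPASXL pkts/Total pkts   : 0/163434 (0%)
PSLXL pkts/Total pkts   : 0/163434 (0%)
QOS inbound pkts/Total pkts   : 0/163434 (0%)
QOS outbound pkts/Total pkts   : 0/163434 (0%)
Corrected pkts/Total pkts   : 0/163434 (0%)'

# counter_pair <label>: read fwaccel output on stdin and print "<count> <total>"
# for the line that starts with <label>, e.g. "F2Fed pkts" -> "9500 163434".
counter_pair() {
    awk -v label="$1" '
        index($0, label) == 1 {
            split($0, parts, ":")        # parts[2] = " 9500/163434 (5%)"
            split(parts[2], frac, "/")   # frac[1] = " 9500", frac[2] = "163434 (5%)"
            num = frac[1]; gsub(/[^0-9]/, "", num)
            den = frac[2]; sub(/ .*/, "", den); gsub(/[^0-9]/, "", den)
            print num, den
            exit
        }'
}

# pct_of <label>: share for <label> as an integer percentage, rounded from the
# raw counters (the value in parentheses in the tool output is truncated, so a
# 5.8% slow-path share is shown there as 5%).  Exit 2 if the label is absent.
pct_of() {
    label=$1
    set -- $(counter_pair "$label")
    [ -n "$2" ] && [ "$2" -gt 0 ] || { echo "no '$label' counter found" >&2; return 2; }
    echo $(( ($1 * 100 + $2 / 2) / $2 ))
}

# securexl_verdict <max_f2f_percent>: read "fwaccel stats -s" on stdin; exit 0
# if the slow-path (F2F) packet share is within the limit, 1 if it exceeds it,
# so the function can gate an alert in a cron job or a monitoring check.
securexl_verdict() {
    limit=${1:-20}
    input=$(cat)
    f2f=$(printf '%s\n' "$input" | pct_of "F2Fed pkts") || return 2
    conns=$(printf '%s\n' "$input" | pct_of "Accelerated conns") || return 2
    if [ "$f2f" -gt "$limit" ]; then
        echo "WARN: ${f2f}% of packets forwarded to the Firewall (F2F) exceeds ${limit}%; ${conns}% of connections accelerated"
        return 1
    fi
    echo "OK: ${f2f}% of packets F2F, ${conns}% of connections accelerated"
}

# Stand-alone demo against the constructed sample.
printf '%s\n' "$SAMPLE_FWACCEL_STATS" | securexl_verdict 20
```

The threshold is deliberately a parameter: a gateway running Threat Prevention on most traffic legitimately shows a much higher F2F share than a plain firewall, so the baseline has to be taken per gateway before an alert level is chosen.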

What is CoreXL?

CoreXL makes use of multi-core CPUs by running several Firewall kernel instances in parallel, each on its own core, so that inspection of different connections happens concurrently.

Configuring CoreXL for Multi-Core Optimization

  1. Purpose of CoreXL:

    • Prevents a single core from becoming the bottleneck by distributing connections across multiple Firewall instances.
    • Cores are split into two roles: SND cores (interface handling, SecureXL and distribution of connections to instances) and Firewall Worker cores (fw_worker_N), each running one Firewall instance.
  2. Steps to Enable CoreXL:

    • Check the current core assignment with fw ctl affinity -l -r and the running instances with fw ctl multik stat.
    • Enable CoreXL, or change the number of Firewall instances, via cpconfig (it is enabled by default on multi-core gateways).
    • Reboot the gateway for the change to take effect.
  3. Optimizing CoreXL:

    • Adjust the split between SND cores and Firewall Worker cores to match the traffic: more SND cores when most traffic is accelerated by SecureXL, more Worker cores when most traffic needs deep inspection (Threat Prevention, HTTPS Inspection).
    • Monitor per-core utilization with cpview or top, and per-instance connection counts with fw ctl multik stat.
  4. Testing CoreXL Configuration:

    • Generate load and observe per-core usage with top (press 1 for the per-core view) or cpview.
    • Ensure connections are spread across the instances; a persistently overloaded or starved instance points to a few heavy flows or a poor SND/Worker split.

Key Objective 2: Advanced Routing Optimization

Fine-Tuning OSPF and BGP Configurations

  1. Optimizing OSPF:

    • Divide the network into OSPF areas to keep the link-state database and routing table small and to speed up convergence.
    • Adjust OSPF timers:
      • Decrease hello and dead intervals for faster failure detection; the values must match on both ends of each link, and very low values add CPU load and can cause flapping.
    • Set interface costs so the intended paths are preferred; OSPF priority only influences DR/BDR election, not path selection.
  2. Optimizing BGP:

    • Apply route filters (inbound and outbound) to limit unnecessary prefixes.
    • Use AS-path prepending or MED (Multi-Exit Discriminator) to influence how neighbors route traffic inbound to you, and local preference to control which exit is used for outbound traffic.
    • Enable route aggregation to reduce the number of advertised prefixes and the routing table size.

Configuring Policy-Based Routing (PBR) for Critical Applications

  1. What is Policy-Based Routing?

    • PBR routes traffic based on attributes such as source, destination, incoming interface or service, instead of the destination address alone; PBR rules are consulted before the regular routing table.
  2. Steps to Configure PBR:

    • In Gaia Portal (Advanced Routing > Policy Based Routing) or in clish, create a PBR table that holds the route (for example a default route) pointing at the desired next hop.
    • Create a PBR rule with a priority (a lower number is evaluated first):
      • Match criteria: source, destination, interface or service.
      • Action: send the matching traffic to the PBR table, i.e. through its next-hop gateway.
    • Traffic that matches no PBR rule falls through to the main routing table.
  3. Example Use Case:

    • Route video conferencing traffic through a high-bandwidth link while sending less critical traffic through a secondary link.

Key Objective 3: Traffic Shaping and QoS

Implementing Quality of Service (QoS) to Prioritize Traffic

  1. What is QoS?

    • QoS prioritizes critical traffic, ensuring that high-priority services like VoIP or video conferencing are not affected by lower-priority traffic.
  2. How to Configure QoS:

    • Enable the QoS blade on the gateway object in SmartConsole and define rules in the QoS policy.
    • Define bandwidth guarantees and limits for specific traffic types:
      • Example: Guarantee 10 Mbps for VoIP.
  3. Testing QoS:

    • Saturate the link with bulk traffic (for example with iperf3) and verify that priority traffic such as VoIP keeps its guaranteed bandwidth and low latency.

Configuring Bandwidth Limits for Non-Essential Traffic

  1. Steps to Limit Bandwidth:

    • Create a QoS policy for non-essential traffic (e.g., social media or streaming).
    • Assign a bandwidth cap:
      • Example: Limit Facebook traffic to 2 Mbps.
  2. Benefits:

    • Frees up bandwidth for critical business applications.
    • Prevents non-business traffic from overwhelming the network.

Key Objective 4: Gateway Resource Management

Monitoring CPU, Memory, and Disk Usage

  1. Tools for Monitoring:

    • Use SmartConsole (gateway Monitoring view) or SmartView Monitor to watch gateway resource usage in real time.
    • CLI Commands:
      • cpview for an aggregated view of CPU per core, memory, connections and blade statistics; top for CPU and memory (htop is not part of Gaia).
      • df -h for disk space; on gateways the log partition is the one that usually fills up.
  2. Identifying Bottlenecks:

    • High CPU usage: Check which cores are busy (SND versus Firewall Workers), how much traffic is on the slow path, and whether CoreXL is properly configured.
    • Memory issues: Check for a connections table near its limit, memory-hungry processes, or misconfigured logging.
    • Disk issues: Rotate logs, forward them off-box, or increase the log partition.

Resolving Resource Bottlenecks

  1. CPU Bottlenecks:

    • Confirm SecureXL is on and that accept templates are not disabled by an early rule, so that eligible traffic stays on the fast path.
    • Redistribute cores between the SND and Firewall Worker roles using CoreXL.
  2. Memory Bottlenecks:

    • Review the connections table size and peak using fw tab -t connections -s.
    • Optimize policies to reduce rule complexity.
  3. Disk Bottlenecks:

    • Enable log rotation to archive old logs.
    • Forward logs to a dedicated Log Server to free up space on the gateway.

Advanced Considerations

Ensuring Smooth Performance During Peak Traffic Times

  1. Scaling:

    • Add gateways to distribute traffic.
    • Use ClusterXL for high availability (High Availability mode) or to share load across members (Load Sharing mode).
  2. Traffic Prioritization:

    • Configure QoS to ensure critical applications remain unaffected during spikes.

Configuring Load Balancing for Distributed Environments

  1. What is Load Balancing?

    • Distributes traffic across multiple gateways or links to prevent bottlenecks.
  2. How to Configure:

    • Use ClusterXL in Load Sharing mode (Multicast or Unicast), so that all members process traffic.
    • Enable link aggregation (bond interfaces) for gateway interfaces.
  3. Testing Load Balancing:

    • Generate traffic from multiple clients and verify with cphaprob stat and cpview on each member that connections are spread across the members.

Performance Tuning (Additional Content)

Key Objective 1: SecureXL and CoreXL Optimization

What Traffic is Not Accelerated by SecureXL?

While SecureXL accelerates most traffic via the "fast path," some traffic is forwarded to a Firewall instance (F2F, the slow path), which runs the full inspection path:

  • Traffic subject to HTTPS Inspection, which must be decrypted and re-encrypted by the gateway.
  • Application Layer inspections:
    • IPS protections requiring full context inspection.
    • Deep content scanning such as Anti-Virus or Anti-Bot.
  • First packets of new connections when no accept template exists (for example when templates are disabled from a rule number onward), so the packet has to be matched against the rulebase.
  • VoIP and other protocols whose control channels open dynamic ports, depending on the protocol inspection configured.

Exam Tip: You may be asked which of the following cannot be accelerated by SecureXL; the correct choices will usually involve HTTPS Inspection, Threat Prevention, or IPS signatures that require payload parsing.

VPN Acceleration with SecureXL
  • IPsec VPN encryption and decryption is accelerated by SecureXL on the SND cores by default; only tunnels that use algorithms or features SecureXL does not support are handled by the Firewall instances.
  • To verify:
    • fwaccel stat lists the active accelerator features, including VPN.
    • vpn accel stat shows whether VPN acceleration is on; vpn accel off turns it off for troubleshooting and vpn accel on restores it.

In the exam, you may encounter a question like: "Why is VPN traffic not being accelerated by SecureXL?" Correct answer: VPN acceleration has been disabled (vpn accel off), or the tunnel uses an algorithm or feature that SecureXL does not support.

Key Objective 2: Advanced Routing Optimization

Policy-Based Routing (PBR) Limitations
  • PBR matches only on pre-NAT attributes, such as:
    • Source IP
    • Destination IP
    • Service
  • PBR cannot match on post-NAT addresses or ports.
  • This often appears in trap questions where you are given NAT rules and PBR conflicts.
PBR vs. Traditional Routing – Quick Comparison
  • Matching criteria: traditional routing uses the destination IP only; PBR matches on source, destination, interface and service.
  • NAT compatibility: traditional routing is unaffected by NAT; PBR matches pre-NAT attributes only.
  • Use case: traditional routing for general routing decisions; PBR for application- or source-specific routing.
  • Flexibility: traditional routing is simpler; PBR is more flexible but adds complexity.
  • Configuration location: static routes and PBR are both configured in Gaia Portal or clish (PBR under Advanced Routing > Policy Based Routing), not in SmartConsole.

Key Objective 3: Traffic Shaping and QoS

QoS is Priority Queueing, Not Just Bandwidth Capping

Check Point QoS uses weighted fair queuing with per-rule guarantees and limits, which gives more granular control than a plain bandwidth cap:

  • Each QoS rule has a weight; available bandwidth is shared between rules in proportion to their weights, and Low Latency classes can be used for delay-sensitive traffic such as VoIP.
  • You can assign:
    • Guaranteed bandwidth
    • Maximum bandwidth (limit)
    • Weight, i.e. relative priority (e.g., VoIP = high weight, social media = low weight)

Tip: QoS does not simply throttle traffic; it shares the available bandwidth according to the rules' weights and only enforces a hard cap where a limit is configured.

Performance Overhead of QoS Policies
  • More complex match conditions (e.g., matching applications + user + service) increase processing time.
  • Always monitor CPU impact when applying granular QoS rules across high-traffic interfaces.

Key Objective 4: Gateway Resource Management

Example: Log Server Crash Due to Disk Issues

One real-world scenario:

  • The Log Server stops receiving logs.
  • Investigation reveals:
    • Disk is full due to lack of log rotation.
    • No alert was configured for disk usage.

Solution:

  • Enable automatic log rotation (log switch by size or schedule) and forward logs to a dedicated Log Server or external collector.
  • Configure an alert on disk usage, and check df -h or the SmartConsole system view regularly.
SmartConsole Resource Monitoring: Key Metrics to Watch
  • CPU Idle < 10%: System under stress; may lead to dropped connections or high latency.
  • Memory Usage > 85%: Could lead to swapping, policy installation failures, or daemon crashes.
  • Log Queue Size: Indicates a backlog towards the Log Server or disk performance issues.
  • Number of Concurrent Connections: fw tab -t connections -s shows the current (#VALS) and peak (#PEAK) entries; compare them with the table limit shown in the header of fw tab -t connections.
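The disk-full scenario above happened because nothing was watching the log partition. The script below is an added example, not part of this guide or of Check Point's tooling: it checks df -P output against a usage threshold and the connections table (from fw tab -t connections -s) against its limit, and returns a non-zero status so it can drive an alert from cron. Both sample outputs are constructed, the device names and counters are made up, and the 25000 connections limit is an assumed value (on a real gateway take it from the header of fw tab -t connections).

```shell
#!/bin/sh
# Added example (not from the study guide or Check Point): disk-usage and
# connections-table checks that can run from cron on a gateway or Log Server.
# Live use:   df -P | disk_over 85
#             fw tab -t connections -s | conns_utilization 25000
# Both samples are CONSTRUCTED; the numbers, device names and the 25000
# connections limit are made up.
SAMPLE_DF='Filesystem                       1024-blocks      Used Available Capacity Mounted on
/dev/mapper/vg_splat-lv_current     31580528  12311000  17665000      42% /
/dev/mapper/vg_splat-lv_log        104856000  97516000   7340000      93% /var/log
/dev/sda1                             296565     56360    224891      21% /boot'

SAMPLE_FW_TAB='HOST                  NAME                               ID #VALS #PEAK #SLINKS
localhost             connections                      8158 21500 24780  64500'

# disk_over <threshold_percent>: read "df -P" output (POSIX format, one line per
# filesystem, so the columns are stable) and print "<mount> <used%>" for every
# filesystem at or above the threshold.  Exit 1 if any were printed.
disk_over() {
    awk -v thr="${1:-85}" '
        NR > 1 {
            pct = $5; sub(/%/, "", pct)
            if (pct + 0 >= thr) { print $6, pct "%"; n++ }
        }
        END { exit (n > 0) }'
}

# conns_utilization <limit>: read "fw tab -t connections -s" output and print
# the current number of entries (#VALS) as a rounded percentage of <limit>.
# Exit 2 if the connections table line is missing.
conns_utilization() {
    awk -v limit="$1" '
        $2 == "connections" && $4 ~ /^[0-9]+$/ {
            printf "%d\n", ($4 * 100 + limit / 2) / limit
            found = 1; exit
        }
        END { if (!found) { print "no connections table line found" > "/dev/stderr"; exit 2 } }'
}

# gateway_health <df_output> <fwtab_output> [disk_thr] [conn_limit] [conn_thr]:
# run both checks, print findings, return 1 if anything needs attention.
gateway_health() {
    df_out=$1; tab_out=$2; disk_thr=${3:-85}; conn_limit=${4:-25000}; conn_thr=${5:-80}
    rc=0
    over=$(printf '%s\n' "$df_out" | disk_over "$disk_thr") || {
        rc=1
        printf '%s\n' "$over" | while read -r mnt pct; do
            echo "WARN: $mnt is $pct full (threshold ${disk_thr}%)"
        done
    }
    util=$(printf '%s\n' "$tab_out" | conns_utilization "$conn_limit") || return 2
    if [ "$util" -ge "$conn_thr" ]; then
        echo "WARN: connections table at ${util}% of limit ${conn_limit}"
        rc=1
    else
        echo "OK: connections table at ${util}% of limit ${conn_limit}"
    fi
    return $rc
}

# Stand-alone demo against the constructed samples: both checks fire.
gateway_health "$SAMPLE_DF" "$SAMPLE_FW_TAB" 85 25000 80 || echo "attention needed (exit $?)"
```

df -P is used instead of df -h on purpose: the POSIX format never wraps a long device name onto a second line, so the column positions the script relies on stay fixed.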

Advanced Considerations

Link Aggregation (LAG) Uses LACP (802.3ad)
  • Check Point supports LACP-based link aggregation (bond interfaces in Gaia), used for:
    • Redundant links that survive a single cable or switch-port failure.
    • Load-sharing outbound traffic across the member links.
  • The switch-side port channel must be configured for LACP; a static bond against an LACP port channel (or vice versa) will not come up.

CLI commands to verify:
cphaprob -a if (on a cluster member: interface and bond state as seen by ClusterXL)
cphaprob show_bond (on a cluster member: bond members and their link state)
cat /proc/net/bonding/bond0 (Linux bonding driver status: mode, LACP partner, per-slave link state)

Testing Load Balancing with iPerf
  • iPerf3 is commonly used to generate high traffic loads. It is not part of Gaia: run the server and client on hosts on opposite sides of the gateway or cluster so the streams cross it.
  • Run multiple parallel streams to test:
    • Load distribution across interfaces or gateways (use several source/destination pairs, since distribution is per flow).
    • Effectiveness of ClusterXL Load Sharing.

Example command:

iperf3 -c <target-IP> -P 20

This opens 20 parallel connections to the iperf3 server (started with iperf3 -s on the target).

Summary of Key Enhancements

  • SecureXL limitations: HTTPS-inspected and content-inspected traffic falls to the slow path.
  • VPN acceleration: on by default for supported algorithms; check with fwaccel stat and vpn accel stat.
  • PBR limitations: only matches pre-NAT traffic.
  • PBR vs. routing table: PBR = granular, pre-NAT, service-aware; routing = destination-only.
  • QoS architecture: weighted fair queuing with guarantees and limits, not a simple bandwidth cap.
  • QoS policy complexity: more match conditions = more processing overhead.
  • Disk space example: log crash due to full disk; solved by log rotation and a disk usage alert.
  • SmartConsole alerts: CPU idle < 10%, high RAM, or log queue backlog are indicators of degradation.
  • Link aggregation: LACP (802.3ad) support; requires matching switch configuration.
  • Load testing tools: iPerf3 used to generate load and verify load balancing.

Frequently Asked Questions

What roles do SecureXL and CoreXL play in improving Check Point firewall performance?

Answer:

SecureXL accelerates packet processing, while CoreXL distributes firewall inspection across multiple CPU cores.

Explanation:

SecureXL improves performance by accelerating packet handling through fast-path processing. When traffic meets specific conditions, SecureXL bypasses portions of the inspection engine, allowing packets to be processed more quickly. CoreXL, on the other hand, improves performance by distributing firewall inspection tasks across multiple CPU cores. Instead of relying on a single processing core, CoreXL enables parallel packet inspection across several firewall instances. Together, these technologies significantly increase throughput and reduce CPU bottlenecks. SecureXL handles acceleration for eligible traffic flows, while CoreXL ensures workload distribution for packets requiring deeper inspection. Proper tuning of both technologies is essential for maintaining high firewall performance in enterprise deployments.

Demand Score: 92

Exam Relevance Score: 90

Why might a firewall show high CPU utilization even when network throughput appears low?

Answer:

Traffic may be processed in the slow path instead of accelerated by SecureXL.

Explanation:

When SecureXL acceleration cannot be applied, packets must be processed through the firewall's full inspection path, which requires more CPU resources. Certain traffic types, such as HTTPS-inspected sessions, traffic handled by Threat Prevention, or protocols with no accept template, bypass SecureXL acceleration. As a result, even relatively small traffic volumes can generate significant CPU load because every packet undergoes deep inspection processing. Administrators verify acceleration status with fwaccel stat and fwaccel stats -s to determine whether flows are being handled in the fast path or slow path. Identifying which traffic types are bypassing acceleration helps determine whether configuration changes or architectural adjustments are needed to optimize performance.

Demand Score: 88

Exam Relevance Score: 88

What operational check helps verify whether CoreXL is properly distributing traffic across firewall cores?

Answer:

Monitoring the distribution of connections and packets across CoreXL instances.

Explanation:

CoreXL enables parallel processing by running multiple firewall instances across available CPU cores. For optimal performance, traffic should be distributed relatively evenly across these instances. Administrators typically examine runtime statistics that display packet counts and connection handling per core. If one core handles a disproportionate amount of traffic while others remain underutilized, the system may suffer from performance bottlenecks. Uneven distribution can occur due to configuration limitations, hardware constraints, or connection hashing patterns. Regular monitoring of core utilization allows administrators to identify imbalances and adjust system parameters or hardware configurations to improve load distribution.

Demand Score: 84

Exam Relevance Score: 86

Why is it important to evaluate acceleration templates when troubleshooting firewall performance?

Answer:

Acceleration templates determine whether new connections can be fast-path accelerated.

Explanation:

Acceleration templates are used by SecureXL to quickly classify traffic flows that can bypass deeper inspection after initial validation. When a template is created for a specific traffic pattern, subsequent packets belonging to similar flows can be processed in the fast path without repeating full inspection. If templates are not created or are frequently invalidated, many packets may continue to use the slow path. Administrators often review template statistics to determine whether acceleration is being effectively applied. A lack of templates or frequent template deletion may indicate policy complexity or inspection features preventing acceleration.

Demand Score: 80

Exam Relevance Score: 85

What performance consideration should administrators evaluate when enabling deep inspection security features?

Answer:

Deep inspection features increase CPU processing requirements.

Explanation:

Security features such as Threat Prevention, application inspection, and advanced content analysis require additional packet inspection stages. While these protections enhance security visibility, they also increase the computational workload on the firewall. Each packet may undergo multiple inspection engines before the final action is determined. If the gateway hardware lacks sufficient CPU resources, enabling numerous inspection features simultaneously may reduce throughput or increase latency. Administrators must balance security requirements with available hardware capacity. Performance monitoring and staged feature deployment help ensure that security enforcement does not exceed the processing capabilities of the firewall infrastructure.

Demand Score: 78

Exam Relevance Score: 84
