I've several Checkpoint firewalls running on the following boxes:
Sun 220R with 512 Mbyte RAM, 9 Gb HD, 1 quad FE, Solaris 8 64 bit
All the systems are running with stonebeat fullcluster 3.0 in hot-standby configuration and Checkpoint NG AI R55.
During high traffic conditions I found that they can reach a maximum bandwidth of 40 mbps before the CPU goes to 100% (obviously in that condition a failover would result in a complete crash of both systems). During some tests I've reached a limit of 75 mbps with a couple of http downloads (so not a lot of simultaneous sessions but a pure bandwidth limit due to massive file transfer).
No, this isn't typical behaviour. I've run on the same hardware myself with no such problems in the past. There's a lot of details lacking, but consider some of the following:
- Do you have many or most of the Solaris services running? (e.g. much of rc3.d starting up? and/or the inetd.conf services?)
- Do a 'top' and see which processes are taking the lion's share of the processor. You can get top (if you don't already have it) at sunfreeware.com
- Do you have a lot of the 'SmartDefense' protections enabled? Open your SmartConsole (the GUI) and click the SmartDefense tab. Look to see what is, and isn't, checked. If many of those are checked, you can tune some of this down, particularly 'TCP Fingerprint Scrambling' and 'Header spoofing,' if applicable.
- There's a few kernel tweaks you can do, but they tend to have more to do with memory use...
Well, running Check Point on a Sun box was a 'choice,' as Check Point is OEM'ed on several 'appliance' solutions (e.g. Crossbeam, Nokia) that don't require separate patch trains for OS and Firewall application, and if one runs Check Point on 'SPLAT' (short for SecurePlatform) it too is patched as an appliance, rather than a 'separate' OS.
I myself would prefer a firewall with a dominant marketshare (as there's likely to be a reason for that dominance) rather than a niche player with limited scalability, and which is essentially packaged *freeware* like a Sidewinder. If I'm going to pay money, it's sure not going to be for something that should be free...
First off, Check Point is EAL4 'augmented' Medium Robustness (aka 'PP') as well, albeit the latest version is 'in-process' (which is understandable since the process can take a bit and they just released this mid '05); take another look at NIAP's site. Not that certifications from a government agency should mean something to a user in and of themselves.
As for your question, I think it misses the point entirely. There's probably a reason Sidewinders aren't trusted as pervasively across the industry: because they're niche, they're an 'also-ran', and they haven't done anything innovative as a company. Check Point brought stateful inspection to market(!!), and they were first to market with 'deep inspection'. That's the point: they innovate, and others play 'catch-up' and merely drop the price because it took no R&D on their part. Security isn't a product, much less a cloned one; it's a process and requires people to *think* about security and develop countermeasures, not say 'me too'.
I've checked my firewall configurations and the SmartDefense settings are stripped to the core. There are also few services running on the box, so it doesn't seem to be a problem related to the number of active processes.
I've tested the box with a simple http transfer of a big file from an http server. Actually HTTP connections are enabled at the 1st rule and the firewall has less than 10 active sessions. Immediately after starting the transfer the CPU load goes up to 100% while the transfer settles at an 8 mbytes/s transfer rate. If I try to start other transfers as well I get only up to 9 mbytes/s of aggregate bandwidth. I've also checked the NIC status and they are all configured at 100 mbit Full Duplex.
Here is the result from the Stonebeat Fullcluster command line and vmstat.
Gosh, that is odd. The good news is that it's probably not SmartDefense! ... You didn't configure http with a 'resource', did you? (e.g. in the services field in the rulebase it just says http instead of 'http->somename')
I suspect a couple of things here. One is that there could be a hotfix available for this symptomology; check out SecureKnowledge and do a search. Are you on R55 (or 'W') or R54?
The other thing is that, prior to NGX (R60), much of the http inspection was done by the http security server (and thus was user mode), instead of in the kernel. An upgrade might fix this if there's no hotfix (though I suspect there is), but you'd have to consider that it would most likely require a Solaris upgrade :(
Let me know what happens with 'top' and we'll take it to the next step with testing some solaris kernel variables.
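The reply above suggests using 'top' to tell whether the CPU is being burned in user mode (the http security server, fw daemons) or in the kernel (the firewall kernel module, interrupts). The same distinction can be read off the `us`/`sy`/`id` columns of the vmstat output the original poster mentions. The helper below is an added example, not code from the thread or from Check Point or Sun; it assumes the Solaris 8 vmstat layout (the last three columns are us, sy, id, the first data line is the since-boot average) and the 80% "saturated" threshold is a value chosen here for illustration. The sample vmstat lines are constructed, not the poster's real output.

```sh
#!/bin/sh
# Added example (hypothetical helper, not from the thread): summarise
# `vmstat <interval>` output and say whether the CPU time is going to
# user land (e.g. the HTTP security server) or to the kernel (fw kernel
# module / interrupt handling). Assumes Solaris vmstat column order,
# where the last three columns are us sy id.
#
# Usage on the firewall:  vmstat 5 12 | classify_vmstat
classify_vmstat() {
    awk '
    # Keep only lines whose last three fields are numeric (us sy id);
    # this drops the two header lines.
    $NF ~ /^[0-9]+$/ && $(NF-1) ~ /^[0-9]+$/ && $(NF-2) ~ /^[0-9]+$/ {
        n++
        # The first data line vmstat prints is the since-boot average,
        # not a live sample, so it is skipped.
        if (n == 1) next
        us += $(NF-2); sy += $(NF-1); id += $NF; k++
    }
    END {
        if (k == 0) { print "no samples"; exit 1 }
        us /= k; sy /= k; id /= k
        busy = us + sy
        # 80% is an illustrative threshold chosen for this example.
        if (busy < 80)      verdict = "cpu not saturated"
        else if (sy > us)   verdict = "saturated: kernel-mode bound"
        else                verdict = "saturated: user-mode bound"
        printf "samples=%d us=%.0f sy=%.0f id=%.0f %s\n", k, us, sy, id, verdict
    }'
}

# Constructed sample in the Solaris 8 vmstat format (not real output from
# the poster's box): a since-boot line followed by two saturated samples.
sample_vmstat() {
    printf ' procs     memory            page            disk          faults      cpu\n'
    printf ' r b w   swap  free  re  mf pi po fr de sr s0 s1 s2 s3   in   sy   cs us sy id\n'
    printf ' 0 0 0 1234567 234567  0  12  0  0  0  0  0  0  0  0  0  412  523  234  4  3 93\n'
    printf ' 3 0 0 1234567 234567  0  12  0  0  0  0  0  0  0  0  0 9812 1523 2234 12 88  0\n'
    printf ' 4 0 0 1234567 234567  0  12  0  0  0  0  0  0  0  0  0 9912 1623 2334 14 86  0\n'
}

# Run against the constructed sample when executed directly.
sample_vmstat | classify_vmstat
```

If the verdict comes back kernel-mode bound while a plain http rule (no resource) is in place, the user-mode security-server explanation from the reply above does not fit and the next place to look is the kernel module and the kernel variables the reply mentions; a user-mode verdict points at the daemons that 'top' will name.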
I will give it a try. I've also found this paper on the Checkpoint site:
I've tested some settings but got no result.
Be sure not to change that autoup setting, friend! You're running Stonebeat, and the autoup kernel var isn't supported in situations where you're using a 3rd party HA.
Also, have you tried breaking the HA pair and renaming stonebeat's startup script so it doesn't start, and just try running a single firewall with no stonebeat, to see if it's the CP itself, or the stonebeat HA?
I have to ask, because I've had such bad experiences with Stonebeat in the past on solaris.