Performance scaling, ClusterXL and CoreXL configurations

Transcript

Performance scaling, ClusterXL, SecureXL and CoreXL configurations
J. Prokop
Check Point
©2009 Check Point Software Technologies Ltd. All rights reserved.
[Unrestricted]—For everyone

Software performance scaling
Three products in the "XL" category:
• ClusterXL: joining appliances into clusters
– ClusterXL LS for VPN-1 and Connectra
– ClusterXL VSLS for VSX VSLS
– Nokia IP Clustering, Crossbeam X80, etc.
• SecureXL (Accelerated Path)
– Hardware: (Nokia) ADP
– Software:
» Performance Pack (SecurePlatform, Crossbeam XOS)
» IPSO SecureXL implementation ("fastpath", SecureXL)
• CoreXL: multi-core implementation of the Firewall Path / Medium Path

ClusterXL
Goals of clustering appliances:
• Increased reliability
• Increased performance

ClusterXL
Problems that clustering has to solve:
- Network (MAC and IP addresses)
- Synchronization (asymmetric packet routing, short-lived sessions, ways of sharing sessions between nodes)

ClusterXL with a limited number of IP addresses

Accelerated Path (without a "template")
[Diagram: packets from eth0 and eth1 enter Performance Pack and the Secure Dispatcher on Core #0 and Core #1; from there they are queued to the Medium Path / FW Path instances on Core #4 and the remaining cores. Flows shown: Syn; SynAck + subsequent S2C packets; Subsequent C2S packets.]

Accelerated Path (with a "template")
[Diagram: same layout as the previous slide (eth0/eth1, Performance Pack and Secure Dispatcher on Core #0 and Core #1, Medium Path / FW Path queues on Core #4 and the remaining cores). Flows shown: Syn + subsequent C2S packets; SynAck + subsequent S2C packets.]

Medium Path: IPS traffic
[Diagram: same layout as the previous slides (eth0/eth1, Performance Pack and Secure Dispatcher on Core #0 and Core #1, Medium Path / FW Path queues on Core #4 and the remaining cores). Flows shown: Syn + subsequent C2S packets; SynAck + subsequent S2C packets.]

Monitoring CoreXL
The hash function that distributes sessions among the instances (cores) uses:
• Source IP address
• Destination IP address
• Destination TCP/UDP port
• IP protocol number
VoIP and IPSec: always on instance "0"!
Note that the source port is not part of the key:
• a conservative function that spreads sessions poorly
• if a group of clients sits behind an address translator and talks to a single server, all of them will be processed on the same core.

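As an added illustration of the distribution rule above (this is not Check Point's code: the actual CoreXL hash is not given on the slide, so a SHA-256 of the key tuple is used as a constructed stand-in, and ESP/AH plus the SIP and H.323 signalling ports are assumed as the IPsec/VoIP markers), the following Python simulates what the slide warns about: 200 clients behind one NAT address talking to one server all land on a single instance. For comparison it also evaluates a hypothetical key that includes the source port, which is not what the slide describes.

```python
"""Simulation of CoreXL-style session distribution across firewall instances.

Added example, not Check Point's code.  The real CoreXL hash is not on the
slide, so a SHA-256 of the key (constructed stand-in) is used.  What the
slide does state is reproduced: the key is (source IP, destination IP,
destination port, IP protocol) with no source port, and VoIP / IPsec
traffic always goes to instance 0.
"""
import hashlib
from collections import Counter

ESP, AH = 50, 51            # IPsec protocol numbers
VOIP_PORTS = {5060, 1720}   # SIP and H.323 signalling (assumed VoIP markers)


def select_instance(src_ip, dst_ip, dst_port, proto, n_instances, src_port=None):
    """Return the fw instance index for a flow.

    With src_port=None the key matches the slide (no source port).  Passing
    a source port is a hypothetical variant used only to show how much
    better a key that includes it would spread NAT'd clients.
    """
    if proto in (ESP, AH) or dst_port in VOIP_PORTS:
        return 0                                   # slide: always instance "0"
    key = f"{src_ip}|{dst_ip}|{dst_port}|{proto}"
    if src_port is not None:
        key += f"|{src_port}"
    digest = hashlib.sha256(key.encode()).digest()  # stand-in for the real hash
    return int.from_bytes(digest[:4], "big") % n_instances


def distribution(flows, n_instances, use_src_port=False):
    """Count how many of the given flows land on each instance."""
    counts = Counter()
    for f in flows:
        inst = select_instance(f["src_ip"], f["dst_ip"], f["dst_port"], f["proto"],
                               n_instances, f["src_port"] if use_src_port else None)
        counts[inst] += 1
    return counts


def nat_clients_to_one_server(n_clients):
    """Constructed sample: n clients behind one NAT address, one HTTPS server."""
    return [{"src_ip": "203.0.113.7", "src_port": 40000 + i,
             "dst_ip": "198.51.100.10", "dst_port": 443, "proto": 6}
            for i in range(n_clients)]


if __name__ == "__main__":
    flows = nat_clients_to_one_server(200)
    print("slide key (no src port):", distribution(flows, 4))
    print("key incl. src port     :", distribution(flows, 4, use_src_port=True))
```

With the slide's key every NAT'd client hashes to the same instance, which is exactly the single-core hot spot the slide warns about; the source-port variant is shown only to quantify the difference.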
Monitoring packet paths: accelerated / firewall / medium
# fwaccel stat
  SXL on/off
  Templates enabled? Disabled after rule # X?
# fwaccel stats
  Firewall path: F2F
  Accelerated path: accel
  Medium path: PXL (* only from version R70 *)
# fwaccel conns
  C2S, S2C: client2server, server2client
  flag "F": firewall, connection not accelerated
# fwaccel templates

# fwaccel stats
[Expert@cpmodule]# fwaccel stats
Name                 Value          Name                 Value
-------------------- -------------- -------------------- --------------
conns created        7136           conns deleted        5969
temporary conns      0              templates            10
nat conns            0              accel packets        32044625
accel bytes          7559714608     F2F packets          7319991
ESP enc pkts         0              ESP enc err          0
ESP dec pkts         0              ESP dec err          0
ESP other err        0              espudp enc pkts      0
espudp enc err       0              espudp dec pkts      0
espudp dec err       0              espudp other err     0
AH enc pkts          0              AH enc err           0
AH dec pkts          0              AH dec err           0
AH other err         0              memory used          0
free memory          0              acct update interval 3600
current total conns  22             TCP violations       8
conns from templates 3999624        TCP conns            12
delayed TCP conns    0              non TCP conns        10
delayed nonTCP conns 0              F2F conns            2
F2F bytes            493868773      crypt conns          0
enc bytes            0              dec bytes            0
partial conns        0              anticipated conns    0
dropped packets      1498945        dropped bytes        143185454
nat templates        0              port alloc templates 0
conns from nat tmpl  0              port alloc conns     0
port alloc f2f       0              PXL templates        5
PXL conns            5              PXL packets          126
PXL bytes            34254          PXL async packets    126
(Callout on the slide: FW path)

# fwaccel stats
Same fwaccel stats output as on the previous slide, this time with a callout reading: Accelerated path (SecureXL).

# fwaccel stats
Same fwaccel stats output as on the previous two slides, this time with a callout reading: Medium path (IPS). Note on the slide: the Middle Path appears in R70 to support the new IPS statistics; these counters are absent in R65.

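To turn the counters from the fwaccel stats slides (the output above and the two annotated copies of it) into something an operator can act on, here is an added Python example; it is not Check Point's own tooling. It parses the two-column output into a dictionary and reports the share of packets that took the firewall (F2F), accelerated (accel) and medium (PXL) paths, following the path names given on the "Monitoring packet paths" slide, plus a few conditions worth looking at. The sample text is reconstructed from the slide's values, and the 25% firewall-path threshold in health_warnings() is an assumed example value, not a Check Point recommendation.

```python
"""Parse `fwaccel stats` output and summarise which path packets took.

Added example, not Check Point's own tooling.  SAMPLE_OUTPUT is
reconstructed from the counters on the slide, in the two-column layout
the command prints.  Path names follow the slide: F2F = firewall path,
accel = accelerated path (SecureXL), PXL = medium path (R70 and later).
"""
import re

SAMPLE_OUTPUT = """\
[Expert@cpmodule]# fwaccel stats
Name                 Value          Name                 Value
-------------------- -------------- -------------------- --------------
conns created        7136           conns deleted        5969
temporary conns      0              templates            10
nat conns            0              accel packets        32044625
accel bytes          7559714608     F2F packets          7319991
ESP enc pkts         0              ESP enc err          0
ESP dec pkts         0              ESP dec err          0
ESP other err        0              espudp enc pkts      0
espudp enc err       0              espudp dec pkts      0
espudp dec err       0              espudp other err     0
AH enc pkts          0              AH enc err           0
AH dec pkts          0              AH dec err           0
AH other err         0              memory used          0
free memory          0              acct update interval 3600
current total conns  22             TCP violations       8
conns from templates 3999624        TCP conns            12
delayed TCP conns    0              non TCP conns        10
delayed nonTCP conns 0              F2F conns            2
F2F bytes            493868773      crypt conns          0
enc bytes            0              dec bytes            0
partial conns        0              anticipated conns    0
dropped packets      1498945        dropped bytes        143185454
nat templates        0              port alloc templates 0
conns from nat tmpl  0              port alloc conns     0
port alloc f2f       0              PXL templates        5
PXL conns            5              PXL packets          126
PXL bytes            34254          PXL async packets    126
"""

# A counter name (letters, digits, spaces) followed by an integer value.
_PAIR = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?)\s+(\d+)(?=\s|$)")


def parse_fwaccel_stats(text):
    """Return {counter name: int} from the two-column table."""
    stats = {}
    for line in text.splitlines():
        if line.startswith(("[", "Name", "-")):   # prompt, header, rule lines
            continue
        for name, value in _PAIR.findall(line):
            stats[name.strip()] = int(value)
    return stats


def path_shares(stats):
    """Fraction of packets handled by the firewall, accelerated and medium paths."""
    f2f = stats["F2F packets"]
    accel = stats["accel packets"]
    pxl = stats.get("PXL packets", 0)   # missing on R65, which has no medium path
    total = f2f + accel + pxl
    return {"firewall": f2f / total, "accelerated": accel / total, "medium": pxl / total}


def health_warnings(stats, max_f2f_share=0.25):
    """Conditions an operator would want to look at (threshold is an assumed value)."""
    out = []
    shares = path_shares(stats)
    if shares["firewall"] > max_f2f_share:
        out.append(f"firewall-path share {shares['firewall']:.1%} exceeds {max_f2f_share:.0%}")
    if stats.get("TCP violations", 0):
        out.append(f"{stats['TCP violations']} TCP violations")
    if stats.get("dropped packets", 0):
        out.append(f"{stats['dropped packets']} packets dropped by SecureXL")
    return out


if __name__ == "__main__":
    counters = parse_fwaccel_stats(SAMPLE_OUTPUT)
    for path, share in path_shares(counters).items():
        print(f"{path:<12} {share:6.1%}")
    for w in health_warnings(counters):
        print("warning:", w)
```

On the slide's numbers about 81% of packets took the accelerated path and about 19% went F2F, while the medium path saw only 126 packets; the TCP violations and dropped-packet counters are the ones that justify a closer look with fwaccel conns.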
CoreXL/SecureXL configuration: cpconfig
[CP-R70]# cpconfig
This program will let you re-configure
your Check Point products configuration.
Configuration Options:
---------------------
(1) Licenses and contracts
(2) Administrator
(3) GUI Clients
(4) SNMP Extension
(5) PKCS#11 Token
(6) Random Pool
(7) Certificate Authority
(8) Certificate's Fingerprint
(9) Disable Advanced Routing
(10) Disable Check Point SecureXL
(11) Configure Check Point CoreXL
(12) Automatic start of Check Point Products
(13) Exit
Enter your choice (1-13) :

Monitoring the multi-core configuration with "top"

Which cores handle the network interfaces (affinity)?
Interface affinity is split among the CPUs on which the SND (Secure Network Dispatcher) runs.

"fwpprof": analysis
# ./fwpprof
Data collection stopped after 0 minutes and 53 seconds.
Analyzing results...
Performance Statistics:
---------------------------------------------------------------
CPU   Component   Average load   Maximal load
---------------------------------------------------------------
0     N/A         17%            20%
1     N/A         0%             2%
2     fw_5        21%            24%
3     fw_4        22%            25%
4     fw_3        22%            24%
5     fw_2        0%             2%
6     fw_1        8%             9%
7     fw_0        15%            17%
---------------------------------------------------------------
Current core optimization grade: 62%

"fwpprof": configuration recommendations
Recommended configuration:
-----------------------------------------------------
CPU   Component
-----------------------------------------------------
0     Network
      |-Sync
      ......
      |-Mgmt
      |-Lan1
      .......
      |-Lan8
1     fw_6
2     fw_5
3     fw_4
4     fw_3
5     fw_2
6     fw_1
7     fw_0
-----------------------------------------------------
VPN and VoIP traffic percentage 0%
-----------------------------------------------------
Expected optimization grade following recommended changes: 68%
Summary of recommendations:
1. Increase number of active instances from 6 to 7

Summary and interesting performance-related topics
CoreXL is part of every multi-core installation (it does not require an additional license).
CoreXL:
– R65: interrupts (SPLAT kernel 2.4 / 2.6)
– R70: interrupts, configurable number of instances, fwpprof, the ability to ignore processors

Thank you for your attention!