上海联通防火墙和管理服务器优化建议

©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals联通火墙系统优化建议22©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals|目标主题是:火墙系统全方位的性能调优如何做到这一点33©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals|Structure问题定义真实案例防火墙加速功能策略优化影响防火墙性能的功能选项44©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals|如何让我们的防火墙运行的更好?什么是更好?更快更有效率更加冗余更加安全55©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals|优化防火墙为什么我们需要首先做火墙优化?我们真正需要去优化火墙吗?!如何知道我们真正需要?66©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals|Hey,我有麻烦了更高的CPU利用率更高的内存利用率策略下发耗费了太长的时间并发会话增长太快导致防火墙性能紧张77©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals|当业务不断增长后更多的特征–更多CPU利用率88©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals|某客户案例该客户当前有策略1500(!)并且还在增长中.策略下发用掉了将近20分钟，每天他们需要下发10次策略，这真的很痛苦。99©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals|客户案例(2)该客户有350条策略，对外的访问占用了65%的速度，CPU通常在40-60%.通过分析显示他们最常用的策略是从第275条开始。1010©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals|不容易的事情复杂的任务这是持续不断的过程–不是一次性用品!有很多不同的参数每一种环境的情况也是特殊的!所以没有已经存在的固定解决方案来解决问题。1111©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals|每一种环境确实特殊!流量特征服务器和服务网络拓扑公司内部的策略合作伙伴的策略管理员的风格等1212©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals|我们的讨论主题网络设计安全实施设计硬件FWandVPN策略ClusteringAccelerationforFWandVPN我们将讨论所有这些主题©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals从…头开始我们从零开始构架我们的安全基础1414©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals|Agenda硬件拓扑操作系统FW版本选择补丁和更新Clustering影响性能的因素和特征1515©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals|硬件硬件的选项:处理器,最快的,至少一个主板内存网卡PCI总线–这很重要!硬件加速卡1616©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals|防火墙部署分布式部署配置单独的日志模块OS–明智的选择系统WindowsLinuxSolarisSPLATIPSO给OS打上最新的补丁1717©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals|防火墙部署(2)备份管理服务器/或者logservers:专用管理网段:管理网段同生产网段隔离FW版本选择安装最新的补丁是必须的!1818©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals|防火墙部署(3)Clustering:我们有使用吗?Cluster模式:HighavailabilityLoadsharingHA模式对性能的影响，因为他需要消耗资源用于同步。1919©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals|防火墙部署(4)网卡驱动:使用的最新版本吗?一定要检查!TheNGXR60HFA-3MediaPackincludesnewversion(Ver.6)ofIntelDriver,improvingthroughputperformanceby10%-15%.交换机端口配置:全双工/半双工10/100/1000自适应还是固定速率?检查协商速度和模式!2020©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals|性能:负面的影响资源火墙ContentInspectionSmartDefense和WebIntelligence(并非所有)VPN:CPU时间吞吐量其他特征–后面讨论会导致防火墙性能下降2121©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals|性能:正面的影响加速:防火墙加速VPN加速FW策略优化NAT策略优化Clustering:Loadsharing(在某些案例中)Customsync定义更智能的网卡部署©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividualsFirewall加速Allyouneedtoknow2323©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals|Agenda为什么需要加速SecureXL硬件和软件加速它如何工作2424©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals|我们能够得到什么?更好的性能:增加包的吞吐率会话率提高减少sync流量(延长同步)更好的火墙性能(通过SecureXL带连接过去)2525©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals|Checkpointperformancelab:UseSecureXLtogainupto400%performanceimprovement!2626©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals|SecureXLAPI和加速设备Acceleration由2部分组成1.SecureXLAPI–inFWKernel2.加速设备(执行加速功能):►软件►硬件SecureXLAPI必须了解和信任加速设备–出于安全的因素考虑2727©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals|支持多核CPU/CoresPerformancePack可以利用至少1CPU/Core(IntelDualCore和AMDDualCore都支持)将每块网卡指定CPU上,通过affinity机制自动完成通过‘simaffinity-s’命令手工配置可以改善系统的性能，取决于流量的特征(VPNboundtraffic,Clearboundtraffic,etc’)不能支持VLAN和WARP2828©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals|Software加速模块PerformancePack:安装CheckPoint时选择处于网卡与火墙之间在SecurePlatform,Solaris,LinuxRHEL可用NokiaSecureXL加速支持:在所有IPSO3.8以上的系统上支持。2929©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals|如何让它工作起来首先必须安装-PerformancePack或者hardwaredevice必须要License(现在CheckPoint硬件平台已经免费开放)需要从命令行on/off(CLI):fwaccelonfwacceloff通过cpconfig启用–重启后会保持生效。3030©2010CheckPointSoftwareTechnologiesLtd.|[Restricted]ONLYfordesignatedgroupsandindividuals|它如何工作:1stconnectionWebServer62.90.100.2Client219.38.40.10FireWall-1FireWall-1Acceleratio