
Re: [FW-1] AW: [FW-1] HTTP security server woes on NG... frustration level rising...



> assumed that the security servers were designed to handle this many
> connections, if not more.  Am I wrong in this assumption?
No matter what the hardware, the HTTP security server _is_ a slouch :)

> process... which I have a question about.  It says to replace the "0" at
> the end of the line with a "-2".  Is this correct, or do I just want to
> add a "2"?  So, should the line in "/var/opt/CPfw1-50/conf/fwauthd.conf"
> read:
It should be "-2" not "2"

> Which brings up another interesting question... do I only want
> to spawn two ahttpd processes?  Sure the box only has two processors,
> but if I need to spawn more processes to simply be able to handle the
> number of connections, should I do so?
No you _definitely_ want more than just two processes. I do not have a lot
of experience with the HTTP security server, but I would recommend a
minimum of 4 or 8.

Hopefully someone else on the list can give you some more information.

You will also need a _lot_ of memory in these boxes. According to Dameon
Welch-Abernathy (phoneboy), the security server in 4.1 on Nokia handling
just 1024 connections can reach as much as 87 megs. This is supposed to be
similar on other platforms.

You already took care of the file descriptors issue, however you may also
want to increase the HTTP buffer size to help with your performance
problems.

You may want to refer to Dameon's book "Essential CheckPoint Firewall-1" as
he covers some of these issues.

In the end, the security servers were never really meant to handle a large
number of connections. Dameon Welch-Abernathy does not recommend using the
4.1 security server for more than 1k users. Your environment exceeds that
by two orders of magnitude.

I personally feel that the CheckPoint security servers are overused.
In many cases, a dedicated web proxy would be a far better choice. In your
situation, it may be the only choice.

-Don

   All contents © 2004 Network Presence, LLC. All rights reserved.