Re: [FW-1] AW: [FW-1] HTTP security server woes on NG... frustration level rising...

> assumed that the security servers were designed to handle this many
> connections, if not more. Am I wrong in this assumption?

No matter what the hardware, the HTTP security server _is_ a slouch :)

> process... which I have a question about. It says to replace the "0" at
> the end of the line with a "-2". Is this correct, or do I just want to
> add a "2"? So, should the line in "/var/opt/CPfw1-50/conf/fwauthd.conf"
> read:

It should be "-2", not "2".

> Which brings up another interesting question... do I only want
> to spawn two ahttpd processes? Sure the box only has two processors,
> but if I need to spawn more processes to simply be able to handle the
> number of connections, should I do so?

No, you _definitely_ want more than just two processes. I do not have a lot of experience with the HTTP security server, but I would recommend a minimum of 4 or 8. Hopefully someone else on the list can give you some more information.

You will also need a _lot_ of memory in these boxes. According to Dameon Welch-Abernathy (phoneboy), the security server in 4.1 on Nokia handling just 1024 connections can reach as much as 87 megs. This is supposed to be similar on other platforms.

You already took care of the file descriptors issue; however, you may also want to increase the HTTP buffer size to help with your performance problems. You may want to refer to Dameon's book "Essential CheckPoint Firewall-1" as he covers some of these issues.

In the end, the security servers were never really meant to handle a large number of connections. Dameon Welch-Abernathy does not recommend using the 4.1 security server for more than 1k users. Your environment exceeds that by two orders of magnitude.

I personally feel that the CheckPoint security servers are overused. In many cases, a dedicated web proxy would be a far better choice. In your situation, it may be the only choice.

-Don