Troubleshooting guide

Chapter 7 Troubleshooting Security Servers and Content Security
How to Improve HTTP Security Server performance in a High Performance Environment
Advanced Technical Reference Guide 4.1 June 2000 57
2. Increase proxied_conns table limit to 50,000
In $FWDIR/lib/table.def add to the end of the line:
proxied_conns = limit 50000
3. Increase NAT table limit to 50,000 and hashsize to 65536.
In $FWDIR/conf/objects.C change the following lines:
:nat_limit (50000)
:nat_hashsize (65536)
4. Add http_buffer_size parameter (applies to VPN-1/FireWall-1 4.1):
In $FWDIR/conf/objects.C add the line under props:
:http_buffer_size (32768)
5. Increase the number of instances of the in.ahttpd HTTP security server process to 5
In $FWDIR/conf/fwauthd.conf change the following line:
80 in.ahttpd wait -5
Note: When using multiple instances of the security server— such as the in.ahttpd HTTP security server—
the client_was_auth table is used. The client_was_auth table stores the port number of the specific
security server to which the client connection was folded, so that subsequent connections from the same client
will be handled by the same security server instance.
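The four file edits above (steps 2 to 5) are easy to get subtly wrong by hand, and a second edit can duplicate a line. The following POSIX shell script is an added example, not part of the Check Point guide: it applies each step with sed/awk, is safe to re-run, and verifies the result. FWDIR defaults to a scratch directory that make_sample_fwdir populates with constructed stand-in copies of table.def, objects.C and fwauthd.conf (their contents are assumptions, not the real 4.1 defaults); point FWDIR at a real installation only after backing those files up and with the sample generator left unused.

```shell
#!/bin/sh
# Added example (not from the guide): apply the HTTP security server tuning
# steps with portable sed/awk, then verify them. Re-running is harmless.
# Usage: . ./tune_httpss.sh; make_sample_fwdir; apply_tuning && verify_tuning

FWDIR="${FWDIR:-/tmp/fwdir_tuning_example}"   # assumption: scratch dir, not a live install

# Constructed stand-ins for the three files the procedure touches.
# Refuses to run if the directory already holds an objects.C.
make_sample_fwdir() {
    [ -e "$FWDIR/conf/objects.C" ] && { echo "refusing to overwrite $FWDIR" >&2; return 1; }
    mkdir -p "$FWDIR/lib" "$FWDIR/conf"
    cat > "$FWDIR/lib/table.def" <<'EOF'
connections = dynamic sync expires 3600
proxied_conns = dynamic refresh expires 300
EOF
    cat > "$FWDIR/conf/objects.C" <<'EOF'
(
    :props (
        :nat_limit (25000)
        :nat_hashsize (4096)
    )
)
EOF
    cat > "$FWDIR/conf/fwauthd.conf" <<'EOF'
21 in.aftpd wait 0
80 in.ahttpd wait 0
25 in.asmtpd wait 0
EOF
}

# Rewrite FILE through a filter command (sed -i is not POSIX).
rewrite() {                          # usage: rewrite FILE CMD [ARGS...]
    f=$1; shift
    "$@" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Step 2: append "limit 50000" to the proxied_conns definition, once only.
tune_proxied_conns() {
    f="$FWDIR/lib/table.def"
    grep -q '^proxied_conns = .*limit 50000' "$f" || \
        rewrite "$f" sed 's/^\(proxied_conns = .*\)$/\1 limit 50000/'
}

# Step 3: NAT table limit 50,000 and hash size 65536.
tune_nat() {
    rewrite "$FWDIR/conf/objects.C" sed \
        -e 's/:nat_limit ([0-9]*)/:nat_limit (50000)/' \
        -e 's/:nat_hashsize ([0-9]*)/:nat_hashsize (65536)/'
}

# Step 4: add :http_buffer_size directly under ":props (", once only.
tune_http_buffer() {
    f="$FWDIR/conf/objects.C"
    grep -q ':http_buffer_size (32768)' "$f" || \
        rewrite "$f" awk '{ print } /^[ \t]*:props \(/ { print "\t\t:http_buffer_size (32768)" }'
}

# Step 5: five in.ahttpd instances ("wait -5") on the port 80 line.
tune_ahttpd_instances() {
    rewrite "$FWDIR/conf/fwauthd.conf" awk \
        '$1 == "80" && $2 == "in.ahttpd" && $3 == "wait" { $4 = "-5" } { print }'
}

apply_tuning() {
    tune_proxied_conns && tune_nat && tune_http_buffer && tune_ahttpd_instances
}

# Returns 0 only when all settings are present; names anything missing.
verify_tuning() {
    rc=0
    check() { grep -q "$2" "$FWDIR/$1" || { echo "missing in $1: $2"; rc=1; }; }
    check lib/table.def     '^proxied_conns = .*limit 50000'
    check conf/objects.C    ':nat_limit (50000)'
    check conf/objects.C    ':nat_hashsize (65536)'
    check conf/objects.C    ':http_buffer_size (32768)'
    check conf/fwauthd.conf '^80[[:space:]]*in\.ahttpd[[:space:]]*wait[[:space:]]*-5'
    return $rc
}
```

verify_tuning is the part worth keeping on a real gateway: run it after every objects.C save from the GUI, since a policy install can rewrite that file and silently drop the hand-added :http_buffer_size line.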
Performance Test
A test was conducted during a peak load period, which coincided with lunchtime on a Wednesday with
poor weather (a likely scenario for the maximum number of users sitting at their desktops, having lunch and using
their web browsers). The test period was from approx. 10:45 a.m. to 1:15 p.m. The HTTP security server (httpss) was used in
transparent mode, i.e. no configuration was required at the desktop.
Observations
1. Achieved a peak of approx. 16,000 connections in the connections table:
localhost proxied_conns 18 3217
localhost connections 19 15829
2. Achieved peak open sockets on the firewall of approx. 11,000 sockets. (2 x 5500, determined by using
netstat and counting the number of entries of the VPN-1/FireWall-1’s external interface IP address).
3. Performance from the local test machine's browser was acceptable and comparably faster than the existing
proxy technology.
4. CPU load on VPN-1/FireWall-1 averaged approx. 99% during the peak (100% at times) and averaged
approx. 75% throughout the test.
5. The ahttpd process load on the CPU averaged approx. 15% per process (x 5). The first process always
appeared to have a higher load, sometimes as high as 30% while the rest were down in the 15% range.
6. The first half of the test was without the WebSense rule. For the second half, the WebSense rule was added
on the fly. A number of illegal sites were checked, and the appropriate reject was returned by the WebSense rule.
7. Near the end of the test, at approx. 1 p.m., the message "FW-1: hostname:
Cannot connect to WWW server" appeared on the test browser. This message appears numerous times in the ahttpd.elg
log file. It is therefore assumed that other client browsers experienced this same message.
8. At about the same time, several console messages were received from VPN-1/FireWall-1: "log
buffer message queue full". Because of the log buffer message, it was decided to reduce the
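Observations 1 and 2 above rest on two measurements: the #VALS column of the kernel tables (the two "localhost ..." lines) and a count of netstat entries for the firewall's external interface address. The following POSIX shell script is an added example, not from the Check Point guide: it turns both measurements into repeatable checks that compare table occupancy against the configured limits and split the socket count by state. The fw tab output layout (HOST NAME ID #VALS) is assumed from the two lines in observation 1, and both inputs below are constructed samples in Solaris netstat notation; on a live gateway pipe in the real command output instead.

```shell
#!/bin/sh
# Added example (not from the guide): table occupancy and external-interface
# socket counts, the measurements behind observations 1 and 2.
# Usage on a gateway (assumed commands):  fw tab -s | check_table connections 50000 80
#                                          netstat -an | ext_socket_count <ext-ip> ESTABLISHED

# Constructed sample of `fw tab -s` output; columns assumed HOST NAME ID #VALS.
SAMPLE_FWTAB='localhost proxied_conns 18 3217
localhost connections 19 15829
localhost client_was_auth 23 412'

# Constructed external interface address (TEST-NET-1) and netstat -an sample
# in Solaris "address.port" notation.
EXT_IP='192.0.2.1'
SAMPLE_NETSTAT='TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
192.0.2.1.80         198.51.100.7.1043    8760      0 24820      0 ESTABLISHED
192.0.2.1.80         198.51.100.9.2201    8760      0 24820      0 ESTABLISHED
192.0.2.1.32771      203.0.113.5.80       8760      0 24820      0 ESTABLISHED
10.0.0.1.32772       10.0.0.20.80         8760      0 24820      0 ESTABLISHED
192.0.2.1.80         198.51.100.7.1044    8760      0 24820      0 TIME_WAIT'

# #VALS of table NAME from fw tab -s text on stdin (0 if the table is absent).
table_vals() {                       # usage: ... | table_vals connections
    awk -v name="$1" '$2 == name { print $4; found = 1 } END { if (!found) print 0 }'
}

# Integer percentage of LIMIT currently used by table NAME.
table_utilization() {                # usage: ... | table_utilization proxied_conns 50000
    awk -v name="$1" -v limit="$2" \
        '$2 == name { printf "%d\n", ($4 * 100) / limit; found = 1 }
         END { if (!found) print 0 }'
}

# Print "NAME: VALS/LIMIT (PCT%)" and return 1 once PCT reaches THRESHOLD,
# so a cron job can raise an alert before the table fills up.
check_table() {                      # usage: ... | check_table connections 50000 80
    data=$(cat)
    vals=$(printf '%s\n' "$data" | table_vals "$1")
    pct=$(printf '%s\n' "$data" | table_utilization "$1" "$2")
    printf '%s: %s/%s (%s%%)\n' "$1" "$vals" "$2" "$pct"
    [ "$pct" -lt "$3" ]
}

# Count netstat entries whose local or remote address is IP (observation 2's
# method); an optional STATE restricts the count, e.g. ESTABLISHED.
ext_socket_count() {                 # usage: ... | ext_socket_count 192.0.2.1 [STATE]
    awk -v ip="$1." -v st="$2" \
        '(index($1, ip) == 1 || index($2, ip) == 1) && (st == "" || $NF == st) { n++ }
         END { print n + 0 }'
}

# Run all checks against the constructed samples.
report() {
    printf '%s\n' "$SAMPLE_FWTAB" | check_table proxied_conns 50000 80
    printf '%s\n' "$SAMPLE_FWTAB" | check_table connections 50000 80
    printf 'sockets on %s: %s total, %s established\n' "$EXT_IP" \
        "$(printf '%s\n' "$SAMPLE_NETSTAT" | ext_socket_count "$EXT_IP")" \
        "$(printf '%s\n' "$SAMPLE_NETSTAT" | ext_socket_count "$EXT_IP" ESTABLISHED)"
}
```

Counting by state matters for observation 2: a large TIME_WAIT share inflates the raw entry count without consuming a security server instance, while a high ESTABLISHED count against a 50,000 proxied_conns limit is the figure that predicts the "Cannot connect to WWW server" condition in observation 7.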