Firewalls: Re: [FW1] Performance monitoring for FW-1

Firewalls
(June 1997)

Indexed By Thread: [Previous] [Next]

Subject:	Re: [FW1] Performance monitoring for FW-1
From:	drexx @ pspi . com . ph (Drexx Laggui)
Date:	Tue, 3 Jun 1997 14:16:42 -0800
To:	fw-1-mailinglist @ us . checkpoint . com, solid @ mozcom . com, firewalls @ greatcircle . com

|> From: "Jet B. Bagadion" <solid @
 mozcom .
 com>
|> 
|> Hello everybody,
|> 
|> How will I monitor Firewall-1 performance? Please send some tips on how I
|> can improve its performance.
|> 

Hello Jet,

1] On a Sun H/W:

1.1] On a Sun Solaris platform, the easiest way is to use the Performance
Meter (/usr/openwin/bin/perfmeter). Just right-mouse click to get to the
Properties menu and select the parameters you'd like to monitor (CPU, RAM,
network utilization, etc.)

1.2] On checking the FW-1 host disk activity, do 

prompt# iostat -x 30

Look at the b values (from the whole 30 samples) and average it. If it's
more than 35% utilized then it is rather busy. Either stripe it or get a
faster disk then.

1.3] For checking network performance, do

prompt# netstat -i 30

A network output with too many collisions reduces throughput and
increases response time. Upgrade to a faster network if necessary.

1.4] On CPU and memory rules, use

prompt# vmstat 30

If the "swap" values are (1000k <= 10000k) or worse, then the system may
soon run out of virtual memory. Try to add more swap.

If the "sr" values are (200 <= 300), then the system is scanning through
memory looking for more pages to free at a high rate. This indicates that,
as well as inactive pages, active pages maybe stolen from processes.

If the "r" values are from (3 <= 5), then there is insufficient CPU power.
Jobs are spending an increasing amount of time in the queue before being
asigned to a CPU. This reduces throughput and increases response time.

2.0] On the FW-1 application, do

prompt# fw ctl pstat

If too low, edit the /etc/system file with fw:fwhmem=0x100000 (~1MB RAM).

3.0] Search out Adrian Cockroft's columns on www.sun.som/sunworld for
     more info. 


Hanggang sa muli,
Drexx.

"It's a dirty job, but somebody's gotta do it." -- John Wayne
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
         ______
        /_____/\	DEXTER D. LAGGUI
       /_____\\ \	Systems Engineer, Systems Integration Group 
      /_____\ \\ /	PHILIPPINE SYSTEMS PRODUCTS INC.
     /_____/ \/ / /	Penthouse, Corporate Business Center
    /_____/ /   \//\	150 Paseo de Roxas Ave., Legaspi Village
    \_____\//\   / /	Makati City, Philippines
     \_____/ / /\ /          
      \_____/ \\ \	Phone: (++ 63-2) 813-6453 to 55 loc. 222
       \_____\ \\	Fax  : (++ 63-2) 813-5834
        \_____\/	Email: drexx @
 pspi .
 com .
 ph
			Pager: (++ 63-2) 1277-33615
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~

Indexed By Date	Previous:	SSH Equiv for FTP? From: Warpy <warpy @ null . net>
Indexed By Date	Next:	Netscape and Port IS411-srvr From: Basil McCrea <mccrebsi @ ina . de>
Indexed By Thread	Previous:	Re: SSH Equiv for FTP? From: Gavin Longmuir <Gavin . Longmuir @ mailhost . dpie . gov . au>
Indexed By Thread	Next:	Netscape and Port IS411-srvr From: Basil McCrea <mccrebsi @ ina . de>