Appliance Sizing Tool - General Assumptions & Testing Methodology
This document presents the general assumptions and performance testing methodologies used for the Appliance Sizing Tool. It is updated periodically with new methodologies as new releases, features and requirements appear.
- To apply ‘Internet only’ traffic to blade inspection, validate the inspection scope in each blade's policy.
Appliance Sizing tool – Security requirements step.
This section provides general information about the topologies and test beds used in the performance tests for the Appliance Sizing Tool. During the performance tests, the DUT (device under test) may have the maximum possible number of network interfaces connected.
- Represents the type of Internet traffic that security appliances handle on a day-to-day basis.
- Based on customer research conducted by Check Point performance labs.
- Consists of the following streams/protocols: HTTP; HTTPS; SMTP; DNS; POP3; FTP; Telnet.
- The majority of the traffic is Internet access (HTTP).
Full traffic blend description
Protocol | Action | Details | Distribution
HTTP | Amazon Home Page | HTTP GET of Amazon Home Page, 676K | 16%
HTTP | Yahoo Home Page | HTTP GET of Yahoo Home Page, 292K | 16%
HTTP | Facebook Home Page | HTTP GET of Facebook Home Page, 271K | 16%
HTTP | Google Search | HTTP GET of Google Home Page, 41K | 17%
HTTP | Google Mail | HTTP GET of Gmail index.html file, 21K | 2%
HTTP | HTTP Post | 100K PDF file | 1%
HTTP | Total HTTP Protocol | | 68%
SMTP | SMTP 17K | MIME Message with PDF Attachment file | 7%
SMTP | SMTP 100K | MIME Message with MS Word Attachment file | 6%
SMTP | Total SMTP Protocol | | 13%
HTTPS | HTTPS 10K | HTTPS GET of 10K file | 5%
HTTPS | HTTPS 100K | HTTPS GET of 100K file | 5%
HTTPS | Total HTTPS | | 10%
Other Protocols | DNS | DNS Query | 6%
Other Protocols | POP3 | Message size: 256-512 bytes | 1%
Other Protocols | Telnet | Login; cd /disk/images; ls | 1%
Other Protocols | FTP | FTP get, 1MB file | 1%
Other Protocols | Total Other Protocols | | 9%
- To achieve the best performance, the following features were enabled:
  - Dynamic NAT port allocation
  - User-space process affinity
- Standalone Deployment - Where the gateway and the Security Management server are installed on the same machine.
- Distributed Deployment - Where the gateway and the Security Management server are installed on different machines.
- Access Control Policy
  - Network Policy: 100 network rules with logging
    - Traffic is evenly distributed among these rules.
  - Network Address Translation (NAT)
    - Performed on all connections that pass through the Security Gateway.
  - IPS with ‘Optimized’ profile
  - Anti-Bot and Anti-Virus blades with ‘Optimized’ profile
- Simulating mobile users connecting securely to corporate resources through the SSL VPN Portal.
- Mobile Access Mode: Integrated.
- Link Translation Method: Path Translation (Default).
- Simulated Web Application: Outlook Web Access.
- Simulated OWA usage profile: Heavy Usage (based on the assumption that remote access users are usually busier with email than in-office users).
- Our profile is based on an MS article that describes several OWA usage profiles:
Activity per day | Light | Medium | Heavy | Very Heavy
Messages sent | 5 | 10 | 20 | 30
Messages received | 20 | 40 | 80 | 120
Messages read | 20 | 40 | 80 | 120
Messages deleted | 10 | 20 | 40 | 60
Log on and log off | 2 | 2 | |
- The average message size for all profiles is 50 KB.
- Bandwidth for the Heavy OWA profile: every user generates 50 KB of network traffic per minute.
- 2% of the users generate new login traffic: for every 100 concurrent users there are 2 new login requests per second.
- Simulating VPN Remote Access Clients connecting securely to corporate resources.
- Bandwidth per User: 20Kbps.
- IPSEC Security Association (Phase 2): Encryption Algorithm: AES128.
- Log Level: ‘Detailed’ log with Accounting
- Up to date Signatures.
- Default Deployment - Uses the Data Loss Prevention policy provided Out of the Box.
- Out of the box Data Loss Prevention with a basic policy (DLP Software Blade comes with a large number of built-in data types that can be quickly applied as a default policy).
- Default Applied Protocols: Email (Scan outgoing Emails).
- Emulation Location: ‘Check Point Threat Cloud Emulation’ / ‘Private Cloud Emulation’.
- Out of the box Threat Emulation Profile.
- File emulation rate: one file emulated for every 250 MB of traffic.
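The sizing arithmetic implied by the assumptions above (the traffic blend shares, the Heavy OWA profile, the per-client VPN bandwidth and the Threat Emulation file rate), as an added Python example that is not part of this document or of the Sizing Tool itself. It assumes ‘K’ in the blend table means kilobytes, and uses 0.5 KB for the POP3 message and 1024 KB for the 1 MB FTP file as constructed stand-ins.

```python
# Traffic blend rows: (protocol, action, object size in KB or None, share in %).
BLEND = [
    ("HTTP",  "Amazon Home Page",   676, 16),
    ("HTTP",  "Yahoo Home Page",    292, 16),
    ("HTTP",  "Facebook Home Page", 271, 16),
    ("HTTP",  "Google Search",       41, 17),
    ("HTTP",  "Google Mail",         21,  2),
    ("HTTP",  "HTTP Post",          100,  1),
    ("SMTP",  "SMTP 17K",            17,  7),
    ("SMTP",  "SMTP 100K",          100,  6),
    ("HTTPS", "HTTPS 10K",           10,  5),
    ("HTTPS", "HTTPS 100K",         100,  5),
    ("Other", "DNS",               None,  6),   # table lists no size
    ("Other", "POP3",               0.5,  1),   # assumed: 256-512 bytes -> 0.5 KB
    ("Other", "Telnet",            None,  1),   # table lists no size
    ("Other", "FTP",               1024,  1),   # assumed: 1 MB -> 1024 KB
]

def blend_is_consistent():
    """The Distribution column must sum to exactly 100%."""
    return sum(share for *_, share in BLEND) == 100

def protocol_shares():
    """Per-protocol totals in %; the table states 68/13/10/9."""
    totals = {}
    for proto, _, _, share in BLEND:
        totals[proto] = totals.get(proto, 0) + share
    return totals

def weighted_object_kb(protocol):
    """Share-weighted mean object size (KB) over a protocol's rows that list a size."""
    rows = [(kb, s) for p, _, kb, s in BLEND if p == protocol and kb is not None]
    return sum(kb * s for kb, s in rows) / sum(s for _, s in rows)

def owa_heavy_kbps(users):
    """Heavy OWA profile: 50 KB per user per minute, converted to kbit/s."""
    return users * 50 * 8 / 60

def owa_new_logins_per_sec(users):
    """2% of concurrent users produce a new login request each second."""
    return users * 0.02

def vpn_client_kbps(users):
    """Remote Access VPN clients at 20 Kbps each."""
    return users * 20

def emulations_per_hour(throughput_mbps):
    """Threat Emulation: one file emulated per 250 MB of traffic."""
    return throughput_mbps / 8 * 3600 / 250
```

Dividing a target throughput by `weighted_object_kb("HTTP")` gives the HTTP transaction rate the blend implies at that throughput, which is the figure to compare against connection-rate limits.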