Thread: Question about Floodgate




Question about Floodgate
United States
2007-09-04 09:59:19
I have a question for checkpoint flood-gate gurus in the forum.

I have NG AI R55 with HFA_20 running on SPLAT enforcement module.  This module is being managed from a Provider-1 NG AI R55 with HFA_20.  I have single firewall at the moment but I configure ClusterXL on this firewall because I will add a second firewall for Active/Active very soon.  Everything is working so far.

I also have Floodgate on the SPLAT enforcement.  I have 3 floodgate rules (including the default rule):
  1)  Any  Any  ssh   weigh_70
  2)  Any  Any  FTP   weigh_15
  3)  Any  Any  any   weigh_10
I have this setup "per rule" ONLY.

All interfaces on the SPLAT box are Fast-Ethernet full-duplex.

I open three Secure Copy (SCP) sessions from a host behind the firewall to three different SSH servers outside the firewall (I control those ssh servers) and one FTP session from the same host to an external FTP server (I control this FTP server as well).

I started downloading via scp from the ssh sessions a 100MB file size.  All three scp sessions, I am getting about 16Mbps download each.  Immediately after starting the secure copy session, I started the FTP session.  Much to my amazement, I am getting about 20Mbps download with FTP.  At the same time, I am seeing my secure copy session going down from 16Mbps to 10Mbps on all three of them.

With Floodgate, I thought my ssh traffic is getting a much higher priority than FTP traffic.  If that is true, then how come my FTP traffic throughput is higher than my ssh traffic, and that when FTP is going on, it takes away bandwidth from my SSH traffic.

Can someone explain this?  Thanks.

       

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

Re: Question about Floodgate
Netherlands
2007-09-04 11:51:10
On Tue, 4 Sep 2007, cisco4ng wrote:

> I have a question for checkpoint flood-gate gurus in the forum.
>
>  I have NG AI R55 with HFA_20 running on SPLAT enforcement
> module.  This module is being managed from a Provider-1 NG
> AI R55 with HFA_20.  I have single firewall at the moment
> but I configure ClusterXL on this firewall because I will
> add a second firewall for Active/Active very soon.  Everything
> is working so far.
>
>  I also have Floodgate on the SPLAT enforcement.  I have
> 3 floodgate rules (including the default rule):
>  1)  Any  Any  ssh   weigh_70
>  2)  Any  Any  FTP   weigh_15
>  3)  Any  Any  any   weigh_10
>  I have this setup "per rule" ONLY.

Isn't weight done based on the rules? So you had 3x 16Mb/s = 48Mb/s on rule 1.

When you started ftp the balance becomes:

 	SSH: 3x 10Mb/s = 30 Mb/s
 	FTP: 1x 20Mb/s = 20 Mb/s

So SSH as set still outweighs FTP as set.

Can you test this again with equal numbers of FTP and SSH sessions? Say 3 or 5 ssh and as many ftp sessions.

Hugo.

-- 
 	hvdkooijvanderkooij.org	http://hugo.vanderkooij.org/
 	    This message is using 100% recycled electrons.

 	Some men see computers as they are and say "Windows"
 	I use computers with Linux and say "Why Windows?"
 	(Thanks JFK, for this quote of George Bernard Shaw.)


Re: Question about Floodgate
Canada
2007-09-04 12:10:46
I agree fully with Hugo on the weight distribution based on the rule (meaning distributed by protocol) however my concern was why 50Mbs when the link was 100Mbs?

Roger Herr

WhyNot? Consulting Services
24165 IH 10 West Suite 217-183
San Antonio, Texas 78257
210-860-3990
Some men see things as they are and say why?
I dream things that never were and say "Why Not?"
                                                -Robert F. Kennedy

Or the original

You see things; and you say "Why?" But I dream things that never were; and I say "Why not?"
George Bernard Shaw
(1856-1950)
----- Original Message ----- 
From: "Hugo van der Kooij" <hvdkooijVANDERKOOIJ.ORG>
To: <FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM>
Sent: Tuesday, September 04, 2007 11:51 AM
Subject: Re: [FW-1] Question about Floodgate


> On Tue, 4 Sep 2007, cisco4ng wrote:
>
>> I have a question for checkpoint flood-gate gurus in the forum.
>>
>>  I have NG AI R55 with HFA_20 running on SPLAT enforcement
>> module.  This module is being managed from a Provider-1 NG
>> AI R55 with HFA_20.  I have single firewall at the moment
>> but I configure ClusterXL on this firewall because I will
>> add a second firewall for Active/Active very soon.  Everything
>> is working so far.
>>
>>  I also have Floodgate on the SPLAT enforcement.  I have
>> 3 floodgate rules (including the default rule):
>>  1)  Any  Any  ssh   weigh_70
>>  2)  Any  Any  FTP   weigh_15
>>  3)  Any  Any  any   weigh_10
>>  I have this setup "per rule" ONLY.
>
> Isn't weight done based on the rules? So you had 3x 16Mb/s  = 48Mb/s on
> rule 1.
>
> When you started ftp the balance becomes:
>
>  SSH: 3x 10Mb/s = 30 Mb/s
>  FTP: 1x 20Mb/s = 20 Mb/s
>
> So SSH as set still outweighs FTP as set.
>
> Can you test this again with equal numbers of FTP and SSH sessions? Say 3
> or 5 ssh and as many ftp sessions.
>
> Hugo.
>
> -- 
>  hvdkooijvanderkooij.org http://hugo.vanderkooij.org/
>      This message is using 100% recycled electrons.
>
>  Some men see computers as they are and say "Windows"
>  I use computers with Linux and say "Why Windows?"
>  (Thanks JFK, for this quote of George Bernard Shaw.)
>
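
Added example, not part of the original thread and not Check Point's FloodGate-1 implementation: a generic weighted max-min fair-share model applied to the three rule weights from the first post, covering both the per-rule arithmetic in Hugo's reply and the 50-of-100 Mb/s point in Roger's. The link capacity, per-rule demands and all function names are constructed assumptions.

```python
# Added illustration: generic weighted max-min fair sharing (water-filling).
# This is NOT Check Point's FloodGate-1 algorithm; it only models "weight per rule".
WEIGHTS = {"ssh": 70, "ftp": 15, "default": 10}  # rule weights from the thread

GREEDY = float("inf")  # a rule that will use whatever bandwidth it is given


def allocate(capacity_mbps, demand_mbps, weights=WEIGHTS):
    """Return {rule: Mb/s}. A rule never gets more than it asks for; whatever
    it leaves unused is re-divided among the other rules by weight."""
    active = dict(demand_mbps)
    remaining = float(capacity_mbps)
    alloc = {}
    while active:
        total_w = sum(weights[r] for r in active)
        # Rules whose demand fits inside their weighted share are satisfied.
        fits = [r for r, d in active.items()
                if d <= remaining * weights[r] / total_w]
        if not fits:
            # Every remaining rule is bottlenecked: split strictly by weight.
            for r in active:
                alloc[r] = remaining * weights[r] / total_w
            break
        for r in fits:
            alloc[r] = float(active.pop(r))
            remaining -= alloc[r]
    return alloc


def per_session(rule_mbps, sessions):
    """Bandwidth of one connection if a rule's share is split evenly."""
    return rule_mbps / sessions


def observed_case():
    # Constructed from the thread's figures: 3 x 10 Mb/s scp, 1 x 20 Mb/s FTP,
    # on a 100 Mb/s link. Demand is below capacity, so the weights never bite.
    return allocate(100, {"ssh": 30, "ftp": 20, "default": 0})


def saturated_case(capacity_mbps=100):
    # Assumption: both rules would fill the link if allowed to.
    return allocate(capacity_mbps, {"ssh": GREEDY, "ftp": GREEDY, "default": 0})


if __name__ == "__main__":
    print(observed_case())
    sat = saturated_case()
    print(sat, per_session(sat["ssh"], 3))
```

In this model the 70/15 weights only decide the split once the rules together ask for more than the link can carry; with 50 Mb/s offered on a 100 Mb/s link, each rule simply receives what it asked for.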
