Understanding & Tuning The Ring Buffer on a Check Point Firewall

Is your firewall dropping allowed traffic unexpectedly, without logging? Does it seem like your firewall is under performing but not undersized? It may be that you need to adjust the size of the ring buffers. 

 

Not sure where to begin? Don’t worry—we’ve got you covered! Read on to better understand the size of the ring buffers you need and how to adjust them on a Check Point firewall!

What Are Ring Buffers?

Ring buffers, also known as circular buffers, are shared buffers between the device driver and Network Interface Card (NIC). These buffers store incoming packets until the device driver can process them. Ring buffers exist on both the receive (rx) and transmit (tx) side of each interface on the firewall. So, there is a rx ring buffer and a tx ring buffer. 

How Do Ring Buffers Work?

Have you ever turned on your computer, gone to your bank’s website, and started typing your password to log in—then noticed a major lag in what you’re typing into the password field? This lag happens when the computer processor begins to “wake up” and realize it needs to start grabbing data from the processor in the keyboard. You may be thinking: “Where is this information stored if there’s only a small amount of space in that keyboard’s memory?”

 

Well, that’s where the ring buffer comes in! The ring buffer functions like a queue, storing data in a fixed-size array. In our example, that lag is caused by the buffer trying to pull that password data out of the queue. 

How To Check Your Ring Buffer Sizes

To check the current and the maximum ring buffer sizes, run the following GAIA clish command:

 

HostName> show interface NAME_of_PHYSICAL_INTERFACE rx-ringsize

 

HostName> show interface NAME_of_PHYSICAL_INTERFACE tx-ringsize

 

Output example:

 

HostName> show interface eth0 rx-ringsize

Receive buffer ring size: 256

Maximum receive buffer ring size: 4096

 

In this example, 4096 is the maximum size of RX ring buffers for this particular driver, and the current ring buffer size is 256.

Common Questions When Tuning Ring Buffers

How do I know when I need to tune ring buffers?

Now that you know what a ring buffer is, you need to understand what circumstance would necessitate changing it. The only reason to change this buffer is if you are experiencing or are expected to experience interface drops.

 

You can check for drops on the interface from GAIA with the following command:

 

“show interface x statistics” where “x” is the interface name.  e.g “show interface eth0 statistics” 

 

Output example:

 

cpgw1> show interface eth0 statistics 

 

Statistics: 

TX bytes:1277516009 packets:1609950902 errors:0 dropped:0 overruns:0 carrier:0

RX bytes:3274762007 packets:1088786537 errors:0 dropped:17365890 overruns:0 frame:0

 

As you can see in this example, there are 17365890 dropped packets, indicating that there is a problem with RX drops. Note there are no TX drops, which is fairly common as RX drops occur much more frequently. 

 

The command “show interface x rx-ringsize” where x is the interface name e.g “show interface eth0 rx-ringsize” will produce an output like this:

 

cpgw1> show interface eth0 rx-ringsize 

Receive buffer ring size:256

Maximum receive buffer ring size:4096

 

In this case, the receive buffer ring size is only 256 out of a maximum of 4096.

Now that I’ve identified a problem with interface drops and a small ring buffer size, what should I change it to?

The rule of thumb is to double the ring size and watch for drops. In this example, this would be 512, and it would be changed with the command:

 

“set interface eth0 rx-ringsize 512”

 

Give it some time and then re-check the statistics. If the drops are continuing to increase, you should double the buffer size again. If not, leave the value of rx-ringsize where you just set it.

Why double the size instead of just setting it to the maximum value to start with?

Increasing the ring buffer size causes the interface to store more data before sending an interrupt to the CPU to process that data. The longer (or bigger) the ring buffer size (or queue), the longer it will take for the packets to be de-queued (or processed). This will cause latency in traffic, especially if small packets (e.g., ICMP packets, some UDP datagrams) make up the majority of the traffic.

 

The main reason to increase the ring buffer size on an interface is to lower the amount of interrupts sent to the CPU, thus decreasing the number of interface drops. Due to the inevitable latency factor, increasing the ring buffer size must be done gradually, followed by a test period.

What is an acceptable test period or window for determining the buffer size?

Since these drops occur when the firewall is busiest, it would make the most sense to allow the increased buffer size to run across the busiest part of the day when the firewall is at its highest CPU utilization. A few hours should be enough.

What about the tx-ringsize?

While most often the rx-ringsize needs to be adjusted, the tx-ringsize sometimes needs to be adjusted as well. Similar commands can be executed such asshow interface x tx-ringsize.” Here is an example:

 

cpgw1> show interface eth0 tx-ringsize 

Transmit buffer ring size:1024

Maximum transmit buffer ring size:4096

 

If you notice the default tx-ringsize is 1024 compared to the default rx-ringsize of 256. With this buffer already quadrupling the size, drops on the TX side of the interface are less common. 

What will tuning the ring buffer on my firewall mean for my organization?

While this procedure isn’t a substitute for needing a bigger firewall, increasing the ring buffer sizes can decrease the number of dropped packets on the interfaces. This simple free procedure may prolong the life of your firewall solution, meaning better security for your organization without breaking the budget!