How to Tune the Barracuda NG Firewall for High Performance Environments

Barracuda CloudGen Firewall

How to Tune the Barracuda NG Firewall for High Performance Environments https://campus.barracuda.com/doc/12198170/

These settings should only be made by experts.

In certain high load environments where over 50,000 concurrent sessions persist, more than 5000 new sessions are generated per second, or in combination with a multi-gigabit forwarding traffic flow, you may need to tune your system for optimal performance. This article lists configurations that you can change to improve your system performance.

In this article:

Interrupt Throttle Rate

If your hardware uses Intel Gigabit NICs, the interrupt rate should be throttled to 10,000 interrupts for each NIC. Otherwise, the overall performance of your system can be slowed down from how frequently the kernel tries to fetch packets from the NIC. For the InterruptThrottleRate module setting, add a 10000 value for each Intel Gigabit NIC in your system. For example:

One NIC: InterruptThrottleRate=10000 Two NICs: InterruptThrottleRate=10000,10000

To add the InterruptThrottleRate setting to your NIC settings:

1. Log into the Barracuda NG Firewall. 2. Open the Network page (Config > Full Config > Box). 3. From the Configuration menu in the left navigation pane, select Interfaces. 4. Expand the Configuration Mode menu and click Switch to Advanced. 5. Click Lock. 6. In Network Interface Cards table, edit your interface settings. Add the InterruptThrottleRate module setting to the Driver Options table. 7. Click OK. 8. Click Send Changes and then click Activate.

How to Tune the Barracuda NG Firewall for High Performance Environments 1 / 4 Barracuda CloudGen Firewall

Processing Priority for "ksoftirqd"

Under heavy load, some packets cannot be handled via the hardware interrupt and are treated by the ksoftirqd daemon. The default priority is set in a way to treat other processes with a higher priority to ksoftirqd. To avoid this, run the following commands: renice -19 -p $(ps ax | grep ksoftirqd | grep -v grep | awk '{print $1}') ethtool -G port1 rx 1024 ethtool -G port2 rx 1024 ethtool -G port3 rx 1024 ethtool -G port4 rx 1024 acpfctrl tune timermode 1

The priority is set to -19 .

To make this conﬁguration permanent, add the commands to the User Scripts settings. For more information, see How to Activate Custom Network Commands.

NIC Receive Buﬀers

Increasing the number of receive buﬀers improves the system performance when packet bursts occur. The default value for the Intel Gigabit NIC is 256. To increase the default value:

1. Show the settings for the NIC. ethtool -g eth3 2. Increase the number of receive buﬀers. ethtool -G eth3 rx 1024

To make this conﬁguration permanent, add the commands to the User Scripts settings. For more information, see How to Activate Custom Network Commands.

NOATIME Mount

In a default Barracuda NG Firewall installation, file access times are tracked when a file is accessed. This issues a write command even if a file is opened for reading only and additional I/O load is created. To avoid this, mount the partitions with the noatime option. mount / -o remount,noatime mount /boot -o remount,noatime mount /phion0 -o remount,noatime mount /proc -o remount,noatime

To make this conﬁguration permanent, add the commands to the User Scripts settings. For more

How to Tune the Barracuda NG Firewall for High Performance Environments 2 / 4 Barracuda CloudGen Firewall

information, see How to Activate Custom Network Commands.

Increasing the Routing Cache

If you have your Barracuda NG Firewall handling traﬃc from large networks with a large number of IP addresses on both sides of the forwarding ﬁrewall, increase the maximum number of entries that are allowed in the routing cache.

1. Log into the Barracuda NG Firewall. 2. Open the System Settings page (Config > Full Config > Box > Advanced Configuration). 3. From the the Configuration menu in the left navigation pane, select Routing Cache. 4. Click Lock. 5. In the Max Routing Cache Entries field, enter the maximum number of entries for the cache. For example, 200000. 6. Click Send Changes and then click Activate.

Disable CPU Power Savings

To enable the highest performance on modern server systems, turn oﬀ the CPU power savings. Modify the BIOS settings for the server accordingly.

How to Test Read Performance for Harddisk

To test read performance for harddisk on a running Barracuda NG Firewall, use the following command: hdparm -tT /dev/

How to Tune the Barracuda NG Firewall for High Performance Environments 3 / 4 Barracuda CloudGen Firewall

© Barracuda Networks Inc., 2021 The information contained within this document is confidential and proprietary to Barracuda Networks Inc. No portion of this document may be copied, distributed, publicized or used for other than internal documentary purposes without the written consent of an official representative of Barracuda Networks Inc. All specifications are subject to change without notice. Barracuda Networks Inc. assumes no responsibility for any inaccuracies in this document. Barracuda Networks Inc. reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

How to Tune the Barracuda NG Firewall for High Performance Environments 4 / 4