Barracuda CloudGen Firewall
How to Tune the Barracuda NG Firewall for High Performance Environments https://campus.barracuda.com/doc/12198170/
These settings should only be made by experts.
In certain high load environments where over 50,000 concurrent sessions persist, more than 5000 new sessions are generated per second, or in combination with a multi-gigabit forwarding traffic flow, you may need to tune your system for optimal performance. This article lists configurations that you can change to improve your system performance.
Interrupt Throttle Rate
If your hardware uses Intel Gigabit NICs, the interrupt rate should be throttled to 10,000 interrupts for each NIC. Otherwise, the overall performance of your system can be slowed down by how frequently the kernel tries to fetch packets from the NIC. For the InterruptThrottleRate module setting, add a 10000 value for each Intel Gigabit NIC in your system. For example:
One NIC: InterruptThrottleRate=10000
Two NICs: InterruptThrottleRate=10000,10000
To add the InterruptThrottleRate setting to your NIC settings:
1. Log into the Barracuda NG Firewall.
2. Open the Network page (Config > Full Config > Box).
3. From the Configuration menu in the left navigation pane, select Interfaces.
4. Expand the Configuration Mode menu and click Switch to Advanced.
5. Click Lock.
6. In the Network Interface Cards table, edit your interface settings. Add the InterruptThrottleRate module setting to the Driver Options table.
7. Click OK.
8. Click Send Changes and then click Activate.
Processing Priority for "ksoftirqd"
Under heavy load, some packets cannot be handled via the hardware interrupt and are processed by the ksoftirqd daemon instead. By default, other processes are given a higher priority than ksoftirqd. To avoid this, run the following commands:
    renice -19 -p $(ps ax | grep ksoftirqd | grep -v grep | awk '{print $1}')
    ethtool -G port1 rx 1024
    ethtool -G port2 rx 1024
    ethtool -G port3 rx 1024
    ethtool -G port4 rx 1024
    acpfctrl tune timermode 1
The priority is set to -19.
To make this configuration permanent, add the commands to the User Scripts settings. For more information, see How to Activate Custom Network Commands.
NIC Receive Buffers
Increasing the number of receive buffers improves the system performance when packet bursts occur. The default value for the Intel Gigabit NIC is 256. To increase the default value:
1. Show the settings for the NIC.
    ethtool -g eth3
2. Increase the number of receive buffers.
    ethtool -G eth3 rx 1024
To make this configuration permanent, add the commands to the User Scripts settings. For more information, see How to Activate Custom Network Commands.
NOATIME Mount
In a default Barracuda NG Firewall installation, file access times are tracked whenever a file is accessed. This issues a write command even if a file is opened for reading only, which creates additional I/O load. To avoid this, mount the partitions with the noatime option.
    mount / -o remount,noatime
    mount /boot -o remount,noatime
    mount /phion0 -o remount,noatime
    mount /proc -o remount,noatime
To make this configuration permanent, add the commands to the User Scripts settings. For more information, see How to Activate Custom Network Commands.
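An added example, not part of the original Barracuda article: a read-only check for the NIC Receive Buffers and NOATIME Mount settings above. It parses `ethtool -g` and /proc/mounts style text from stdin; the function names and the sample inputs are constructed for illustration.

```shell
# Added example: read-only audit of two tunings from this article.
# All sample inputs below are constructed, not captured from a real box.

# ring_rx SECTION: print RX from the "max" or "cur" section of `ethtool -g` text on stdin.
ring_rx() {
    awk -v want="$1" '
        /^Pre-set maximums:/          { sec = "max" }
        /^Current hardware settings:/ { sec = "cur" }
        $1 == "RX:" && sec == want    { print $2; exit }'
}

# check_rx_ring TARGET: print ok, raise (current < target),
# unsupported (target > NIC maximum) or unparsed.
check_rx_ring() {
    out=$(cat)
    max=$(printf '%s\n' "$out" | ring_rx max)
    cur=$(printf '%s\n' "$out" | ring_rx cur)
    for v in "$max" "$cur"; do
        case "$v" in ''|*[!0-9]*) echo unparsed; return 0 ;; esac
    done
    if [ "$1" -gt "$max" ]; then echo unsupported
    elif [ "$cur" -lt "$1" ]; then echo raise
    else echo ok; fi
}

# missing_noatime MOUNTPOINT...: read /proc/mounts-format text on stdin and
# print each listed mount point whose option field lacks noatime.
missing_noatime() {
    awk -v list="$*" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($2 in want) && ("," $4 ",") !~ /,noatime,/ { print $2 }'
}

SAMPLE_ETHTOOL='Ring parameters for eth3:
Pre-set maximums:
RX: 4096
RX Mini: 0
TX: 4096
Current hardware settings:
RX: 256
TX: 256'

SAMPLE_MOUNTS='/dev/sda2 / ext3 rw,noatime 0 0
/dev/sda1 /boot ext3 rw,relatime 0 0
/dev/sda3 /phion0 ext3 rw,noatime,data=ordered 0 0
proc /proc proc rw,relatime 0 0'

printf '%s\n' "$SAMPLE_ETHTOOL" | check_rx_ring 1024
printf '%s\n' "$SAMPLE_MOUNTS" | missing_noatime / /boot /phion0 /proc
```

On a running system, pipe the output of `ethtool -g eth3` into `check_rx_ring 1024` and the contents of /proc/mounts into `missing_noatime`, both before and after a reboot, to confirm the User Scripts entries took effect.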
Increasing the Routing Cache
If you have your Barracuda NG Firewall handling traffic from large networks with a large number of IP addresses on both sides of the forwarding firewall, increase the maximum number of entries that are allowed in the routing cache.
1. Log into the Barracuda NG Firewall.
2. Open the System Settings page (Config > Full Config > Box > Advanced Configuration).
3. From the Configuration menu in the left navigation pane, select Routing Cache.
4. Click Lock.
5. In the Max Routing Cache Entries field, enter the maximum number of entries for the cache. For example, 200000.
6. Click Send Changes and then click Activate.
Disable CPU Power Savings
To enable the highest performance on modern server systems, turn off the CPU power savings. Modify the BIOS settings for the server accordingly.
How to Test Read Performance for Harddisk
To test the read performance of the hard disk on a running Barracuda NG Firewall, use the following command:
    hdparm -tT /dev/
© Barracuda Networks Inc., 2021 The information contained within this document is confidential and proprietary to Barracuda Networks Inc. No portion of this document may be copied, distributed, publicized or used for other than internal documentary purposes without the written consent of an official representative of Barracuda Networks Inc. All specifications are subject to change without notice. Barracuda Networks Inc. assumes no responsibility for any inaccuracies in this document. Barracuda Networks Inc. reserves the right to change, modify, transfer, or otherwise revise this publication without notice.