We've been struggling with Mars performance for quite a while now.
It's too the point now where strategically we're thinking we may have
to migrate away from this solution. I don't just mean the slow GUI...I
mean issues with dropping events and high pnparser and java processor
utilization. pnparser frequently restarts. I'm curious if anyone else
is in a situation similar to ours. We have a 200 (4.3.1) that is
processing about 90-100 million events per day. We don't collect
netflow and we don't use SNMP. We collect about 80-90 million events
per day from a single checkpoint management server. The next busiest
devices are our domain controllers and they are a distant 2nd.
1) Does anyone else have a MARS 100 or 200 seeing this many events per
second (theoretically, even the 100 should be able to handle this
load)? If so, what is your typical pnparser processor and memory
utilization (sysstatus)? Does pnparser constantly get restarted (i.e.
2) Does anyone have a checkpoint environment that processes this many
events per day? If so, do you collect them from a single management/
3) I consider our implementation to be "ideal" from a performance
standpoint. What I mean by that is since we don't do netflow or SNMP,
the opportunity to reach the marketed EPS is greatest. Unfortunately,
I don't believe the 200 is capable of even half its rated capacity
even in this situation. Can anyone speak to there experience along
these lines (MARS rated capacity versus real capacity)?