[Expert@*******:0]# ./s7pac
+-----------------------------------------------------------------------------+
| Super Seven Performance Assessment Commands v0.5 (Thanks to Timothy Hall)   |
+-----------------------------------------------------------------------------+
| Inspecting your environment: OK                                             |
| This is a firewall....(continuing)                                          |
|                                                                             |
| Referred pagenumbers are to be found in the following book:                 |
| Max Power: Check Point Firewall Performance Optimization - Second Edition   |
|                                                                             |
| Available at http://www.maxpowerfirewalls.com/                              |
|                                                                             |
+-----------------------------------------------------------------------------+
| Command #1: fwaccel stat                                                    |
|                                                                             |
| Check for : Accelerator Status must be enabled (R77.xx/R80.10 versions)     |
|             Status must be enabled (R80.20 and higher)                      |
|             Accept Templates must be enabled                                |
|             Message "disabled" from (low rule number) = bad                 |
|                                                                             |
| Chapter 9: SecureXL throughput acceleration                                 |
| Page 278                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
Accelerator Status : on
Accept Templates   : disabled by Firewall
                     Layer cluster-xl-2008 Security disables template offloads from rule #208
                     Throughput acceleration still enabled.
Drop Templates     : disabled
NAT Templates      : disabled by user
NMR Templates      : enabled
NMT Templates      : enabled

Accelerator Features : Accounting, NAT, Cryptography, Routing,
                       HasClock, Templates, Synchronous, IdleDetection,
                       Sequencing, TcpStateDetect, AutoExpire,
                       DelayedNotif, TcpStateDetectV2, CPLS, McastRouting,
                       WireMode, DropTemplates, NatTemplates,
                       Streaming, MultiFW, AntiSpoofing, Nac,
                       ViolationStats, AsychronicNotif, ERDOS,
                       McastRoutingV2, NMR, NMT, NAT64, GTPAcceleration,
                       SCTPAcceleration
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
                        3DES, DES, CAST, CAST-40, AES-128, AES-256,
                        ESP, LinkSelection, DynamicVPN, NatTraversal,
                        EncRouting, AES-XCBC, SHA256

+-----------------------------------------------------------------------------+
| Command #2: fwaccel stats -s                                                |
|                                                                             |
| Check for : Accelerated conns/Totals conns: >25% good, >50% great           |
|             Accelerated pkts/Total pkts   : >50% great                      |
|             PXL pkts/Total pkts           : >50% OK                         |
|             F2Fed pkts/Total pkts         : <30% good, <10% great           |
|                                                                             |
| Chapter 9: SecureXL throughput acceleration                                 |
| Page 287, Packet/Throughput Acceleration: The Three Kernel Paths            |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
Accelerated conns/Total conns : 55/15372 (0%)
Accelerated pkts/Total pkts   : 1532143/610140181 (0%)
F2Fed pkts/Total pkts         : 169283836/610140181 (27%)
PXL pkts/Total pkts           : 439324202/610140181 (72%)
QXL pkts/Total pkts           : 0/610140181 (0%)

+-----------------------------------------------------------------------------+
| Command #3: grep -c ^processor /proc/cpuinfo && /sbin/cpuinfo               |
|                                                                             |
| Check for : If number of cores is roughly double what you are excpecting,   |
|             hyperthreading may be enabled                                   |
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 239                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
12
HyperThreading=disabled

+-----------------------------------------------------------------------------+
| Command #4: fw ctl affinity -l -r                                           |
|                                                                             |
| Check for : SND/IRQ/Dispatcher Cores, # of CPU's allocated to interface(s)  |
|             Firewall Workers/INSPECT Cores, # of CPU's allocated to fw_x    |
|             R77.30: Support processes executed on ALL CPU's                 |
|             R80.xx: Support processes only executed on Firewall Worker Cores|
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 221                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
CPU 0: eth0 eth1 eth2 eth3 eth4 eth5
CPU 1: fw_2 wsdnsd in.acapd in.msd rtmd vpnd fwd pdpd lpd usrchkd rad mpdaemon pepd fwpushd cpd cprid
CPU 2: fw_1 wsdnsd in.acapd in.msd rtmd vpnd fwd pdpd lpd usrchkd rad mpdaemon pepd fwpushd cpd cprid
CPU 3: fw_0 wsdnsd in.acapd in.msd rtmd vpnd fwd pdpd lpd usrchkd rad mpdaemon pepd fwpushd cpd cprid
CPU 4:
CPU 5:
CPU 6:
CPU 7:
CPU 8:
CPU 9:
CPU 10:
CPU 11:
All:
The current license permits the use of CPUs 0, 1, 2, 3 only.

+-----------------------------------------------------------------------------+
| Command #5: netstat -ni                                                     |
|                                                                             |
| Check for : RX/TX errors                                                    |
|             RX-DRP % should be <0.1% calculated by (RX-DRP/RX-OK)*100       |
|             TX-ERR might indicate Fast Ethernet/100Mbps Duplex Mismatch     |
|                                                                             |
| Chapter 2: Layers 1&2 Performance Optimization                              |
| Page 28-35                                                                  |
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 204                                                                    |
| Page 206 (Network Buffering Misses)                                         |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
Kernel Interface table
Iface      MTU Met       RX-OK RX-ERR RX-DRP RX-OVR       TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0      1500   0   153846810      0      0      0   181167148      0      0      0 BMRU
eth1      1500   0 27299493380    411  19582  19582 32385880563      0      0      0 BMRU
eth2      1500   0 26585158375      0      0      0 31510538386      0      0      0 BMRU
eth2.15   1500   0   346140951      0      0      0    54479624      0      0      0 BMRU
eth3      1500   0 34959719410      0   1226      0 26721018673      0      0      0 BMRU
eth4      1500   0   234769178      0      0      0  1078124675      0      0      0 BMRU
eth5      1500   0   234730067      0      0      0  1076593658      0      0      0 BMRU
lo       16436   0   761352369      0      0      0   761352369      0      0      0 LRU

interface eth0: There were no RX drops in the past 0.5 seconds
interface eth0 rx_missed_errors : 0
interface eth0 rx_fifo_errors : 0
interface eth0 rx_no_buffer_count: 0

interface eth1: There were no RX drops in the past 0.5 seconds
interface eth1 rx_missed_errors : 19582
interface eth1 rx_fifo_errors : 19582
interface eth1 rx_no_buffer_count: 33554

interface eth2: There were no RX drops in the past 0.5 seconds
interface eth2 rx_missed_errors : 0
interface eth2 rx_fifo_errors :
interface eth2 rx_no_buffer_count: 0

interface eth2.15: There were no RX drops in the past 0.5 seconds
interface eth2.15 rx_missed_errors : 0
interface eth2.15 rx_fifo_errors :
interface eth2.15 rx_no_buffer_count: 0

interface eth3: There were no RX drops in the past 0.5 seconds
interface eth3 rx_missed_errors : 1226
interface eth3 rx_fifo_errors :
interface eth3 rx_no_buffer_count: 1141

interface eth4: There were no RX drops in the past 0.5 seconds
interface eth4 rx_missed_errors : 0
interface eth4 rx_fifo_errors :
interface eth4 rx_no_buffer_count: 0

interface eth5: There were no RX drops in the past 0.5 seconds
interface eth5 rx_missed_errors : 0
interface eth5 rx_fifo_errors :
interface eth5 rx_no_buffer_count: 0

+-----------------------------------------------------------------------------+
| Command #6: fw ctl multik stat                                              |
|                                                                             |
| Check for : Large # of conns on Worker 0 - IPSec VPN/VoIP?                  |
|             Large imbalance of connections on a single or multiple Workers  |
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 241                                                                    |
|                                                                             |
| Chapter 8: CoreXL VPN Optimization                                          |
| Page 256                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
ID | Active  | CPU    | Connections | Peak
----------------------------------------------
 0 | Yes     | 3      |        5526 |    16469
 1 | Yes     | 2      |        5621 |    16722
 2 | Yes     | 1      |        5626 |    16371

+-----------------------------------------------------------------------------+
| Command #7: cpstat os -f multi_cpu -o 1 -c 5                                |
|                                                                             |
| Check for : High SND/IRQ Core Utilization                                   |
|             High Firewall Worker Core Utilization                           |
|                                                                             |
| Chapter 6: CoreXL & Multi-Queue                                             |
| Page 173                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|            14|          86|      14|        ?|          5914|
|   2|           9|            51|          40|      60|        ?|          5914|
|   3|          11|            49|          40|      60|        ?|          5914|
|   4|           8|            52|          40|      60|        ?|          5914|
|   5|           0|             0|         100|       0|        ?|          5914|
|   6|           0|             0|         100|       0|        ?|          5914|
|   7|           0|             0|         100|       0|        ?|          5914|
|   8|           0|             0|         100|       0|        ?|          5914|
|   9|           0|             0|         100|       0|        ?|          5914|
|  10|           0|             0|         100|       0|        ?|          5914|
|  11|           0|             0|         100|       0|        ?|          5914|
|  12|           0|             0|         100|       0|        ?|          5914|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|            14|          86|      14|        ?|          5914|
|   2|           9|            51|          40|      60|        ?|          5914|
|   3|          11|            49|          40|      60|        ?|          5914|
|   4|           8|            52|          40|      60|        ?|          5914|
|   5|           0|             0|         100|       0|        ?|          5914|
|   6|           0|             0|         100|       0|        ?|          5914|
|   7|           0|             0|         100|       0|        ?|          5914|
|   8|           0|             0|         100|       0|        ?|          5914|
|   9|           0|             0|         100|       0|        ?|          5914|
|  10|           0|             0|         100|       0|        ?|          5914|
|  11|           0|             0|         100|       0|        ?|          5914|
|  12|           0|             0|         100|       0|        ?|          5914|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|            19|          82|      18|        ?|         26475|
|   2|          14|            26|          60|      40|        ?|         26477|
|   3|          15|            27|          58|      42|        ?|         26478|
|   4|           8|            30|          63|      37|        ?|         26479|
|   5|           0|             0|         100|       0|        ?|         26480|
|   6|           0|             0|         100|       0|        ?|         26481|
|   7|           0|             0|         100|       0|        ?|         26482|
|   8|           0|             0|         100|       0|        ?|         26483|
|   9|           0|             0|         100|       0|        ?|         26483|
|  10|           0|             0|         100|       0|        ?|         26483|
|  11|           0|             0|         100|       0|        ?|         26484|
|  12|           0|             0|         100|       0|        ?|         26485|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|            19|          82|      18|        ?|         26475|
|   2|          14|            26|          60|      40|        ?|         26477|
|   3|          15|            27|          58|      42|        ?|         26478|
|   4|           8|            30|          63|      37|        ?|         26479|
|   5|           0|             0|         100|       0|        ?|         26480|
|   6|           0|             0|         100|       0|        ?|         26481|
|   7|           0|             0|         100|       0|        ?|         26482|
|   8|           0|             0|         100|       0|        ?|         26483|
|   9|           0|             0|         100|       0|        ?|         26483|
|  10|           0|             0|         100|       0|        ?|         26483|
|  11|           0|             0|         100|       0|        ?|         26484|
|  12|           0|             0|         100|       0|        ?|         26485|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|            15|          85|      15|        ?|         24601|
|   2|          14|            24|          62|      38|        ?|         24602|
|   3|          13|            25|          62|      38|        ?|         49206|
|   4|          12|            30|          58|      42|        ?|         24604|
|   5|           0|             0|         100|       0|        ?|         24605|
|   6|           0|             0|         100|       0|        ?|         24607|
|   7|           0|             0|         100|       0|        ?|         24608|
|   8|           0|             0|         100|       0|        ?|         24609|
|   9|           0|             0|         100|       0|        ?|         24610|
|  10|           0|             0|         100|       0|        ?|         24611|
|  11|           0|             0|         100|       0|        ?|         24611|
|  12|           0|             0|         100|       0|        ?|         24612|
---------------------------------------------------------------------------------

+-----------------------------------------------------------------------------+
| Thanks for using s7pac                                                      |
+-----------------------------------------------------------------------------+