[Expert@fw01-cbra:0]# s7pac
+-----------------------------------------------------------------------------+
| Super Seven Performance Assessment Commands v0.5 (Thanks to Timothy Hall)   |
+-----------------------------------------------------------------------------+
| Inspecting your environment: OK                                             |
| This is a firewall....(continuing)                                          |
|                                                                             |
| Referred pagenumbers are to be found in the following book:                 |
| Max Power: Check Point Firewall Performance Optimization - Second Edition   |
|                                                                             |
| Available at http://www.maxpowerfirewalls.com/                              |
|                                                                             |
+-----------------------------------------------------------------------------+
| Command #1: fwaccel stat                                                    |
|                                                                             |
| Check for : Accelerator Status must be enabled (R77.xx/R80.10 versions)     |
|             Status must be enabled (R80.20 and higher)                      |
|             Accept Templates must be enabled                                |
|             Message "disabled" from (low rule number) = bad                 |
|                                                                             |
| Chapter 9: SecureXL throughput acceleration                                 |
| Page 278                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
Accelerator Status : on
Accept Templates   : disabled by Firewall
                     Layer Network disables template offloads from rule #23
                     Throughput acceleration still enabled.
Drop Templates     : disabled
NAT Templates      : disabled by user
NMR Templates      : enabled
NMT Templates      : enabled

Accelerator Features : Accounting, NAT, Cryptography, Routing,
                       HasClock, Templates, Synchronous, IdleDetection,
                       Sequencing, TcpStateDetect, AutoExpire,
                       DelayedNotif, TcpStateDetectV2, CPLS, McastRouting,
                       WireMode, DropTemplates, NatTemplates,
                       Streaming, MultiFW, AntiSpoofing, Nac,
                       ViolationStats, AsychronicNotif, ERDOS,
                       McastRoutingV2, NMR, NMT, NAT64, GTPAcceleration,
                       SCTPAcceleration
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
                        3DES, DES, CAST, CAST-40, AES-128, AES-256,
                        ESP, LinkSelection, DynamicVPN, NatTraversal,
                        EncRouting, AES-XCBC, SHA256

+-----------------------------------------------------------------------------+
| Command #2: fwaccel stats -s                                                |
|                                                                             |
| Check for : Accelerated conns/Totals conns: >25% good, >50% great           |
|             Accelerated pkts/Total pkts   : >50% great                      |
|             PXL pkts/Total pkts           : >50% OK                         |
|             F2Fed pkts/Total pkts         : <30% good, <10% great           |
|                                                                             |
| Chapter 9: SecureXL throughput acceleration                                 |
| Page 287, Packet/Throughput Acceleration: The Three Kernel Paths            |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
Accelerated conns/Total conns : 789/893 (88%)
Accelerated pkts/Total pkts   : 3772147/3828229 (98%)
F2Fed pkts/Total pkts         : 54908/3828229 (1%)
PXL pkts/Total pkts           : 1174/3828229 (0%)
QXL pkts/Total pkts           : 0/3828229 (0%)

+-----------------------------------------------------------------------------+
| Command #3: grep -c ^processor /proc/cpuinfo && /sbin/cpuinfo               |
|                                                                             |
| Check for : If number of cores is roughly double what you are excpecting,   |
|             hyperthreading may be enabled                                   |
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 239                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
2
HyperThreading=disabled

+-----------------------------------------------------------------------------+
| Command #4: fw ctl affinity -l -r                                           |
|                                                                             |
| Check for : SND/IRQ/Dispatcher Cores, # of CPU's allocated to interface(s)  |
|             Firewall Workers/INSPECT Cores, # of CPU's allocated to fw_x    |
|             R77.30: Support processes executed on ALL CPU's                 |
|             R80.xx: Support processes only executed on Firewall Worker Cores|
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 221                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
CPU 0:  eth3 eth5 Mgmt
        fw_1
CPU 1:  eth1 eth2
        fw_0
All:    in.asessiond in.msd usrchkd rad lpd in.acapd fwd vpnd mpdaemon cpd cprid

+-----------------------------------------------------------------------------+
| Command #5: netstat -ni                                                     |
|                                                                             |
| Check for : RX/TX errors                                                    |
|             RX-DRP % should be <0.1% calculated by (RX-DRP/RX-OK)*100       |
|             TX-ERR might indicate Fast Ethernet/100Mbps Duplex Mismatch     |
|                                                                             |
| Chapter 2: Layers 1&2 Performance Optimization                              |
| Page 28-35                                                                  |
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 204                                                                    |
| Page 206 (Network Buffering Misses)                                         |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
Kernel Interface table
Iface   MTU Met     RX-OK RX-ERR RX-DRP RX-OVR     TX-OK TX-ERR TX-DRP TX-OVR Flg
Mgmt   1500   0   1751037      0      0      0       277      0      0      0 BMRU
eth1   1500   0 131878042      0      0      0 171817134      0      0      0 BMRU
eth2   1500   0  71384750      0      0      0  52734448      0      0      0 BMRU
eth3   1500   0 146527445      0      0      0 111283614      0      0      0 BMRU
eth5   1500   0 157509526      0      0      0 125390308      0      0      0 BMRU
lo    16436   0   1896558      0      0      0   1896558      0      0      0 LRU

interface eth1: There were no RX drops in the past 0.5 seconds
interface eth1 rx_missed_errors  : 0
interface eth1 rx_fifo_errors    : 0
interface eth1 rx_no_buffer_count: 0

interface eth2: There were no RX drops in the past 0.5 seconds
interface eth2 rx_missed_errors  : 0
interface eth2 rx_fifo_errors    : 0
interface eth2 rx_no_buffer_count: 0

interface eth3: There were no RX drops in the past 0.5 seconds
interface eth3 rx_missed_errors  : 0
interface eth3 rx_fifo_errors    : 0
interface eth3 rx_no_buffer_count: 0

interface eth5: There were no RX drops in the past 0.5 seconds
interface eth5 rx_missed_errors  : 0
interface eth5 rx_fifo_errors    : 0
interface eth5 rx_no_buffer_count: 0

+-----------------------------------------------------------------------------+
| Command #6: fw ctl multik stat                                              |
|                                                                             |
| Check for : Large # of conns on Worker 0 - IPSec VPN/VoIP?                  |
|             Large imbalance of connections on a single or multiple Workers  |
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 241                                                                    |
|                                                                             |
| Chapter 8: CoreXL VPN Optimization                                          |
| Page 256                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
ID | Active  | CPU    | Connections | Peak
----------------------------------------------
 0 | Yes     | 1      |         498 |     5583
 1 | Yes     | 0      |         543 |     4210

+-----------------------------------------------------------------------------+
| Command #7: cpstat os -f multi_cpu -o 1 -c 5                                |
|                                                                             |
| Check for : High SND/IRQ Core Utilization                                   |
|             High Firewall Worker Core Utilization                           |
|                                                                             |
| Chapter 6: CoreXL & Multi-Queue                                             |
| Page 173                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           1|             2|          96|       4|        ?|          1796|
|   2|           2|             4|          94|       6|        ?|          1796|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           1|             2|          96|       4|        ?|          1796|
|   2|           2|             4|          94|       6|        ?|          1796|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|             0|         100|       0|        ?|          1652|
|   2|           0|             1|          99|       1|        ?|          1652|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|             0|         100|       0|        ?|          1652|
|   2|           0|             1|          99|       1|        ?|          1652|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           1|             0|         100|       0|        ?|          1600|
|   2|           0|             1|          99|       1|        ?|          1600|
---------------------------------------------------------------------------------

+-----------------------------------------------------------------------------+
| Thanks for using s7pac                                                      |
+-----------------------------------------------------------------------------+