+-----------------------------------------------------------------------------+
| Super Seven Performance Assessment Commands v0.5 (Thanks to Timothy Hall)   |
+-----------------------------------------------------------------------------+
| Inspecting your environment: OK                                             |
| This is a firewall....(continuing)                                          |
|                                                                             |
| Referred pagenumbers are to be found in the following book:                 |
| Max Power: Check Point Firewall Performance Optimization - Second Edition   |
|                                                                             |
| Available at http://www.maxpowerfirewalls.com/                              |
|                                                                             |
+-----------------------------------------------------------------------------+
| Command #1: fwaccel stat                                                    |
|                                                                             |
| Check for : Accelerator Status must be enabled (R77.xx/R80.10 versions)     |
|             Status must be enabled (R80.20 and higher)                      |
|             Accept Templates must be enabled                                |
|             Message "disabled" from (low rule number) = bad                 |
|                                                                             |
| Chapter 9: SecureXL throughput acceleration                                 |
| Page 278                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
+---------------------------------------------------------------------------------+
|Id|Name     |Status     |Interfaces               |Features                      |
+---------------------------------------------------------------------------------+
|0 |KPPAK    |enabled    |eth0,eth1                |Acceleration,Cryptography     |
|  |         |           |                         |                              |
|  |         |           |                         |Crypto: Tunnel,UDPEncap,MD5,  |
|  |         |           |                         |SHA1,3DES,DES,AES-128,AES-256,|
|  |         |           |                         |ESP,LinkSelection,DynamicVPN, |
|  |         |           |                         |NatTraversal,AES-XCBC,SHA256, |
|  |         |           |                         |SHA384,SHA512                 |
+---------------------------------------------------------------------------------+

Accept Templates : enabled
Drop Templates   : disabled
NAT Templates    : enabled
LightSpeed Accel : disabled
+-----------------------------------------------------------------------------+
| Command #2: fwaccel stats -s                                                |
|                                                                             |
| Check for : Accelerated conns/Totals conns: >25% good, >50% great           |
|             Accelerated pkts/Total pkts   : >50% great                      |
|             PXL pkts/Total pkts           : >50% OK                         |
|             F2Fed pkts/Total pkts         : <30% good, <10% great           |
|                                                                             |
| Chapter 9: SecureXL throughput acceleration                                 |
| Page 287, Packet/Throughput Acceleration: The Three Kernel Paths            |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
Accelerated conns/Total conns : 2/2 (100%)
LightSpeed conns/Total conns  : 0/2 (0%)
Accelerated pkts/Total pkts   : 2090/795363 (0%)
LightSpeed pkts/Total pkts    : 0/795363 (0%)
F2Fed pkts/Total pkts         : 793273/795363 (99%)
F2V pkts/Total pkts           : 170/795363 (0%)
CPASXL pkts/Total pkts        : 0/795363 (0%)
PSLXL pkts/Total pkts         : 0/795363 (0%)
CPAS pipeline pkts/Total pkts : 0/795363 (0%)
PSL pipeline pkts/Total pkts  : 0/795363 (0%)
QOS inbound pkts/Total pkts   : 0/795363 (0%)
QOS outbound pkts/Total pkts  : 0/795363 (0%)
Corrected pkts/Total pkts     : 0/795363 (0%)
+-----------------------------------------------------------------------------+
| Command #3: grep -c ^processor /proc/cpuinfo && /sbin/cpuinfo               |
|                                                                             |
| Check for : If number of cores is roughly double what you are excpecting,   |
|             hyperthreading may be enabled                                   |
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 239                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
8
+-----------------------------------------------------------------------------+
| Command #4: fw ctl affinity -l -r                                           |
|                                                                             |
| Check for : SND/IRQ/Dispatcher Cores, # of CPU's allocated to interface(s)  |
|             Firewall Workers/INSPECT Cores, # of CPU's allocated to fw_x    |
|             R77.30: Support processes executed on ALL CPU's                 |
|             R80.xx: Support processes only executed on Firewall Worker Cores|
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 221                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
CPU 0:
CPU 1:
CPU 2:  fw_5 (active)
        cprid lpd mpdaemon fwd core_uploader in.asessiond cprid cpd msgd
CPU 3:  fw_4 (active)
        cprid lpd mpdaemon fwd core_uploader in.asessiond cprid cpd msgd
CPU 4:  fw_3 (active)
        cprid lpd mpdaemon fwd core_uploader in.asessiond cprid cpd msgd
CPU 5:  fw_2 (active)
        cprid lpd mpdaemon fwd core_uploader in.asessiond cprid cpd msgd
CPU 6:  fw_1 (active)
        cprid lpd mpdaemon fwd core_uploader in.asessiond cprid cpd msgd
CPU 7:  fw_0 (active)
        cprid lpd mpdaemon fwd core_uploader in.asessiond cprid cpd msgd
All:
Interface eth0: has multi queue enabled
Interface eth1: has multi queue enabled
+-----------------------------------------------------------------------------+
| Command #5: netstat -ni                                                     |
|                                                                             |
| Check for : RX/TX errors                                                    |
|             RX-DRP % should be <0.1% calculated by (RX-DRP/RX-OK)*100       |
|             TX-ERR might indicate Fast Ethernet/100Mbps Duplex Mismatch     |
|                                                                             |
| Chapter 2: Layers 1&2 Performance Optimization                              |
| Page 28-35                                                                  |
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 204                                                                    |
| Page 206 (Network Buffering Misses)                                         |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500   0   382918      0      0      0   193335      0      0      0 BMRU
eth1       1500   0    18082      0      0      0    13838      0      0      0 BMRU
lo        65536   0     9173      0      0      0     9173      0      0      0 ALMNRU

interface eth0: There were no RX drops in the past 0.5 seconds
interface eth0 rx_missed_errors :
interface eth0 rx_fifo_errors :
interface eth0 rx_no_buffer_count:

interface eth1: There were no RX drops in the past 0.5 seconds
interface eth1 rx_missed_errors :
interface eth1 rx_fifo_errors :
interface eth1 rx_no_buffer_count:
+-----------------------------------------------------------------------------+
| Command #6: fw ctl multik stat                                              |
|                                                                             |
| Check for : Large # of conns on Worker 0 - IPSec VPN/VoIP?                  |
|             Large imbalance of connections on a single or multiple Workers  |
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 241                                                                    |
|                                                                             |
| Chapter 8: CoreXL VPN Optimization                                          |
| Page 256                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
ID | Active  | CPU    | Connections | Peak
-----------------------------------------------
 0 | Yes     | 7      |           0 |       13
 1 | Yes     | 6      |           0 |       15
 2 | Yes     | 5      |           1 |       16
 3 | Yes     | 4      |           3 |       16
 4 | Yes     | 3      |           1 |       12
 5 | Yes     | 2      |           2 |       14
+-----------------------------------------------------------------------------+
| Command #7: cpstat os -f multi_cpu -o 1 -c 5                                |
|                                                                             |
| Check for : High SND/IRQ Core Utilization                                   |
|             High Firewall Worker Core Utilization                           |
|                                                                             |
| Chapter 6: CoreXL & Multi-Queue                                             |
| Page 173                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|             1|          99|       1|        ?|          2625|
|   2|           0|             1|          99|       1|        ?|          2625|
|   3|           4|             4|          92|       8|        ?|          3281|
|   4|           1|             3|          96|       4|        ?|          3281|
|   5|           1|             2|          97|       3|        ?|          3281|
|   6|           1|             4|          95|       5|        ?|          3281|
|   7|           1|             3|          96|       4|        ?|          3281|
|   8|           3|             4|          93|       7|        ?|          3281|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|             1|          99|       1|        ?|          2625|
|   2|           0|             1|          99|       1|        ?|          2625|
|   3|           4|             4|          92|       8|        ?|          3281|
|   4|           1|             3|          96|       4|        ?|          3281|
|   5|           1|             2|          97|       3|        ?|          3281|
|   6|           1|             4|          95|       5|        ?|          3281|
|   7|           1|             3|          96|       4|        ?|          3281|
|   8|           3|             4|          93|       7|        ?|          3281|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|             0|         100|       0|        ?|          3414|
|   2|           0|             0|         100|       0|        ?|          1708|
|   3|           1|             1|          99|       1|        ?|          3418|
|   4|           0|             0|         100|       0|        ?|          3418|
|   5|           0|             1|          99|       1|        ?|          3418|
|   6|           0|             0|         100|       0|        ?|          3418|
|   7|           1|             1|          99|       1|        ?|          1709|
|   8|           1|             0|          99|       1|        ?|          3418|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|             0|         100|       0|        ?|          3414|
|   2|           0|             0|         100|       0|        ?|          1708|
|   3|           1|             1|          99|       1|        ?|          3418|
|   4|           0|             0|         100|       0|        ?|          3418|
|   5|           0|             1|          99|       1|        ?|          3418|
|   6|           0|             0|         100|       0|        ?|          3418|
|   7|           1|             1|          99|       1|        ?|          1709|
|   8|           1|             0|          99|       1|        ?|          3418|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|             0|         100|       0|        ?|          1686|
|   2|           0|             0|         100|       0|        ?|          3372|
|   3|           0|             1|          99|       1|        ?|          3371|
|   4|           0|             1|         100|       0|        ?|          1685|
|   5|           1|             0|         100|       0|        ?|          1685|
|   6|           0|             1|          99|       1|        ?|          3371|
|   7|           0|             0|         100|       0|        ?|          3371|
|   8|           0|             1|          99|       1|        ?|          3371|
---------------------------------------------------------------------------------
+-----------------------------------------------------------------------------+
| Thanks for using s7pac                                                      |
+-----------------------------------------------------------------------------+