+-----------------------------------------------------------------------------+
| Super Seven Performance Assessment Commands v0.4 (Thanks to Timothy Hall)   |
+-----------------------------------------------------------------------------+
| Inspecting your environment: OK                                             |
| This is a firewall....(continuing)                                          |
|                                                                             |
| Referred pagenumbers are to be found in the following book:                 |
| Max Power: Check Point Firewall Performance Optimization - Second Edition   |
|                                                                             |
| Available at http://www.maxpowerfirewalls.com/                              |
|                                                                             |
+-----------------------------------------------------------------------------+
| Command #1: fwaccel stat                                                    |
|                                                                             |
| Check for : Accelerator Status must be enabled (R77.xx/R80.10 versions)     |
|             Status must be enabled (R80.20 and higher)                      |
|             Accept Templates must be enabled                                |
|             Message "disabled" from (low rule number) = bad                 |
|                                                                             |
| Chapter 9: SecureXL throughput acceleration                                 |
| Page 278                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
Accelerator Status : on
Accept Templates   : disabled by Firewall
                     Layer Network disables template offloads from rule #73
                     Throughput acceleration still enabled.
Drop Templates     : disabled
NAT Templates      : disabled by user
NMR Templates      : enabled
NMT Templates      : enabled

Accelerator Features : Accounting, NAT, Cryptography, Routing,
                       HasClock, Templates, Synchronous, IdleDetection,
                       Sequencing, TcpStateDetect, AutoExpire,
                       DelayedNotif, TcpStateDetectV2, CPLS, McastRouting,
                       WireMode, DropTemplates, NatTemplates,
                       Streaming, MultiFW, AntiSpoofing, Nac,
                       ViolationStats, AsychronicNotif, ERDOS,
                       McastRoutingV2, NMR, NMT, NAT64, GTPAcceleration,
                       SCTPAcceleration
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
                        3DES, DES, CAST, CAST-40, AES-128, AES-256,
                        ESP, LinkSelection, DynamicVPN, NatTraversal,
                        EncRouting, AES-XCBC, SHA256

+-----------------------------------------------------------------------------+
| Command #2: fwaccel stats -s                                                |
|                                                                             |
| Check for : Accelerated conns/Totals conns: >25% good, >50% great           |
|             Accelerated pkts/Total pkts   : >50% great                      |
|             PXL pkts/Total pkts           : >50% OK                         |
|             F2Fed pkts/Total pkts         : <30% good, <10% great           |
|                                                                             |
| Chapter 9: SecureXL throughput acceleration                                 |
| Page 287, Packet/Throughput Acceleration: The Three Kernel Paths            |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
Accelerated conns/Total conns : 0/36 (0%)
Accelerated pkts/Total pkts   : 0/315842028 (0%)
F2Fed pkts/Total pkts         : 315842028/315842028 (100%)
PXL pkts/Total pkts           : 0/315842028 (0%)
QXL pkts/Total pkts           : 0/315842028 (0%)

+-----------------------------------------------------------------------------+
| Command #3: grep -c ^processor /proc/cpuinfo && /sbin/cpuinfo               |
|                                                                             |
| Check for : If number of cores is roughly double what you are excpecting,   |
|             hyperthreading may be enabled                                   |
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 239                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
6
HyperThreading=disabled

+-----------------------------------------------------------------------------+
| Command #4: fw ctl affinity -l -r                                           |
|                                                                             |
| Check for : SND/IRQ/Dispatcher Cores, # of CPU's allocated to interface(s)  |
|             Firewall Workers/INSPECT Cores, # of CPU's allocated to fw_x    |
|             R77.30: Support processes executed on ALL CPU's                 |
|             R80.xx: Support processes only executed on Firewall Worker Cores|
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 221                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
CPU 0: eth2-01 eth1-01 eth2-02 eth3-05 eth3-06 eth3-07 eth3-02
CPU 1: Sync Mgmt eth1-03 eth2-03 eth3-01 eth3-03
CPU 2: fw_3 lpd rtmd vpnd in.asessiond mpdaemon fwd cplmd cpca fwm cprid cpd
CPU 3: fw_2 lpd rtmd vpnd in.asessiond mpdaemon fwd cplmd cpca fwm cprid cpd
CPU 4: fw_1 lpd rtmd vpnd in.asessiond mpdaemon fwd cplmd cpca fwm cprid cpd
CPU 5: fw_0 lpd rtmd vpnd in.asessiond mpdaemon fwd cplmd cpca fwm cprid cpd
All:

+-----------------------------------------------------------------------------+
| Command #5: netstat -ni                                                     |
|                                                                             |
| Check for : RX/TX errors                                                    |
|             RX-DRP % should be <0.1% calculated by (RX-DRP/RX-OK)*100       |
|             TX-ERR might indicate Fast Ethernet/100Mbps Duplex Mismatch     |
|                                                                             |
| Chapter 2: Layers 1&2 Performance Optimization                              |
| Page 28-35                                                                  |
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 204                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
Kernel Interface table
Iface      MTU Met      RX-OK RX-ERR   RX-DRP   RX-OVR      TX-OK TX-ERR TX-DRP TX-OVR Flg
Mgmt      1500   0      95868      0        0        0         89      0      0      0 BMRU
Sync      1500   0 1321471775      0        0        0  233359220      0      0      0 BMRU
bond0     1500   0 1002831489      0        0        0 2679361965      0      0      0 BMmRU
bond1     1500   0 5779108279      0        0        0 1730725191      0      0      0 BMmRU
eth1-01   1500   0  258887247      0 18153845 18153845  109252708      0      0      0 BMRU
eth1-03   1500   0   91007956      0 19271801 19271801  122164607      0      0      0 BMRU
eth2-01   1500   0 1127848613      1        0        0 3652400924      0      0      0 BMRU
eth2-02   1500   0 1002831489      0        0        0 2679361965      0      0      0 BMsRU
eth2-03   1500   0 5779108279      0        0        0 1730725191      0      0      0 BMsRU
eth3-01   1500   0          0      0        0        0          0      0      0      0 BMU
eth3-02   1500   0          0      0        0        0          0      0      0      0 BMU
eth3-03   1500   0   37226066      0        0        0   37128341      0      0      0 BMRU
eth3-05   1500   0          0      0        0        0          0      0      0      0 BMU
eth3-06   1500   0          0      0        0        0          0      0      0      0 BMU
eth3-07   1500   0  191875272      0        0        0   65145065      0      0      0 BMRU
lo       16436   0  101917599      0        0        0  101917599      0      0      0 LRU

interface eth1-01: There are RX drops
interface eth1-01: RX-DRP percentage is 7.01226% (must be <0.1%)
See page 206 (Network Buffering Misses).
interface eth1-03: There are RX drops
interface eth1-03: RX-DRP percentage is 21.176% (must be <0.1%)
See page 206 (Network Buffering Misses).
interface eth2-01: There are no RX drops
interface eth2-02: There are no RX drops
interface eth2-03: There are no RX drops
interface eth3-01: There are no RX drops
interface eth3-02: There are no RX drops
interface eth3-03: There are no RX drops
interface eth3-05: There are no RX drops
interface eth3-06: There are no RX drops
interface eth3-07: There are no RX drops

+-----------------------------------------------------------------------------+
| Command #6: fw ctl multik stat                                              |
|                                                                             |
| Check for : Large # of conns on Worker 0 - IPSec VPN/VoIP?                  |
|             Large imbalance of connections on a single or multiple Workers  |
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 241                                                                    |
|                                                                             |
| Chapter 8: CoreXL VPN Optimization                                          |
| Page 256                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
ID | Active  | CPU    | Connections | Peak
----------------------------------------------
 0 | Yes     | 5      |        3974 |     7499
 1 | Yes     | 4      |        3971 |     7118
 2 | Yes     | 3      |        5230 |     8052
 3 | Yes     | 2      |        4184 |     8220

+-----------------------------------------------------------------------------+
| Command #7: cpstat os -f multi_cpu -o 1 -c 5                                |
|                                                                             |
| Check for : High SND/IRQ Core Utilization                                   |
|             High Firewall Worker Core Utilization                           |
|                                                                             |
| Chapter 6: CoreXL & Multi-Queue                                             |
| Page 173                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|             0|         100|       0|        ?|           157|
|   2|           0|             1|          99|       1|        ?|           157|
|   3|           1|             7|          92|       8|        ?|           158|
|   4|           2|             7|          91|       9|        ?|           158|
|   5|           2|             5|          94|       6|        ?|           158|
|   6|           1|             4|          95|       5|        ?|           158|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|             0|         100|       0|        ?|           157|
|   2|           0|             1|          99|       1|        ?|           157|
|   3|           1|             7|          92|       8|        ?|           158|
|   4|           2|             7|          91|       9|        ?|           158|
|   5|           2|             5|          94|       6|        ?|           158|
|   6|           1|             4|          95|       5|        ?|           158|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|             0|         100|       0|        ?|          1683|
|   2|           0|             1|          99|       1|        ?|          1683|
|   3|           0|             1|          99|       1|        ?|          3366|
|   4|           3|             1|          97|       3|        ?|          3366|
|   5|           1|             1|          99|       1|        ?|          1683|
|   6|           2|             1|          97|       3|        ?|          1683|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|             0|         100|       0|        ?|          1683|
|   2|           0|             1|          99|       1|        ?|          1683|
|   3|           0|             1|          99|       1|        ?|          3366|
|   4|           3|             1|          97|       3|        ?|          3366|
|   5|           1|             1|          99|       1|        ?|          1683|
|   6|           2|             1|          97|       3|        ?|          1683|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|             0|         100|       0|        ?|          1652|
|   2|           0|             0|         100|       0|        ?|          1652|
|   3|           0|             1|         100|       0|        ?|          1652|
|   4|           0|             1|          99|       1|        ?|          1652|
|   5|           0|             1|          99|       1|        ?|          1652|
|   6|           1|             1|          99|       1|        ?|          1652|
---------------------------------------------------------------------------------

+-----------------------------------------------------------------------------+
| Thanks for using s7pac                                                      |
+-----------------------------------------------------------------------------+