+-----------------------------------------------------------------------------+
| Super Seven Performance Assessment Commands v0.5 (Thanks to Timothy Hall)   |
+-----------------------------------------------------------------------------+
| Inspecting your environment: OK                                             |
| This is a firewall....(continuing)                                          |
|                                                                             |
| Referred pagenumbers are to be found in the following book:                 |
| Max Power: Check Point Firewall Performance Optimization - Second Edition   |
|                                                                             |
| Available at http://www.maxpowerfirewalls.com/                              |
+-----------------------------------------------------------------------------+
| Command #1: fwaccel stat                                                    |
|                                                                             |
| Check for : Accelerator Status must be enabled (R77.xx/R80.10 versions)     |
|             Status must be enabled (R80.20 and higher)                      |
|             Accept Templates must be enabled                                |
|             Message "disabled" from (low rule number) = bad                 |
|                                                                             |
| Chapter 9: SecureXL throughput acceleration                                 |
| Page 278                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
+---------------------------------------------------------------------------------+
|Id|Name     |Status     |Interfaces               |Features                      |
+---------------------------------------------------------------------------------+
|0 |SND      |enabled    |ethsBP1,ethsBP5,ethsBP2, |Acceleration,Cryptography     |
|  |         |           |ethsBP6,ethsBP3,         |                              |
|  |         |           |ethsBP1-01,ethsBP7,      |Crypto: Tunnel,UDPEncap,MD5,  |
|  |         |           |ethsBP4,ethsBP8,         |SHA1,3DES,DES,AES-128,AES-256,|
|  |         |           |ethsBP1-02,eth1-05,      |ESP,LinkSelection,DynamicVPN, |
|  |         |           |eth1-09,eth1-13,         |NatTraversal,AES-XCBC,SHA256, |
|  |         |           |eth1-Mgmt1,eth1-Sync,    |SHA384,SHA512                 |
|  |         |           |eth1-CIN,eth2-05,eth2-09,|                              |
|  |         |           |eth2-13,eth2-Mgmt1,      |                              |
|  |         |           |eth2-Sync,eth2-CIN       |                              |
+---------------------------------------------------------------------------------+

Accept Templates : enabled
Drop Templates   : enabled
NAT Templates    : enabled
+-----------------------------------------------------------------------------+
| Command #2: fwaccel stats -s                                                |
|                                                                             |
| Check for : Accelerated conns/Totals conns: >25% good, >50% great           |
|             Accelerated pkts/Total pkts : >50% great                        |
|             PXL pkts/Total pkts : >50% OK                                   |
|             F2Fed pkts/Total pkts : <30% good, <10% great                   |
|                                                                             |
| Chapter 9: SecureXL throughput acceleration                                 |
| Page 287, Packet/Throughput Acceleration: The Three Kernel Paths            |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
Accelerated conns/Total conns : 17/32257 (0%)
Accelerated pkts/Total pkts   : 9857276819/12805700113 (76%)
F2Fed pkts/Total pkts         : 2948423294/12805700113 (23%)
F2V pkts/Total pkts           : 124660320/12805700113 (0%)
CPASXL pkts/Total pkts        : 3815305761/12805700113 (29%)
PSLXL pkts/Total pkts         : 5798498938/12805700113 (45%)
CPAS pipeline pkts/Total pkts : 0/12805700113 (0%)
PSL pipeline pkts/Total pkts  : 0/12805700113 (0%)
CPAS inline pkts/Total pkts   : 0/12805700113 (0%)
PSL inline pkts/Total pkts    : 0/12805700113 (0%)
QOS inbound pkts/Total pkts   : 0/12805700113 (0%)
QOS outbound pkts/Total pkts  : 0/12805700113 (0%)
Corrected pkts/Total pkts     : 0/12805700113 (0%)
+-----------------------------------------------------------------------------+
| Command #3: grep -c ^processor /proc/cpuinfo && /sbin/cpuinfo               |
|                                                                             |
| Check for : If number of cores is roughly double what you are excpecting,   |
|             hyperthreading may be enabled                                   |
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 239                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
8
HyperThreading=enabled
+-----------------------------------------------------------------------------+
| Command #4: fw ctl affinity -l -r                                           |
|                                                                             |
| Check for : SND/IRQ/Dispatcher Cores, # of CPU's allocated to interface(s)  |
|             Firewall Workers/INSPECT Cores, # of CPU's allocated to fw_x    |
|             R77.30: Support processes executed on ALL CPU's                 |
|             R80.xx: Support processes only executed on Firewall Worker Cores|
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 221                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
CPU 0:
CPU 1: fw_5
       cprid in.asessiond iked in.msd core_uploader fwd mpdaemon in.geod lpd pdpd usrchkd pepd rad in.acapd vpnd wsdnsd cpd cprid
CPU 2: fw_3
       cprid in.asessiond iked in.msd core_uploader fwd mpdaemon in.geod lpd pdpd usrchkd pepd rad in.acapd vpnd wsdnsd cpd cprid
CPU 3: fw_1
       cprid in.asessiond iked in.msd core_uploader fwd mpdaemon in.geod lpd pdpd usrchkd pepd rad in.acapd vpnd wsdnsd cpd cprid
CPU 4:
CPU 5: fw_4
       cprid in.asessiond iked in.msd core_uploader fwd mpdaemon in.geod lpd pdpd usrchkd pepd rad in.acapd vpnd wsdnsd cpd cprid
CPU 6: fw_2
       cprid in.asessiond iked in.msd core_uploader fwd mpdaemon in.geod lpd pdpd usrchkd pepd rad in.acapd vpnd wsdnsd cpd cprid
CPU 7: fw_0
       cprid in.asessiond iked in.msd core_uploader fwd mpdaemon in.geod lpd pdpd usrchkd pepd rad in.acapd vpnd wsdnsd cpd cprid
All:
Interface ethsBP1: has multi queue enabled
Interface ethsBP5: has multi queue enabled
Interface ethsBP2: has multi queue enabled
Interface ethsBP6: has multi queue enabled
Interface ethsBP3: has multi queue enabled
Interface ethsBP1-01: has multi queue enabled
Interface ethsBP7: has multi queue enabled
Interface ethsBP4: has multi queue enabled
Interface ethsBP8: has multi queue enabled
Interface ethsBP1-02: has multi queue enabled
+-----------------------------------------------------------------------------+
| Command #5: netstat -ni                                                     |
|                                                                             |
| Check for : RX/TX errors                                                    |
|             RX-DRP % should be <0.1% calculated by (RX-DRP/RX-OK)*100       |
|             TX-ERR might indicate Fast Ethernet/100Mbps Duplex Mismatch     |
|                                                                             |
| Chapter 2: Layers 1&2 Performance Optimization                              |
| Page 28-35                                                                  |
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 204                                                                    |
| Page 206 (Network Buffering Misses)                                         |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
Kernel Interface table
Iface        MTU Met       RX-OK RX-ERR RX-DRP RX-OVR       TX-OK TX-ERR TX-DRP TX-OVR Flg
BPEth0      1500   0 12470898924      0      0      0 11085922182      0      0      0 BMmRU
BPEth1      1500   0    62708190      0      0      0    79294395      0      0      0 BMmRU
Sync        1500   0   144510717      0      0      0   131530671      0      0      0 BMmRU
bond51      1500   0    81617152      0      0      0   106021096      0      0      0 BMmRU
bond108     1500   0  7294785445      0      0      0  4609169506      0      0      0 BMmRU
bond250     1500   0  5010528329      0      0      0  6316427608      0      0      0 BMmRU
ethsBP1     1500   0           0      0      0      0           0      0      0      0 BMU
eth1-05     1500   0  5010528388      0      0      0  6316427707      0      0      0 BMsRU
eth1-09     1500   0  7294785599      0      0      0  4609169614      0      0      0 BMsRU
eth1-13     1500   0    81617154      0      0      0   106021091      0      0      0 BMsRU
ethsBP1-01  1500   0 12470743343      0      0      0 11085837071      0      0      0 ABMsRU
ethsBP1-02  1500   0    62647249      0      0      0    79293925      0      0      0 ABMsRU
ethsBP2     1500   0           0      0      0      0           0      0      0      0 BMU
ethsBP3     1500   0           0      0      0      0           0      0      0      0 BMU
ethsBP4     1500   0           0      0      0      0           0      0      0      0 BMU
ethsBP5     1500   0           0      0      0      0           0      0      0      0 BMU
ethsBP6     1500   0           0      0      0      0           0      0      0      0 BMU
ethsBP7     1500   0           0      0      0      0           0      0      0      0 BMU
ethsBP8     1500   0           0      0      0      0           0      0      0      0 BMU
eth1-CIN    1500   0      418780      0      0      0      518744      0      0      0 BMRU
eth1-Mgmt1  1500   0      659389      0      0      0      976386      0      0      0 BMsRU
eth1-Sync   1500   0    82873653      0      0      0    52814808      0      0      0 BMsRU
eth2-05     1500   0           0      0      0      0           0      0      0      0 BMsU
eth2-09     1500   0           0      0      0      0           0      0      0      0 BMsU
eth2-13     1500   0           0      0      0      0           8      0      0      0 BMsU
eth2-CIN    1500   0      424349      0      0      0      525112      0      0      0 BMRU
eth2-Mgmt1  1500   0      629561      0      0      0           2      0      0      0 BMsRU
eth2-Sync   1500   0    61638171      0      0      0    78715879      0      0      0 BMsRU
lo         65536   0    19497320      0      0      0    19497320      0      0      0 LMdPORU
magg1       1500   0     1288878      0      0      0      976388      0      0      0 BMmRU

interface ethsBP1: There were no RX drops in the past 0.5 seconds
interface ethsBP1 rx_missed_errors  : 0
interface ethsBP1 rx_fifo_errors    : 0
interface ethsBP1 rx_no_buffer_count: 0
interface eth1-05: There were no RX drops in the past 0.5 seconds
interface eth1-05 rx_missed_errors  :
interface eth1-05 rx_fifo_errors    :
interface eth1-05 rx_no_buffer_count:
interface eth1-09: There were no RX drops in the past 0.5 seconds
interface eth1-09 rx_missed_errors  :
interface eth1-09 rx_fifo_errors    :
interface eth1-09 rx_no_buffer_count:
interface eth1-13: There were no RX drops in the past 0.5 seconds
interface eth1-13 rx_missed_errors  :
interface eth1-13 rx_fifo_errors    :
interface eth1-13 rx_no_buffer_count:
interface ethsBP1-01: There were no RX drops in the past 0.5 seconds
interface ethsBP1-01 rx_missed_errors  : 0
interface ethsBP1-01 rx_fifo_errors    : 0
interface ethsBP1-01 rx_no_buffer_count: 0
interface ethsBP1-02: There were no RX drops in the past 0.5 seconds
interface ethsBP1-02 rx_missed_errors  : 0
interface ethsBP1-02 rx_fifo_errors    : 0
interface ethsBP1-02 rx_no_buffer_count: 0
interface ethsBP2: There were no RX drops in the past 0.5 seconds
interface ethsBP2 rx_missed_errors  : 0
interface ethsBP2 rx_fifo_errors    : 0
interface ethsBP2 rx_no_buffer_count: 0
interface ethsBP3: There were no RX drops in the past 0.5 seconds
interface ethsBP3 rx_missed_errors  : 0
interface ethsBP3 rx_fifo_errors    : 0
interface ethsBP3 rx_no_buffer_count: 0
interface ethsBP4: There were no RX drops in the past 0.5 seconds
interface ethsBP4 rx_missed_errors  : 0
interface ethsBP4 rx_fifo_errors    : 0
interface ethsBP4 rx_no_buffer_count: 0
interface ethsBP5: There were no RX drops in the past 0.5 seconds
interface ethsBP5 rx_missed_errors  : 0
interface ethsBP5 rx_fifo_errors    : 0
interface ethsBP5 rx_no_buffer_count: 0
interface ethsBP6: There were no RX drops in the past 0.5 seconds
interface ethsBP6 rx_missed_errors  : 0
interface ethsBP6 rx_fifo_errors    : 0
interface ethsBP6 rx_no_buffer_count: 0
interface ethsBP7: There were no RX drops in the past 0.5 seconds
interface ethsBP7 rx_missed_errors  : 0
interface ethsBP7 rx_fifo_errors    : 0
interface ethsBP7 rx_no_buffer_count: 0
interface ethsBP8: There were no RX drops in the past 0.5 seconds
interface ethsBP8 rx_missed_errors  : 0
interface ethsBP8 rx_fifo_errors    : 0
interface ethsBP8 rx_no_buffer_count: 0
interface eth1-CIN: There were no RX drops in the past 0.5 seconds
interface eth1-CIN rx_missed_errors  :
interface eth1-CIN rx_fifo_errors    :
interface eth1-CIN rx_no_buffer_count:
interface eth1-Mgmt1: There were no RX drops in the past 0.5 seconds
interface eth1-Mgmt1 rx_missed_errors  :
interface eth1-Mgmt1 rx_fifo_errors    :
interface eth1-Mgmt1 rx_no_buffer_count:
interface eth1-Sync: There were no RX drops in the past 0.5 seconds
interface eth1-Sync rx_missed_errors  :
interface eth1-Sync rx_fifo_errors    :
interface eth1-Sync rx_no_buffer_count:
interface eth2-05: There were no RX drops in the past 0.5 seconds
interface eth2-05 rx_missed_errors  :
interface eth2-05 rx_fifo_errors    :
interface eth2-05 rx_no_buffer_count:
interface eth2-09: There were no RX drops in the past 0.5 seconds
interface eth2-09 rx_missed_errors  :
interface eth2-09 rx_fifo_errors    :
interface eth2-09 rx_no_buffer_count:
interface eth2-13: There were no RX drops in the past 0.5 seconds
interface eth2-13 rx_missed_errors  :
interface eth2-13 rx_fifo_errors    :
interface eth2-13 rx_no_buffer_count:
interface eth2-CIN: There were no RX drops in the past 0.5 seconds
interface eth2-CIN rx_missed_errors  :
interface eth2-CIN rx_fifo_errors    :
interface eth2-CIN rx_no_buffer_count:
interface eth2-Mgmt1: There were no RX drops in the past 0.5 seconds
interface eth2-Mgmt1 rx_missed_errors  :
interface eth2-Mgmt1 rx_fifo_errors    :
interface eth2-Mgmt1 rx_no_buffer_count:
interface eth2-Sync: There were no RX drops in the past 0.5 seconds
interface eth2-Sync rx_missed_errors  :
interface eth2-Sync rx_fifo_errors    :
interface eth2-Sync rx_no_buffer_count:
+-----------------------------------------------------------------------------+
| Command #6: fw ctl multik stat                                              |
|                                                                             |
| Check for : Large # of conns on Worker 0 - IPSec VPN/VoIP?                  |
|             Large imbalance of connections on a single or multiple Workers  |
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 241                                                                    |
|                                                                             |
| Chapter 8: CoreXL VPN Optimization                                          |
| Page 256                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
ID | Active  | CPU    | Connections | Peak
----------------------------------------------
 0 | Yes     | 7      |        7023 |    12117
 1 | Yes     | 3      |        7045 |    11856
 2 | Yes     | 6      |        6998 |    12380
 3 | Yes     | 2      |        7150 |    12266
 4 | Yes     | 5      |        7048 |    11959
 5 | Yes     | 1      |        6931 |    11686
+-----------------------------------------------------------------------------+
| Command #7: cpstat os -f multi_cpu -o 1 -c 5                                |
|                                                                             |
| Check for : High SND/IRQ Core Utilization                                   |
|             High Firewall Worker Core Utilization                           |
|                                                                             |
| Chapter 6: CoreXL & Multi-Queue                                             |
| Page 173                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|            11|          89|      11|        ?|         64280|
|   2|          10|            51|          39|      61|        ?|         64280|
|   3|           9|            52|          39|      61|        ?|         63020|
|   4|          10|            51|          39|      61|        ?|         64280|
|   5|           0|            11|          89|      11|        ?|         64280|
|   6|           9|            51|          39|      61|        ?|         63020|
|   7|           9|            49|          43|      57|        ?|         64280|
|   8|          10|            49|          41|      59|        ?|         64280|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|            11|          89|      11|        ?|         64280|
|   2|          10|            51|          39|      61|        ?|         64280|
|   3|           9|            52|          39|      61|        ?|         63020|
|   4|          10|            51|          39|      61|        ?|         64280|
|   5|           0|            11|          89|      11|        ?|         64280|
|   6|           9|            51|          39|      61|        ?|         63020|
|   7|           9|            49|          43|      57|        ?|         64280|
|   8|          10|            49|          41|      59|        ?|         64280|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|            10|          90|      10|        ?|        127728|
|   2|           8|            49|          43|      57|        ?|        127730|
|   3|          11|            48|          41|      59|        ?|         63860|
|   4|          10|            45|          45|      55|        ?|        127720|
|   5|           0|            11|          90|      10|        ?|         63861|
|   6|           8|            48|          44|      56|        ?|         63860|
|   7|           8|            45|          47|      53|        ?|        127721|
|   8|           8|            42|          50|      50|        ?|        127720|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|            10|          90|      10|        ?|        127728|
|   2|           8|            49|          43|      57|        ?|        127730|
|   3|          11|            48|          41|      59|        ?|         63860|
|   4|          10|            45|          45|      55|        ?|        127720|
|   5|           0|            11|          90|      10|        ?|         63861|
|   6|           8|            48|          44|      56|        ?|         63860|
|   7|           8|            45|          47|      53|        ?|        127721|
|   8|           8|            42|          50|      50|        ?|        127720|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|            10|          90|      10|        ?|        127715|
|   2|           5|            42|          54|      46|        ?|        127715|
|   3|           5|            44|          51|      49|        ?|        127715|
|   4|           4|            46|          49|      51|        ?|        127715|
|   5|           0|            11|          89|      11|        ?|        127714|
|   6|           3|            39|          58|      42|        ?|        127714|
|   7|           5|            41|          54|      46|        ?|        127711|
|   8|           4|            49|          48|      52|        ?|        127712|
---------------------------------------------------------------------------------

+-----------------------------------------------------------------------------+
| Thanks for using s7pac                                                      |
+-----------------------------------------------------------------------------+