+-----------------------------------------------------------------------------+
| Super Seven Performance Assessment Commands v0.5 (Thanks to Timothy Hall)   |
+-----------------------------------------------------------------------------+
| Inspecting your environment: OK                                             |
| This is a firewall....(continuing)                                          |
|                                                                             |
| Referred pagenumbers are to be found in the following book:                 |
| Max Power: Check Point Firewall Performance Optimization - Second Edition   |
|                                                                             |
| Available at http://www.maxpowerfirewalls.com/                              |
+-----------------------------------------------------------------------------+
| Command #1: fwaccel stat                                                    |
|                                                                             |
| Check for : Accelerator Status must be enabled (R77.xx/R80.10 versions)     |
|             Status must be enabled (R80.20 and higher)                      |
|             Accept Templates must be enabled                                |
|             Message "disabled" from (low rule number) = bad                 |
|                                                                             |
| Chapter 9: SecureXL throughput acceleration                                 |
| Page 278                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
+---------------------------------------------------------------------------------+
|Id|Name     |Status     |Interfaces               |Features                      |
+---------------------------------------------------------------------------------+
|0 |SND      |enabled    |ethsBP1,ethsBP5,ethsBP2, |Acceleration,Cryptography     |
|  |         |           |ethsBP6,ethsBP1-01,      |                              |
|  |         |           |ethsBP3,ethsBP7,ethsBP4, |Crypto: Tunnel,UDPEncap,MD5,  |
|  |         |           |ethsBP8,ethsBP1-02,      |SHA1,3DES,DES,AES-128,AES-256,|
|  |         |           |eth1-05,eth1-09,eth1-13, |ESP,LinkSelection,DynamicVPN, |
|  |         |           |eth1-Mgmt1,eth1-Sync,    |NatTraversal,AES-XCBC,SHA256, |
|  |         |           |eth1-CIN,eth2-05,eth2-09,|SHA384,SHA512                 |
|  |         |           |eth2-13,eth2-Mgmt1,      |                              |
|  |         |           |eth2-Sync,eth2-CIN       |                              |
+---------------------------------------------------------------------------------+

Accept Templates : enabled
Drop Templates   : enabled
NAT Templates    : enabled

+-----------------------------------------------------------------------------+
| Command #2: fwaccel stats -s                                                |
|                                                                             |
| Check for : Accelerated conns/Totals conns: >25% good, >50% great           |
|             Accelerated pkts/Total pkts : >50% great                        |
|             PXL pkts/Total pkts : >50% OK                                   |
|             F2Fed pkts/Total pkts : <30% good, <10% great                   |
|                                                                             |
| Chapter 9: SecureXL throughput acceleration                                 |
| Page 287, Packet/Throughput Acceleration: The Three Kernel Paths            |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
Accelerated conns/Total conns : 77/32251 (0%)
Accelerated pkts/Total pkts   : 11073560329/14174457263 (78%)
F2Fed pkts/Total pkts         : 3100896934/14174457263 (21%)
F2V pkts/Total pkts           : 124813155/14174457263 (0%)
CPASXL pkts/Total pkts        : 3493355177/14174457263 (24%)
PSLXL pkts/Total pkts         : 6304455277/14174457263 (44%)
CPAS pipeline pkts/Total pkts : 0/14174457263 (0%)
PSL pipeline pkts/Total pkts  : 0/14174457263 (0%)
CPAS inline pkts/Total pkts   : 0/14174457263 (0%)
PSL inline pkts/Total pkts    : 0/14174457263 (0%)
QOS inbound pkts/Total pkts   : 0/14174457263 (0%)
QOS outbound pkts/Total pkts  : 0/14174457263 (0%)
Corrected pkts/Total pkts     : 0/14174457263 (0%)

+-----------------------------------------------------------------------------+
| Command #3: grep -c ^processor /proc/cpuinfo && /sbin/cpuinfo               |
|                                                                             |
| Check for : If number of cores is roughly double what you are excpecting,   |
|             hyperthreading may be enabled                                   |
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 239                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
8
HyperThreading=enabled

+-----------------------------------------------------------------------------+
| Command #4: fw ctl affinity -l -r                                           |
|                                                                             |
| Check for : SND/IRQ/Dispatcher Cores, # of CPU's allocated to interface(s)  |
|             Firewall Workers/INSPECT Cores, # of CPU's allocated to fw_x    |
|             R77.30: Support processes executed on ALL CPU's                 |
|             R80.xx: Support processes only executed on Firewall Worker Cores|
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 221                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
CPU 0:
CPU 1: fw_5 rad vpnd pepd pdpd in.msd wsdnsd iked lpd in.asessiond fwd core_uploader in.geod in.acapd usrchkd mpdaemon cprid cpd cprid
CPU 2: fw_3 rad vpnd pepd pdpd in.msd wsdnsd iked lpd in.asessiond fwd core_uploader in.geod in.acapd usrchkd mpdaemon cprid cpd cprid
CPU 3: fw_1 rad vpnd pepd pdpd in.msd wsdnsd iked lpd in.asessiond fwd core_uploader in.geod in.acapd usrchkd mpdaemon cprid cpd cprid
CPU 4:
CPU 5: fw_4 rad vpnd pepd pdpd in.msd wsdnsd iked lpd in.asessiond fwd core_uploader in.geod in.acapd usrchkd mpdaemon cprid cpd cprid
CPU 6: fw_2 rad vpnd pepd pdpd in.msd wsdnsd iked lpd in.asessiond fwd core_uploader in.geod in.acapd usrchkd mpdaemon cprid cpd cprid
CPU 7: fw_0 rad vpnd pepd pdpd in.msd wsdnsd iked lpd in.asessiond fwd core_uploader in.geod in.acapd usrchkd mpdaemon cprid cpd cprid
All:
Interface ethsBP1: has multi queue enabled
Interface ethsBP5: has multi queue enabled
Interface ethsBP2: has multi queue enabled
Interface ethsBP6: has multi queue enabled
Interface ethsBP1-01: has multi queue enabled
Interface ethsBP3: has multi queue enabled
Interface ethsBP7: has multi queue enabled
Interface ethsBP4: has multi queue enabled
Interface ethsBP8: has multi queue enabled
Interface ethsBP1-02: has multi queue enabled

+-----------------------------------------------------------------------------+
| Command #5: netstat -ni                                                     |
|                                                                             |
| Check for : RX/TX errors                                                    |
|             RX-DRP % should be <0.1% calculated by (RX-DRP/RX-OK)*100       |
|             TX-ERR might indicate Fast Ethernet/100Mbps Duplex Mismatch     |
|                                                                             |
| Chapter 2: Layers 1&2 Performance Optimization                              |
| Page 28-35                                                                  |
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 204                                                                    |
| Page 206 (Network Buffering Misses)                                         |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
Kernel Interface table
Iface        MTU Met       RX-OK RX-ERR RX-DRP RX-OVR       TX-OK TX-ERR TX-DRP TX-OVR Flg
BPEth0      1500   0 13766512591      0      0      0 12419911042      0      0      0 BMmRU
BPEth1      1500   0    86743839      0      0      0    70442995      0      0      0 BMmRU
Sync        1500   0   131361930      0      0      0   144171871      0      0      0 BMmRU
bond51      1500   0    89473981      0      0      0   106903230      0      0      0 BMmRU
bond108     1500   0  8323352201      0      0      0  4862461678      0      0      0 BMmRU
bond250     1500   0  5277732711      0      0      0  7358174358      0      0      0 BMmRU
ethsBP1     1500   0           0      0      0      0           0      0      0      0 BMU
eth1-05     1500   0  5277732729      0      0      0  7358174371      0      0      0 BMsRU
eth1-09     1500   0  8323352271      0      0      0  4862461703      0      0      0 BMsRU
eth1-13     1500   0    89473988      0      0      0   106903227      0      0      0 BMsRU
ethsBP1-01  1500   0 13766301672      0      0      0 12419833931      0      0      0 ABMsRU
ethsBP1-02  1500   0    86742727      0      0      0    70434848      0      0      0 ABMsRU
ethsBP2     1500   0           0      0      0      0           0      0      0      0 BMU
ethsBP3     1500   0           0      0      0      0           0      0      0      0 BMU
ethsBP4     1500   0           0      0      0      0           0      0      0      0 BMU
ethsBP5     1500   0           0      0      0      0           0      0      0      0 BMU
ethsBP6     1500   0           0      0      0      0           0      0      0      0 BMU
ethsBP7     1500   0           0      0      0      0           0      0      0      0 BMU
ethsBP8     1500   0           0      0      0      0           0      0      0      0 BMU
eth1-CIN    1500   0     7425171      0      0      0     8854564      0      0      0 BMRU
eth1-Mgmt1  1500   0    15818074      0      0      0      836723      0      0      0 BMsRU
eth1-Sync   1500   0    52694359      0      0      0    82634861      0      0      0 BMsRU
eth2-05     1500   0           0      0      0      0           1      0      0      0 BMsU
eth2-09     1500   0           0      0      0      0           1      0      0      0 BMsU
eth2-13     1500   0           0      0      0      0           8      0      0      0 BMsU
eth2-CIN    1500   0     7430315      0      0      0     8852774      0      0      0 BMRU
eth2-Mgmt1  1500   0      628170      0      0      0           3      0      0      0 BMsRU
eth2-Sync   1500   0    78668572      0      0      0    61537016      0      0      0 BMsRU
lo         65536   0    39001841      0      0      0    39001841      0      0      0 LMdNRU
magg1       1500   0    16446155      0      0      0      836726      0      0      0 BMmRU

interface ethsBP1: There were no RX drops in the past 0.5 seconds
interface ethsBP1 rx_missed_errors : 0
interface ethsBP1 rx_fifo_errors : 0
interface ethsBP1 rx_no_buffer_count: 0

interface eth1-05: There were no RX drops in the past 0.5 seconds
interface eth1-05 rx_missed_errors :
interface eth1-05 rx_fifo_errors :
interface eth1-05 rx_no_buffer_count:

interface eth1-09: There were no RX drops in the past 0.5 seconds
interface eth1-09 rx_missed_errors :
interface eth1-09 rx_fifo_errors :
interface eth1-09 rx_no_buffer_count:

interface eth1-13: There were no RX drops in the past 0.5 seconds
interface eth1-13 rx_missed_errors :
interface eth1-13 rx_fifo_errors :
interface eth1-13 rx_no_buffer_count:

interface ethsBP1-01: There were no RX drops in the past 0.5 seconds
interface ethsBP1-01 rx_missed_errors : 0
interface ethsBP1-01 rx_fifo_errors : 0
interface ethsBP1-01 rx_no_buffer_count: 0

interface ethsBP1-02: There were no RX drops in the past 0.5 seconds
interface ethsBP1-02 rx_missed_errors : 0
interface ethsBP1-02 rx_fifo_errors : 0
interface ethsBP1-02 rx_no_buffer_count: 0

interface ethsBP2: There were no RX drops in the past 0.5 seconds
interface ethsBP2 rx_missed_errors : 0
interface ethsBP2 rx_fifo_errors : 0
interface ethsBP2 rx_no_buffer_count: 0

interface ethsBP3: There were no RX drops in the past 0.5 seconds
interface ethsBP3 rx_missed_errors : 0
interface ethsBP3 rx_fifo_errors : 0
interface ethsBP3 rx_no_buffer_count: 0

interface ethsBP4: There were no RX drops in the past 0.5 seconds
interface ethsBP4 rx_missed_errors : 0
interface ethsBP4 rx_fifo_errors : 0
interface ethsBP4 rx_no_buffer_count: 0

interface ethsBP5: There were no RX drops in the past 0.5 seconds
interface ethsBP5 rx_missed_errors : 0
interface ethsBP5 rx_fifo_errors : 0
interface ethsBP5 rx_no_buffer_count: 0

interface ethsBP6: There were no RX drops in the past 0.5 seconds
interface ethsBP6 rx_missed_errors : 0
interface ethsBP6 rx_fifo_errors : 0
interface ethsBP6 rx_no_buffer_count: 0

interface ethsBP7: There were no RX drops in the past 0.5 seconds
interface ethsBP7 rx_missed_errors : 0
interface ethsBP7 rx_fifo_errors : 0
interface ethsBP7 rx_no_buffer_count: 0

interface ethsBP8: There were no RX drops in the past 0.5 seconds
interface ethsBP8 rx_missed_errors : 0
interface ethsBP8 rx_fifo_errors : 0
interface ethsBP8 rx_no_buffer_count: 0

interface eth1-CIN: There were no RX drops in the past 0.5 seconds
interface eth1-CIN rx_missed_errors :
interface eth1-CIN rx_fifo_errors :
interface eth1-CIN rx_no_buffer_count:

interface eth1-Mgmt1: There were no RX drops in the past 0.5 seconds
interface eth1-Mgmt1 rx_missed_errors :
interface eth1-Mgmt1 rx_fifo_errors :
interface eth1-Mgmt1 rx_no_buffer_count:

interface eth1-Sync: There were no RX drops in the past 0.5 seconds
interface eth1-Sync rx_missed_errors :
interface eth1-Sync rx_fifo_errors :
interface eth1-Sync rx_no_buffer_count:

interface eth2-05: There were no RX drops in the past 0.5 seconds
interface eth2-05 rx_missed_errors :
interface eth2-05 rx_fifo_errors :
interface eth2-05 rx_no_buffer_count:

interface eth2-09: There were no RX drops in the past 0.5 seconds
interface eth2-09 rx_missed_errors :
interface eth2-09 rx_fifo_errors :
interface eth2-09 rx_no_buffer_count:

interface eth2-13: There were no RX drops in the past 0.5 seconds
interface eth2-13 rx_missed_errors :
interface eth2-13 rx_fifo_errors :
interface eth2-13 rx_no_buffer_count:

interface eth2-CIN: There were no RX drops in the past 0.5 seconds
interface eth2-CIN rx_missed_errors :
interface eth2-CIN rx_fifo_errors :
interface eth2-CIN rx_no_buffer_count:

interface eth2-Mgmt1: There were no RX drops in the past 0.5 seconds
interface eth2-Mgmt1 rx_missed_errors :
interface eth2-Mgmt1 rx_fifo_errors :
interface eth2-Mgmt1 rx_no_buffer_count:

interface eth2-Sync: There were no RX drops in the past 0.5 seconds
interface eth2-Sync rx_missed_errors :
interface eth2-Sync rx_fifo_errors :
interface eth2-Sync rx_no_buffer_count:

+-----------------------------------------------------------------------------+
| Command #6: fw ctl multik stat                                              |
|                                                                             |
| Check for : Large # of conns on Worker 0 - IPSec VPN/VoIP?                  |
|             Large imbalance of connections on a single or multiple Workers  |
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 241                                                                    |
|                                                                             |
| Chapter 8: CoreXL VPN Optimization                                          |
| Page 256                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
ID | Active  | CPU    | Connections | Peak
----------------------------------------------
 0 | Yes     | 7      |        6892 |    12148
 1 | Yes     | 3      |        7182 |    11920
 2 | Yes     | 6      |        7127 |    12425
 3 | Yes     | 2      |        7132 |    12267
 4 | Yes     | 5      |        7040 |    11967
 5 | Yes     | 1      |        7004 |    11688

+-----------------------------------------------------------------------------+
| Command #7: cpstat os -f multi_cpu -o 1 -c 5                                |
|                                                                             |
| Check for : High SND/IRQ Core Utilization                                   |
|             High Firewall Worker Core Utilization                           |
|                                                                             |
| Chapter 6: CoreXL & Multi-Queue                                             |
| Page 173                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|            13|          87|      13|        ?|         98088|
|   2|          16|            54|          31|      69|        ?|         98083|
|   3|          13|            61|          26|      74|        ?|         98075|
|   4|          17|            55|          28|      72|        ?|         98075|
|   5|           1|            12|          87|      13|        ?|         98071|
|   6|          16|            56|          28|      72|        ?|         98068|
|   7|          14|            59|          27|      73|        ?|         98065|
|   8|          10|            57|          32|      68|        ?|         98063|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|            13|          87|      13|        ?|         98088|
|   2|          16|            54|          31|      69|        ?|         98083|
|   3|          13|            61|          26|      74|        ?|         98075|
|   4|          17|            55|          28|      72|        ?|         98075|
|   5|           1|            12|          87|      13|        ?|         98071|
|   6|          16|            56|          28|      72|        ?|         98068|
|   7|          14|            59|          27|      73|        ?|         98065|
|   8|          10|            57|          32|      68|        ?|         98063|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|            11|          89|      11|        ?|        132323|
|   2|           8|            46|          46|      54|        ?|        132326|
|   3|           8|            49|          43|      57|        ?|        132337|
|   4|           7|            48|          45|      55|        ?|        132338|
|   5|           0|            11|          89|      11|        ?|        132340|
|   6|           6|            51|          44|      56|        ?|        132343|
|   7|           7|            42|          51|      49|        ?|        132344|
|   8|           5|            50|          45|      55|        ?|        132344|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|            11|          89|      11|        ?|        132323|
|   2|           8|            46|          46|      54|        ?|        132326|
|   3|           8|            49|          43|      57|        ?|        132337|
|   4|           7|            48|          45|      55|        ?|        132338|
|   5|           0|            11|          89|      11|        ?|        132340|
|   6|           6|            51|          44|      56|        ?|        132343|
|   7|           7|            42|          51|      49|        ?|        132344|
|   8|           5|            50|          45|      55|        ?|        132344|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|            12|          88|      12|        ?|        130407|
|   2|           5|            47|          49|      51|        ?|        130405|
|   3|           6|            49|          46|      54|        ?|         65197|
|   4|           8|            42|          51|      49|        ?|         65196|
|   5|           0|            10|          90|      10|        ?|        130394|
|   6|           5|            45|          50|      50|        ?|        130393|
|   7|           7|            45|          48|      52|        ?|        130392|
|   8|           5|            45|          50|      50|        ?|        130395|
---------------------------------------------------------------------------------

+-----------------------------------------------------------------------------+
| Thanks for using s7pac                                                      |
+-----------------------------------------------------------------------------+