+-----------------------------------------------------------------------------+
| Super Seven Performance Assessment Commands v0.5 (Thanks to Timothy Hall)   |
+-----------------------------------------------------------------------------+
| Inspecting your environment: OK                                             |
| This is a firewall....(continuing)                                          |
|                                                                             |
| Referred pagenumbers are to be found in the following book:                 |
| Max Power: Check Point Firewall Performance Optimization - Second Edition   |
|                                                                             |
| Available at http://www.maxpowerfirewalls.com/                              |
|                                                                             |
+-----------------------------------------------------------------------------+
| Command #1: fwaccel stat                                                    |
|                                                                             |
| Check for : Accelerator Status must be enabled (R77.xx/R80.10 versions)     |
|             Status must be enabled (R80.20 and higher)                      |
|             Accept Templates must be enabled                                |
|             Message "disabled" from (low rule number) = bad                 |
|                                                                             |
| Chapter 9: SecureXL throughput acceleration                                 |
| Page 278                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
+---------------------------------------------------------------------------------+
|Id|Name     |Status     |Interfaces               |Features                      |
+---------------------------------------------------------------------------------+
|0 |KPPAK    |enabled    |eth1,eth2,eth3,eth4,Sync,|Acceleration,Cryptography     |
|  |         |           |Mgmt                     |                              |
|  |         |           |                         |Crypto: Tunnel,UDPEncap,MD5,  |
|  |         |           |                         |SHA1,3DES,DES,AES-128,AES-256,|
|  |         |           |                         |ESP,LinkSelection,DynamicVPN, |
|  |         |           |                         |NatTraversal,AES-XCBC,SHA256, |
|  |         |           |                         |SHA384,SHA512                 |
+---------------------------------------------------------------------------------+

Accept Templates : enabled
Drop Templates   : disabled
NAT Templates    : enabled
LightSpeed Accel : disabled

+-----------------------------------------------------------------------------+
| Command #2: fwaccel stats -s                                                |
|                                                                             |
| Check for : Accelerated conns/Totals conns: >25% good, >50% great           |
|             Accelerated pkts/Total pkts   : >50% great                      |
|             PXL pkts/Total pkts           : >50% OK                         |
|             F2Fed pkts/Total pkts         : <30% good, <10% great           |
|                                                                             |
| Chapter 9: SecureXL throughput acceleration                                 |
| Page 287, Packet/Throughput Acceleration: The Three Kernel Paths            |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
Accelerated conns/Total conns : 46/46 (100%)
LightSpeed conns/Total conns  : 0/46 (0%)
Accelerated pkts/Total pkts   : 60094580/60293149 (99%)
LightSpeed pkts/Total pkts    : 0/60293149 (0%)
F2Fed pkts/Total pkts         : 198569/60293149 (0%)
F2V pkts/Total pkts           : 246159/60293149 (0%)
CPASXL pkts/Total pkts        : 0/60293149 (0%)
PSLXL pkts/Total pkts         : 0/60293149 (0%)
CPAS pipeline pkts/Total pkts : 0/60293149 (0%)
PSL pipeline pkts/Total pkts  : 0/60293149 (0%)
CPAS inline pkts/Total pkts   : 0/60293149 (0%)
PSL inline pkts/Total pkts    : 0/60293149 (0%)
QOS inbound pkts/Total pkts   : 0/60293149 (0%)
QOS outbound pkts/Total pkts  : 0/60293149 (0%)
Corrected pkts/Total pkts     : 0/60293149 (0%)

+-----------------------------------------------------------------------------+
| Command #3: grep -c ^processor /proc/cpuinfo && /sbin/cpuinfo               |
|                                                                             |
| Check for : If number of cores is roughly double what you are excpecting,   |
|             hyperthreading may be enabled                                   |
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 239                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
4
HyperThreading=disabled

+-----------------------------------------------------------------------------+
| Command #4: fw ctl affinity -l -r                                           |
|                                                                             |
| Check for : SND/IRQ/Dispatcher Cores, # of CPU's allocated to interface(s)  |
|             Firewall Workers/INSPECT Cores, # of CPU's allocated to fw_x    |
|             R77.30: Support processes executed on ALL CPU's                 |
|             R80.xx: Support processes only executed on Firewall Worker Cores|
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 221                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
CPU 0:  eth1 eth2 eth3 eth4 Sync Mgmt
CPU 1:  fw_2 (active)
        cprid lpd mpdaemon fwd in.asessiond core_uploader vpnd iked cprid cpd
CPU 2:  fw_1 (active)
        cprid lpd mpdaemon fwd in.asessiond core_uploader vpnd iked cprid cpd
CPU 3:  fw_0 (active)
        cprid lpd mpdaemon fwd in.asessiond core_uploader vpnd iked cprid cpd
All:

+-----------------------------------------------------------------------------+
| Command #5: netstat -ni                                                     |
|                                                                             |
| Check for : RX/TX errors                                                    |
|             RX-DRP % should be <0.1% calculated by (RX-DRP/RX-OK)*100       |
|             TX-ERR might indicate Fast Ethernet/100Mbps Duplex Mismatch     |
|                                                                             |
| Chapter 2: Layers 1&2 Performance Optimization                              |
| Page 28-35                                                                  |
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 204                                                                    |
| Page 206 (Network Buffering Misses)                                         |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
Kernel Interface table
Iface      MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
Mgmt      1500   0        0      0      0      0        0      0      0      0 BMU
Sync      1500   0        0      0      0      0        0      0      0      0 BMU
eth1      1500   0 36802382      0      0      0 23673892      0      0      0 BMRU
eth2      1500   0      297      0      0      0      859      0      0      0 BMRU
eth3      1500   0   146506      0      0      0   103559      0      0      0 BMRU
eth4      1500   0 23419462      0      0      0 36541523      0      0      0 BMRU
eth4.10   1500   0  2748074      0      0      0  5788846      0      6      0 BMRU
eth4.11   1500   0  3039023      0      0      0  3756330      0      7      0 BMRU
eth4.12   1500   0  2977760      0      0      0  3853499      0      0      0 BMRU
eth4.13   1500   0  3026744      0      0      0  3840209      0      8      0 BMRU
eth4.14   1500   0     9808      0      0      0     7315      0      0      0 BMRU
eth4.15   1500   0  2826221      0      0      0  5794201      0      7      0 BMRU
eth4.16   1500   0  2906466      0      0      0  3785034      0      4      0 BMRU
eth4.17   1500   0  2547287      0      0      0  5781696      0      5      0 BMRU
eth4.18   1500   0  3319579      0      0      0  3773532      0      4      0 BMRU
eth4.19   1500   0    22569      0      0      0   165996      0      0      0 BMRU
lo       65536   0   291474      0      0      0   291474      0      0      0 ALMdRU

interface eth1: There were no RX drops in the past 0.5 seconds
interface eth1 rx_missed_errors  : 0
interface eth1 rx_fifo_errors    : 0
interface eth1 rx_no_buffer_count: 0

interface eth2: There were no RX drops in the past 0.5 seconds
interface eth2 rx_missed_errors  : 0
interface eth2 rx_fifo_errors    : 0
interface eth2 rx_no_buffer_count: 0

interface eth3: There were no RX drops in the past 0.5 seconds
interface eth3 rx_missed_errors  : 0
interface eth3 rx_fifo_errors    : 0
interface eth3 rx_no_buffer_count: 0

interface eth4: There were no RX drops in the past 0.5 seconds
interface eth4 rx_missed_errors  : 0
interface eth4 rx_fifo_errors    : 0
interface eth4 rx_no_buffer_count: 0

no stats available
no stats available
no stats available
interface eth4.10: There were no RX drops in the past 0.5 seconds
interface eth4.10 rx_missed_errors  :
interface eth4.10 rx_fifo_errors    :
interface eth4.10 rx_no_buffer_count:

no stats available
no stats available
no stats available
interface eth4.11: There were no RX drops in the past 0.5 seconds
interface eth4.11 rx_missed_errors  :
interface eth4.11 rx_fifo_errors    :
interface eth4.11 rx_no_buffer_count:

no stats available
no stats available
no stats available
interface eth4.12: There were no RX drops in the past 0.5 seconds
interface eth4.12 rx_missed_errors  :
interface eth4.12 rx_fifo_errors    :
interface eth4.12 rx_no_buffer_count:

no stats available
no stats available
no stats available
interface eth4.13: There were no RX drops in the past 0.5 seconds
interface eth4.13 rx_missed_errors  :
interface eth4.13 rx_fifo_errors    :
interface eth4.13 rx_no_buffer_count:

no stats available
no stats available
no stats available
interface eth4.14: There were no RX drops in the past 0.5 seconds
interface eth4.14 rx_missed_errors  :
interface eth4.14 rx_fifo_errors    :
interface eth4.14 rx_no_buffer_count:

no stats available
no stats available
no stats available
interface eth4.15: There were no RX drops in the past 0.5 seconds
interface eth4.15 rx_missed_errors  :
interface eth4.15 rx_fifo_errors    :
interface eth4.15 rx_no_buffer_count:

no stats available
no stats available
no stats available
interface eth4.16: There were no RX drops in the past 0.5 seconds
interface eth4.16 rx_missed_errors  :
interface eth4.16 rx_fifo_errors    :
interface eth4.16 rx_no_buffer_count:

no stats available
no stats available
no stats available
interface eth4.17: There were no RX drops in the past 0.5 seconds
interface eth4.17 rx_missed_errors  :
interface eth4.17 rx_fifo_errors    :
interface eth4.17 rx_no_buffer_count:

no stats available
no stats available
no stats available
interface eth4.18: There were no RX drops in the past 0.5 seconds
interface eth4.18 rx_missed_errors  :
interface eth4.18 rx_fifo_errors    :
interface eth4.18 rx_no_buffer_count:

no stats available
no stats available
no stats available
interface eth4.19: There were no RX drops in the past 0.5 seconds
interface eth4.19 rx_missed_errors  :
interface eth4.19 rx_fifo_errors    :
interface eth4.19 rx_no_buffer_count:

+-----------------------------------------------------------------------------+
| Command #6: fw ctl multik stat                                              |
|                                                                             |
| Check for : Large # of conns on Worker 0 - IPSec VPN/VoIP?                  |
|             Large imbalance of connections on a single or multiple Workers  |
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 241                                                                    |
|                                                                             |
| Chapter 8: CoreXL VPN Optimization                                          |
| Page 256                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
ID | Active  | CPU    | Connections | Peak
----------------------------------------------
 0 | Yes     | 3      |          24 |       66
 1 | Yes     | 2      |          26 |       83
 2 | Yes     | 1      |          23 |       92

+-----------------------------------------------------------------------------+
| Command #7: cpstat os -f multi_cpu -o 1 -c 5                                |
|                                                                             |
| Check for : High SND/IRQ Core Utilization                                   |
|             High Firewall Worker Core Utilization                           |
|                                                                             |
| Chapter 6: CoreXL & Multi-Queue                                             |
| Page 173                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|             0|         100|       0|        ?|          6199|
|   2|           4|             6|          90|      10|        ?|          6199|
|   3|           4|             5|          91|       9|        ?|          6199|
|   4|           3|             6|          90|      10|        ?|          6199|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|             0|         100|       0|        ?|          6199|
|   2|           4|             6|          90|      10|        ?|          6199|
|   3|           4|             5|          91|       9|        ?|          6199|
|   4|           3|             6|          90|      10|        ?|          6199|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|             0|         100|       0|        ?|         10241|
|   2|           0|             1|          99|       1|        ?|         10244|
|   3|           1|             1|          99|       1|        ?|         10244|
|   4|           0|             0|         100|       0|        ?|         10244|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|             0|         100|       0|        ?|         10241|
|   2|           0|             1|          99|       1|        ?|         10244|
|   3|           1|             1|          99|       1|        ?|         10244|
|   4|           0|             0|         100|       0|        ?|         10244|
---------------------------------------------------------------------------------

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|             1|         100|       0|        ?|          6528|
|   2|           1|             0|          99|       1|        ?|         13056|
|   3|           1|             0|          99|       1|        ?|         13056|
|   4|           0|             1|         100|       0|        ?|          6528|
---------------------------------------------------------------------------------

+-----------------------------------------------------------------------------+
| Thanks for using s7pac                                                      |
+-----------------------------------------------------------------------------+