topic Re: CPview and VSX - Analyse CPU Load per Instance per connection in Firewall and Security Management

CPview and VSX - Analyse CPU Load per Instance per connection

Vincent_Croes — Wed, 16 Jun 2021 09:40:59 GMT

Checkmates

Why is it that on VSX, we receive less functionality when using CPview? More specific: on regular gateways, we can analyze the CPU load per instance and view the top connection or top service that goes along with it.

Example:

I'm sure that the architecture behind VSX mode is not quite the same as a regular gateway and poses a different set of challenges but this screenshot is from a R80.10 gateway and yet to my knowledge this feature is still not implemented in VSX on R81. Is this not incredible useful?

I have checked with TAC & my local office, I also checked the support center but no-one can give me a proper tool to investigate CPU load in correlation with a specific connection. Also I requested an improvement via a form on the CP website but that seems to end up in someone spam folder.

Re: CPview and VSX - Analyse CPU Load per Instance per connection

Timothy_Hall — Wed, 16 Jun 2021 11:52:13 GMT

The functionality difference stems from the traditional kernel space mode for INSPECT vs. process space mode (fwk processes - called User Space Firewall). VSX has always used fwk processes to implement INSPECT and now the newer mainline gateways (including Quantums) are using USFW by default. Some of the feature differences between VSX/USFW and kernel mode got called out in my CPX 2020 speech, and since then the feature gap has almost been completely closed by R&D. Future development is likely to use USFW everywhere, so now we are starting to see some new features available exclusively in USFW mode but not kernel mode.

As far as the cpview screens you are missing you can get them back with the proper version/Jumbo HFA and by setting kernel variables sim_top_conns_enable=1 & sim_top_proto_enable=1 as mentioned here:

sk167903: CPview Top Connections and Protocols tabs show no data

Those screens are not available at all for VSX R80.10 and earlier due to the older implementation of SecureXL in that version.

Re: CPview and VSX - Analyse CPU Load per Instance per connection

Vincent_Croes — Wed, 16 Jun 2021 12:03:52 GMT

Thanks for that interesting read. However please note that I'm referring to the Top-protocols and Top-connections within the CPU tab not the network tab. We really want to have the column "% out of CPU" as you can see in my initial screenshot.

We are also going to R80.30 for all our VSX clusters.

Re: CPview and VSX - Analyse CPU Load per Instance per connection

Elad_Chomsky — Wed, 16 Jun 2021 12:34:05 GMT

Hi,

You can use CPView today on VSX. But it is per VS, And the amount of statistics is currently very limited. Unfortunately, there is currently no way to monitor the statistics of the whole VSX appliance. There is a tab that’s collecting the information from all VSs and is storing them in one place. the new tab can be seen in the VS0 context only.

Re: CPview and VSX - Analyse CPU Load per Instance per connection

Vincent_Croes — Wed, 16 Jun 2021 13:10:48 GMT

Is there a way to request an improvement of this functionality? Or do you know if something is in the works?

Currently we are stuck troubleshooting high CPU load on FWK instances and we have no clue what is causing it. Involving TAC each issue is very time consuming especially when the problem is not always present.

Re: CPview and VSX - Analyse CPU Load per Instance per connection

Elad_Chomsky — Thu, 17 Jun 2021 07:00:59 GMT

Hi,

I will pass your request to the relevant R&D owners, and they will try to incorporate it into their plans. Meanwhile, regarding your issue, please try to see if one of the following is giving you the info:

‘vsx stat –v’
fw ctl pstat
vsx resctrl stat
vsx mstat

Re: CPview and VSX - Analyse CPU Load per Instance per connection

Vincent_Croes — Thu, 17 Jun 2021 08:01:11 GMT

Thank you, that is appreciated. In regards to the commands, those are known by us and do not give good insight on which flows are triggering more CPU usage. We are quite capable of finding out that something is wrong but drilling down to what exactly and being able to report this to our customer is a different story, hence my feature request.