topic Re: Checkpoint 6200 high cpu in Firewall and Security Management

Checkpoint 6200 high cpu

Daljit_s — Wed, 27 Oct 2021 08:25:51 GMT

Hi All,

We have recently replaced the open server with the new CP appliance 6200p. After migration to the new gateways the CPU is high. throughput is also not that much high, Currently IPS, VPN and firewall blades are enabled. I already have all the templates enabled for the acceleration.

As these gateways are having 4 core so is it make sense to move the firewalls from user to kernel mode? Will that improve the cpu performance? According to me user mode is required when the device has more than 36 cores but not sure why the CP is enabling it on all the appliances.

Regards

Daljit Singh

Re: Checkpoint 6200 high cpu

_Val_ — Wed, 27 Oct 2021 08:30:16 GMT

Setting it back to kernel mode will win you only a small percentage of CPU utilization, but it is definitely the first step in the optimization process I would recommend.

Re: Checkpoint 6200 high cpu

Daljit_s — Wed, 27 Oct 2021 12:39:44 GMT

Thanks, i will soon change the mode and will see for any difference.

But do you know why the checkpoint is enabling the user mode by default on the appliances having less cores?

Re: Checkpoint 6200 high cpu

Timothy_Hall — Wed, 27 Oct 2021 12:42:43 GMT

What model was the open server? What kind of CPUs and how many did it have? It can be tricky trying to estimate performance when transitioning from an open server to Check Point appliances. The 6200 has four cores, please provide the output of cat /proc/cpuinfo so we can see what kind of CPUs the 6200 is using.

I don't think switching back to kernel mode will buy you much, I'd suggest providing Super Seven command outputs for analysis first. Also what version and Jumbo HFA level are you using? It is likely that most of your traffic will be fully accelerated, and with the default 1/3 split only one CPU will be forced to handle all the load unless you are running a code version with Dynamic Split in use.

https://community.checkpoint.com/t5/Scripts/S7PAC-Super-Seven-Performance-Assessment-Commands/m-p/40528

Re: Checkpoint 6200 high cpu

Daljit_s — Wed, 27 Oct 2021 14:44:02 GMT

I am using 80.40 with Take 120.

attached s7pac output.

Re: Checkpoint 6200 high cpu

_Val_ — Wed, 27 Oct 2021 14:16:09 GMT

Latest 3.10 based version have USFW enabled because of certain features depending on that, for example TLS 1.3 inspection support. Performance negative effect is negligible. Do not expect much. I would be surprised if it is more than a couple of percents on average.

Re: Checkpoint 6200 high cpu

Timothy_Hall — Wed, 27 Oct 2021 14:44:46 GMT

As Val said some features in later releases will require USFW so switching back to kernel mode will become less and less relevant, even on smaller boxes. Your 6200 has only two physical CPUs with SMT enabled for 4 total cores/threads.

Your 6200 seems to be handling the load fine and there are no tuning adjustments required, plenty of headroom. I suspect the higher CPU load on your 6200 is due to the CPU number and/or type differences between it and your prior open hardware. What was the prior open hardware model and CPU type? If it was some kind of Xeon which is common on Intel-based servers, that Xeon CPU is probably at least twice as fast per-core than the Pentium Gold G5400 in your 6200. As long as a firewall's cores are not normally running north of 75% and topping out at 100% during the busiest periods you should be fine.

Re: Checkpoint 6200 high cpu

Maarten_Sjouw — Thu, 28 Oct 2021 10:48:35 GMT

The HP servers had 16 core on Intel(R) Xeon(R) CPU E5-2665 0 @ 2.40GHz CPU's

The 6200 has 4 cores on Intel(R) Pentium(R) Gold G5400 CPU @ 3.70GHz CPU

So there is quite a difference in total power. Every first couple of days of the month the throughput doubles due to people who need to register during the first couple of days of the month. Currently the average CPU load during the day is is between 50 and 60%

Re: Checkpoint 6200 high cpu

Maarten_Sjouw — Thu, 28 Oct 2021 22:25:33 GMT

@Timothy_Hall Daljit is one of my coworkers and I was able to gather this data quickly and add it here.