topic Re: looking for detailed information to cpview in Firewall and Security Management

looking for detailed information to cpview

Steffen_Matouse — Thu, 25 Apr 2024 09:44:49 GMT

sometimes the my FW has high CPU usage and it seams caused by special traffic.

If I load the CPViewCB in DB Viewer of Diagostic View I see in the timeframe high Host Streaming_Overall_Connection

Have someone a short explanation what Host Streaming mean in this case ?

Re: looking for detailed information to cpview

PhoneBoy — Thu, 25 Apr 2024 14:17:26 GMT

Any idea what traffic is being matched?
I suspect it's something that makes heavy use of Medium and/or Slow path.

Re: looking for detailed information to cpview

Steffen_Matouse — Fri, 26 Apr 2024 13:47:10 GMT

currenly not. Is host streaming an indicator for special traffic or for special path in FW ?

Re: looking for detailed information to cpview

Timothy_Hall — Fri, 26 Apr 2024 14:47:09 GMT

That is probably Medium Path streaming in passive and active mode. It is not unusual for most CPU to be consumed here on a modern gateway with the typical blades enabled. Please provide the outputs of the enabled_blades and fwaccel stats -s for further analysis. If you have a cluster, make sure these commands are run on the active member.

Re: looking for detailed information to cpview

Steffen_Matouse — Mon, 29 Apr 2024 12:19:22 GMT

enabled blades

fw vpn urlf av appi ips identityServer anti_bot ThreatEmulation qos mon Scrub

fwaccel stats -s
----------------------
Accelerated conns/Total conns : 0/2211 (0%)
LightSpeed conns/Total conns : 0/2211 (0%)
Accelerated pkts/Total pkts : 84797454270/95272799005 (89%)
LightSpeed pkts/Total pkts : 0/95272799005 (0%)
F2Fed pkts/Total pkts : 10475344735/95272799005 (10%)
F2V pkts/Total pkts : 18299159379/95272799005 (19%)
CPASXL pkts/Total pkts : 375428925/95272799005 (0%)
PSLXL pkts/Total pkts : 80604241319/95272799005 (84%)
CPAS pipeline pkts/Total pkts : 0/95272799005 (0%)
PSL pipeline pkts/Total pkts : 0/95272799005 (0%)
CPAS inline pkts/Total pkts : 0/95272799005 (0%)
PSL inline pkts/Total pkts : 0/95272799005 (0%)
QOS inbound pkts/Total pkts : 22484053775/95272799005 (23%)
QOS outbound pkts/Total pkts : 26954068758/95272799005 (28%)
Corrected pkts/Total pkts : 0/95272799005 (0%)

Re: looking for detailed information to cpview

Timothy_Hall — Mon, 29 Apr 2024 13:21:02 GMT

First off you have no SecureXL templating happening (Accelerated conns), which means higher CPU overhead for a fresh rulebase lookup every time for new connections. Most likely cause is having any blade other than Firewall enabled in your top/parent layer of your policy (sk180633: Security Gateway accelerates 99% of traffic through the PSLXL) and/or specifying applications/content in that top/first layer, or use of services with Protocol Signature set. Please provide outputs of fwaccel stat and fwaccel templates -R.

Looks like you are utilizing the QoS blade as well which will increase overhead (but not nearly as badly as in R80.10 and earlier), keep in mind if all you want to do is shared rule-based bandwidth limits, this can be accomplished directly in the Action field of your APCL/URLF without needing the QoS blade. The QoS blade will be needed if you want to do per-connection limits, shared or per-connection guarantees, Weighted Fair Queueing, LLQ, ToS/DiffServ preferences etc.

Other than that you just have a lot of features enabled and a busy firewall. One other thing that can spike the CPU is elephant flows, try running fw ctl multik print_heavy_conn to see all elephant flows in the last 24 hours. The Spike Detective (sk166454: CPU Spike Detective) can also be helpful for tracking down excessive CPU usage.