topic Performance Questions Quantum 9300 - SNMP Fast Accel & UDP: Check Point. in Firewall and Security Management

Performance Questions Quantum 9300 - SNMP Fast Accel & UDP: Check Point.

Henrik_J — Fri, 25 Apr 2025 11:06:37 GMT

Hello all!

We migrated to a 9300 some time ago.

Unfortunately we have seen quite some performance issues compared to our old firewall.

I know RAD & UPPAK has general issues, but RAD has received a workaround (autodebug).
We also switched to KPPAK for (maybe) more performance, but overall much better stability.

We are continously checking CPVIEW for performance issues.

Today we saw that the firewall was overally loaded at 50 % with about 1.3 Gbit of throughput (which is quite extreme if you ask me).

I then noticed that in their ordered application layer, the clean up rule, was defined with source any and destination any.
Changed this to destination Internet, this alleviated a lot of load on the FW, and from my understanding, is also best practice.
Did this since I saw a lot of application control was applied to internal traffic, maybe needlessly.

So atm the firewall is loaded 28-50 % depending on spikes & load.

I do have two questions.

We have a few SNMP Servers that send out MASSIVE quantities of SNMP queries, which we can see under CPVIEW -> CPU -> Top Connections.

They can reach as high as 10% + performance hit when they start.
I have tried adding these sessions to fw ctl fast_accel, but I don't seem to get a match at all.
Maybe I need to reset the connections or fail-over to the other FW?
I suspect that it keeps all the SNMP sessions as active, which it then applies the "old" way of doing it, with the Appl Control & URLF and without fast_accel.

Any input here?

Also, when checking CPVIEW -> CPU -> Top Connections, I can see UDP: Check Point being at 3 - 8 % Total CPU Consumption consistently.
Checking another firewall, it's barely at 0,01 % (barely shows up in top connections).
What can be done about this? Is this normal / expected?

I do believe 8 % of the total firewall performance going to UDP: Check Point sounds excessive though.

Re: Performance Questions Quantum 9300 - SNMP Fast Accel & UDP: Check Point.

Chris_Atkinson — Fri, 25 Apr 2025 12:27:21 GMT

What appliance model was used before and which snmp object is referenced in the policy out of interest?

Please also share the version/JHF info for our context.

Re: Performance Questions Quantum 9300 - SNMP Fast Accel & UDP: Check Point.

Henrik_J — Fri, 25 Apr 2025 11:37:35 GMT

They had a 23500 before.
I know it's a huge difference in CPU Core count, but the 23500 was barely used (10-15 % ish max).
I assume they got it super discounted.

The datasheets besides the Core Count is very similar except the Threat Prevention where it's 11 -> 9 Gbps.
The 9300 is stronger in everything else if you are to believe in datasheet though.

But we basically went from 10-15 % consumption to 50 %+, so something doesn't add up here at all.
I know you cannot compare datasheet & datasheet "normally", especially if it's between vendors.
But here it's the same vendor.

They are using the built-in service which has the Protocol handler defined.
Namely snmp-read.

Maybe we could change that to a replacement service udp_161 ?