topic Re: Alert when utilization is high in General Topics

Alert when utilization is high

handiansudianto — Fri, 26 May 2023 08:31:11 GMT

Hello,

can we get notification if there any user who consume bandwidth more than 75% for example?

Re: Alert when utilization is high

the_rock — Fri, 26 May 2023 20:00:17 GMT

I believe its possible with Smart Event, I can check Monday in my lab.

Andy

Re: Alert when utilization is high

the_rock — Sat, 27 May 2023 16:02:47 GMT

I checked in my R81.20 lab where I have dedicated SE server and could not find something similar. I also verified in SV monitor (you need that blade enabled for full functionality), but cant seem to find much better there either. Maybe Im just looking at the wrong places...

Anyway, tagged @Amir_Senn , Im positive he will know, as he helped me with similar queries in the past.

Have a nice weekend!

Andy

Re: Alert when utilization is high

Amir_Senn — Sun, 28 May 2023 09:59:19 GMT

AFAIK, there's no way to alert this.

We can check amount of data but this could be misleading because it also depends on session time.

You can limit traffic bandwidth in the rulebase itself if it helps, or analyze the data you already have with SmartView.

Re: Alert when utilization is high

the_rock — Sun, 28 May 2023 12:22:36 GMT

Thanks for confirming @Amir_Senn 👍

Re: Alert when utilization is high

handiansudianto — Mon, 29 May 2023 00:56:46 GMT

Hello @the_rock @Amir_Senn

Thanks you, if this not possible from checkpoint side i will try search if there any 3rd party application which can do this.

Re: Alert when utilization is high

Timothy_Hall — Mon, 29 May 2023 13:45:38 GMT

One roundabout way you could get this information is via the fw ctl multik print_heavy_conn command which reads the kernel table heavy_conn_table containing all current elephant flows, and also those detected for the last 24 hours. There does not seem to be any way to immediately alert when a heavy connection is detected nor is there any logfile of such that you could follow with tail -f. If you have at least R81.10 or the latest Jumbo HFA for R81/R80.40, another mechanism you can use to show current top connections (not necessarily declared elephants) is the top_conns command described here: sk172229: Top Connections Tool

So perhaps you could write a script that occasionally runs one of the above commands on your gateway searching for any displayed entries emanating from the subnets/VLANs where your user population is located. This could be done once an hour for top_conns (which is realtime only) or once a day for fw ctl multik print_heavy_conn. This solution wouldn't notify you in real time if some user was starting to hog bandwidth and is certainly not perfect, but if they are doing it constantly you will eventually catch them. Both of these great commands are covered and utilized for lab exercises in my Gateway Performance Optimization class.