This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Leon_Hung
Employee Alumnus
Employee Alumnus
‎2017-02-13 01:12 AM
Jump to solution

API performance optimization

When creating new objects, it costs over 10 mins to create around 200 objects.

Is there anyway to improve API performance when creating objects and ploices?

Cheers.

Labels
1 Solution

Accepted Solutions
Jim_Oqvist
Employee
Employee
‎2017-02-17 12:31 AM
Jump to solution

The basic flow of the API is the following

When executing a single command, for example "add host" using the mgmt_cli without calling the login command first. The mgmt_cli executable will in the background preform the following steps. [login] -> [add host using session ID from login] -> [publish] -> [logout].

To control this behavior you can call the login command first, retrieve the session ID, reuse the session ID in all your changes, for example add multiple host objects, publish all your changes at once by reusing the session ID and logout.

If you execute the command mgmt_cli add host with the batch flag [-b] the executable will for example create all 200 hosts in one session and then publish all the changes at the end.

For example by using the batch flag in the executable it took me ~2 minutes with one publish using one command to add 200 hosts on my test machine a R80 management server running in VMware workstation on a Laptop

After publish the hosts are available for the other administrators

View solution in original post

10 Replies
Eugene_Grybinny
Employee Alumnus
Employee Alumnus
‎2017-02-14 12:16 AM
Jump to solution

Hi Leon,

We will contact you soon to get the details.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2017-02-14 12:02 PM
Jump to solution

I noticed this when bulk-creating objects at a customer site with the R80 mgmt CLI.  Our workaround was to ensure everyone was out of the SmartConsole before starting the bulk object creation from the management CLI.  It ran much faster that way.  I think it has something to do with the fact that a publish occurs after every single object is created, and when multiple administrators are in the SmartConsole it seems to have to stop and wait for the publish to reach all SmartConsoles before moving on to the next object.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization
0 Kudos
Jim_Oqvist
Employee
Employee
‎2017-02-17 12:31 AM
Jump to solution

The basic flow of the API is the following

When executing a single command, for example "add host" using the mgmt_cli without calling the login command first. The mgmt_cli executable will in the background preform the following steps. [login] -> [add host using session ID from login] -> [publish] -> [logout].

To control this behavior you can call the login command first, retrieve the session ID, reuse the session ID in all your changes, for example add multiple host objects, publish all your changes at once by reusing the session ID and logout.

If you execute the command mgmt_cli add host with the batch flag [-b] the executable will for example create all 200 hosts in one session and then publish all the changes at the end.

For example by using the batch flag in the executable it took me ~2 minutes with one publish using one command to add 200 hosts on my test machine a R80 management server running in VMware workstation on a Laptop

After publish the hosts are available for the other administrators

Timothy_Hall
MVP Gold
MVP Gold
‎2017-02-19 06:10 AM
In response to Jim_Oqvist
Jump to solution

I figured there had to be some way to submit a series of transactions from the Management CLI and then publish them all at once (similar to a start...commit in clish) but couldn't figure out how to do it.  Thanks for the clarification.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization
0 Kudos
Leon_Hung
Employee Alumnus
Employee Alumnus
‎2017-02-19 06:22 PM
Jump to solution

Thanks for the clarification.

However, we need to meet the requirement for bulk-installing 5000 objects, within certain time frame.

The result for our lab is 200 objects in 2 minutes.

Do we have recommended number for 5000 objects?

0 Kudos
Leon_Hung
Employee Alumnus
Employee Alumnus
‎2017-02-19 07:31 PM
Jump to solution

More explanations for my question.

In this project, our competitor can install 5000 objects with 2 minutes through API, because they just rewrite the configuration file.

Do we have similar way to improve API performance?

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2018-01-09 10:40 AM
In response to Leon_Hung
Jump to solution

Can your competitor verify that the added objects do not break the policy? Rule Hide Rule? No duplicate IP's? No broken UID references? Generally Check Point chooses reliability over speed. Validating the security configuration is the cause for the time. And we want to assume that adding 5000 new objects is not an every-day case - if it is, perhaps Dynamic Objects might be more suitable.

Let me know your thoughts on this.

Raj_Khatri
Advisor
‎2018-01-11 06:42 AM
Jump to solution

You may want to follow sk119553 to increase the amount of memory for API depending on your hardware.  By default it is 32-bit with 256MB.  We recently modified to 64-bit with 4GB and performance has improved greatly.

Previously it was very slow for us well at processing.

Robert_Decker
Advisor
‎2018-01-11 06:53 AM
In response to Raj_Khatri
Jump to solution

Right. The default memory configuration is not enough for big databases.

And for 32-bit env. you may increase to 1GB (max. up to 2GB).

0 Kudos
Antonio_Costa
Participant
‎2018-12-12 01:04 PM
Jump to solution

Hi,

  Can I restrict a user to NOT be able to use detail-level "full" ?

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events