In this article we will explore the actual commands used to examine the current performance state of a gateway; all of them are safe to run on a production gateway. For each command, details are provided about its general purpose along with sample output. Interpreting the results for performance tuning purposes is beyond the scope of the CP4B series.
Command: show version os kernel
Command Mode: clish
Purpose: Display Gaia kernel version
Sample Output Notes: Results for both kernel 2.6.18 and 3.10 are shown below
gw> show version os kernel
OS kernel version 2.6.18-92cpx86_64
gw> show version os kernel
OS kernel version 3.10.0-957.21.3cpx86_64
Command: show bonding groups
Command Mode: clish
Purpose: Display all bonds and associated physical interfaces
Sample Output Notes: One bond present
gw> show bonding groups
Bonding Interface: 20
Bond Configuration
xmit_hash_policy Not configured
down-delay 200
primary Not configured
mode round-robin
up-delay 200
mii-interval 100
lacp_rate Not configured
Bond Interfaces
eth2
eth3
Command: fwaccel stat
Command Mode: expert
Purpose: Display current state of SecureXL (it is enabled by default)
Sample Output Notes: SecureXL currently enabled
[Expert@gw]# fwaccel stat
+-----------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------+
|0 |SND |enabled |eth0,eth1 |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,AES-128, |
| | | | |AES-256,ESP,LinkSelection, |
| | | | |DynamicVPN,NatTraversal, |
| | | | |AES-XCBC,SHA256 |
+-----------------------------------------------------------------------+
Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled
Command: enabled_blades
Command Mode: expert
Purpose: Display the blades/features currently enabled on the gateway; the set of enabled blades largely determines how much traffic SecureXL can fully accelerate
Sample Output Notes: This information can also be accessed through the SmartConsole on the General tab of a security gateway/cluster object.
[Expert@gw]# enabled_blades
fw vpn urlf av aspm appi ips dlp identityServer anti_bot ThreatEmulation qos mon vpn
Command: fwaccel stats -s
Command Mode: expert
Purpose: Display current SecureXL acceleration statistics
Sample Output Notes: The “Accelerated conns/Total conns” line indicates the connection Accept Templating rate; the remaining lines give the share of packets handled by each processing path, in this order: SXL (Accelerated pkts/Total pkts), F2F, F2V, CPASXL, PSLXL, QoS inbound/outbound and Corrected.
[Expert@gw]# fwaccel stats -s
Accelerated conns/Total conns : 1202/33715 (3%)
Accelerated pkts/Total pkts : 21963285170/50752857993 (43%)
F2Fed pkts/Total pkts : 7415368470/50752857993 (14%)
F2V pkts/Total pkts : 777807714/50752857993 (1%)
CPASXL pkts/Total pkts : 3519180973/50752857993 (6%)
PSLXL pkts/Total pkts : 17855023380/50752857993 (35%)
QOS inbound pkts/Total pkts : 0/50752857993 (0%)
QOS outbound pkts/Total pkts : 0/50752857993 (0%)
Corrected pkts/Total pkts : 0/50752857993 (0%)
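Since interpreting the numbers is out of scope, here is only the mechanics, as an added example rather than anything from the article: a POSIX shell script that pulls the per-path counters out of the output above and, because the fwaccel stats counters accumulate from the time SecureXL last started, also computes the acceleration rate over a short interval from two snapshots. The first snapshot is the sample output above; the second is constructed for this example with invented numbers, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the article. Parses 'fwaccel stats -s' output.

# Snapshot 1: the article's sample output, verbatim.
SNAP1='Accelerated conns/Total conns : 1202/33715 (3%)
Accelerated pkts/Total pkts : 21963285170/50752857993 (43%)
F2Fed pkts/Total pkts : 7415368470/50752857993 (14%)
F2V pkts/Total pkts : 777807714/50752857993 (1%)
CPASXL pkts/Total pkts : 3519180973/50752857993 (6%)
PSLXL pkts/Total pkts : 17855023380/50752857993 (35%)
QOS inbound pkts/Total pkts : 0/50752857993 (0%)
QOS outbound pkts/Total pkts : 0/50752857993 (0%)
Corrected pkts/Total pkts : 0/50752857993 (0%)'

# Snapshot 2: CONSTRUCTED for this example, as if taken a few seconds after
# SNAP1: 1,000,000 new packets, of which only 100,000 were fully accelerated.
SNAP2='Accelerated conns/Total conns : 1210/33790 (3%)
Accelerated pkts/Total pkts : 21963385170/50753857993 (43%)
F2Fed pkts/Total pkts : 7415768470/50753857993 (14%)
F2V pkts/Total pkts : 777807714/50753857993 (1%)
CPASXL pkts/Total pkts : 3519180973/50753857993 (6%)
PSLXL pkts/Total pkts : 17855523380/50753857993 (35%)
QOS inbound pkts/Total pkts : 0/50753857993 (0%)
QOS outbound pkts/Total pkts : 0/50753857993 (0%)
Corrected pkts/Total pkts : 0/50753857993 (0%)'

# sxl_counter LABEL  (stdin: fwaccel stats -s output)
# Prints "numerator denominator" of the line whose label begins with LABEL,
# e.g. "21963285170 50752857993" for "Accelerated pkts".
sxl_counter() {
    awk -v label="$1" '
        index($0, label) == 1 {
            s = $0
            sub(/^[^:]*: */, "", s)      # leaves "1202/33715 (3%)"
            split(s, p, "[/ ]")          # p[1]=numerator p[2]=denominator
            print p[1], p[2]
            exit
        }'
}

# sxl_pct LABEL TEXT -> share of the total for that path, two decimals.
sxl_pct() {
    printf '%s\n' "$2" | sxl_counter "$1" |
        awk '{ printf "%.2f\n", (($2 > 0) ? 100 * $1 / $2 : 0) }'
}

# sxl_delta_pct LABEL BEFORE AFTER -> share of the packets seen between the
# two snapshots (counter deltas), two decimals. This is what the gateway is
# doing now, as opposed to the cumulative figure since SecureXL started.
sxl_delta_pct() {
    {
        printf '%s\n' "$2" | sxl_counter "$1"
        printf '%s\n' "$3" | sxl_counter "$1"
    } | awk 'NR == 1 { n1 = $1; d1 = $2 }
             NR == 2 { dn = $1 - n1; dd = $2 - d1
                       printf "%.2f\n", ((dd > 0) ? 100 * dn / dd : 0) }'
}

# sxl_report TEXT -> one line per counter of interest.
sxl_report() {
    for label in "Accelerated conns" "Accelerated pkts" "F2Fed pkts" \
                 "F2V pkts" "CPASXL pkts" "PSLXL pkts"; do
        printf '%-18s %6s%%\n' "$label" "$(sxl_pct "$label" "$1")"
    done
}

echo "Cumulative since SecureXL start:"
sxl_report "$SNAP1"
echo "Accelerated pkts between snapshots: $(sxl_delta_pct 'Accelerated pkts' "$SNAP1" "$SNAP2")%"
echo "PSLXL pkts between snapshots:       $(sxl_delta_pct 'PSLXL pkts' "$SNAP1" "$SNAP2")%"
```

On a live gateway the two snapshots would be taken with something like `SNAP1=$(fwaccel stats -s); sleep 10; SNAP2=$(fwaccel stats -s)` before calling the functions. The point of the delta: the constructed second snapshot shows a gateway whose cumulative acceleration rate is still 43% while only 10% of the packets in the last interval were fully accelerated, which the cumulative figure alone would hide.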
Commands: cat /proc/smt_status (2.6.18 kernel), lscpu | grep Thread (3.10 kernel)
Command Mode: expert
Purpose: Display state of Symmetric MultiThreading (SMT), enabled or disabled
Sample Output Notes: Different command needed depending on Gaia kernel version
[Expert@gw]# cat /proc/smt_status (2.6.18 kernel)
0 = SMT off
1 = SMT on
[Expert@gw]# lscpu | grep Thread (3.10 kernel)
1 = SMT off
2+ = SMT on
Command: fw ctl affinity -l -r
Command Mode: expert
Purpose: Display current CoreXL split
Sample Output Notes: SMT is disabled, CoreXL split is the default 2/6. CPUs/Cores 0-1 are Secure Network Dispatchers (SNDs), CPUs/Cores 2-7 are Firewall Workers (Firewall Instances):
[Expert@gw]# fw ctl affinity -l -r
CPU 0: eth2-01 eth2-02
CPU 1: Mgmt eth2-03
CPU 2: fw_5
CPU 3: fw_4
CPU 4: fw_3
CPU 5: fw_2
CPU 6: fw_1
CPU 7: fw_0
Sample Output Notes: SMT is enabled, CoreXL split is the default 2/14. CPUs/Cores 0 & 8 are Secure Network Dispatchers (SNDs), CPUs/Cores 1-7 & 9-15 are Firewall Workers (Firewall Instances):
[Expert@gw]# fw ctl affinity -l -r
CPU 0: eth2-01 eth2-02
CPU 1: fw_13
CPU 2: fw_11
CPU 3: fw_9
CPU 4: fw_7
CPU 5: fw_5
CPU 6: fw_3
CPU 7: fw_1
CPU 8: Mgmt eth2-03
CPU 9: fw_12
CPU 10: fw_10
CPU 11: fw_8
CPU 12: fw_6
CPU 13: fw_4
CPU 14: fw_2
CPU 15: fw_0
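The SMT check and the CoreXL split above are things a script can derive rather than eyeball. The following POSIX shell script is an added example, not code from the article: the parsing functions take their input as text so they can be checked offline against the two affinity listings above and the two SMT outputs, and the `smt_state` wrapper at the end runs the kernel-appropriate command on a real gateway. The function names and the rule that a CPU hosting an `fw_N` instance counts as a worker are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the article: derive the CoreXL split and the
# SMT state from the command output shown above.

# Article sample: SMT disabled, default 2/6 split.
AFFINITY_NOSMT='CPU 0: eth2-01 eth2-02
CPU 1: Mgmt eth2-03
CPU 2: fw_5
CPU 3: fw_4
CPU 4: fw_3
CPU 5: fw_2
CPU 6: fw_1
CPU 7: fw_0'

# Article sample: SMT enabled, default 2/14 split.
AFFINITY_SMT='CPU 0: eth2-01 eth2-02
CPU 1: fw_13
CPU 2: fw_11
CPU 3: fw_9
CPU 4: fw_7
CPU 5: fw_5
CPU 6: fw_3
CPU 7: fw_1
CPU 8: Mgmt eth2-03
CPU 9: fw_12
CPU 10: fw_10
CPU 11: fw_8
CPU 12: fw_6
CPU 13: fw_4
CPU 14: fw_2
CPU 15: fw_0'

# corexl_split TEXT -> "SNDs/Workers", e.g. "2/6".
# Assumption: a CPU hosting a firewall instance (fw_N) is a worker; every
# other "CPU n:" line is an SND. A CPU carrying both is counted as a worker.
corexl_split() {
    printf '%s\n' "$1" | awk '
        /^CPU [0-9]+:/ { if ($0 ~ /fw_[0-9]+/) workers++; else snds++ }
        END { printf "%d/%d\n", snds, workers }'
}

# snd_cpus TEXT -> space-separated ids of the SND CPUs, e.g. "0 8".
snd_cpus() {
    printf '%s\n' "$1" | awk '
        /^CPU [0-9]+:/ && $0 !~ /fw_[0-9]+/ {
            id = $2; sub(/:/, "", id)
            ids = (ids == "") ? id : ids " " id
        }
        END { print ids }'
}

# smt_from_output KERNEL_VERSION OUTPUT -> "on" or "off"
# 2.6.18 kernels: OUTPUT is the content of /proc/smt_status (0 or 1).
# 3.10 kernels:   OUTPUT is the "Thread(s) per core" line from lscpu
#                 (1 = SMT off, 2 or more = SMT on).
smt_from_output() {
    case "$1" in
        2.6.*)
            if [ "$(printf '%s' "$2" | tr -d '[:space:]')" = 1 ]; then
                echo on
            else
                echo off
            fi ;;
        *)
            printf '%s\n' "$2" | awk -F: '/Thread\(s\) per core/ {
                s = ($2 + 0 > 1) ? "on" : "off"; print s; exit }' ;;
    esac
}

# smt_state -> picks the right command for the running kernel (live gateway only).
smt_state() {
    k=$(uname -r)
    case "$k" in
        2.6.*) smt_from_output "$k" "$(cat /proc/smt_status)" ;;
        *)     smt_from_output "$k" "$(lscpu | grep Thread)" ;;
    esac
}

echo "SMT off sample: $(corexl_split "$AFFINITY_NOSMT") split, SNDs on CPU $(snd_cpus "$AFFINITY_NOSMT")"
echo "SMT on sample:  $(corexl_split "$AFFINITY_SMT") split, SNDs on CPU $(snd_cpus "$AFFINITY_SMT")"
```

On a gateway, `corexl_split "$(fw ctl affinity -l -r)"` and `smt_state` give the two facts the notes above derive by hand; `snd_cpus` is what you would compare against the interface RX queue placement when checking whether the SND cores are the ones actually receiving traffic.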
Command: netstat -ni
Command Mode: expert
Purpose: Display Gaia network interface counters including errors
Sample Output Notes: RX-OK and TX-OK are the total counts of successfully received and transmitted Ethernet frames, respectively. RX-ERR, RX-OVR, TX-DRP and TX-OVR should be zero or nearly zero and must not be actively increasing. RX-DRP should ideally be less than 0.1% of RX-OK.
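The thresholds above are easy to misapply by reading the wrong column, since the position of the counters in `netstat -ni` output differs between net-tools releases (some print a "Met" column, some do not). The following POSIX shell script is an added example, not code from the article: it locates the columns by header name and applies the zero/near-zero and 0.1% rules to each physical interface. The sample output is constructed for the example with invented counter values, and the interpretation of 0.1% as a share of RX-OK is an assumption.

```shell
#!/bin/sh
# Added example, not code from the article: apply the netstat -ni counter
# thresholds to each interface, finding columns by header name.

# CONSTRUCTED sample in net-tools format; every counter value is invented.
NETSTAT_SAMPLE='Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
Mgmt       1500   0  9876543      0      0      0  1234567      0      0      0 BMRU
eth2-01    1500   0 48213377      0   9812      0 39021118      0      0      0 BMRU
eth2-02    1500   0 51877410      0 104211     37 44002981      0    120      0 BMRU
eth2-03    1500   0        0      0      0      0        0      0      0      0 BMU
lo        16436   0   311002      0      0      0   311002      0      0      0 LRU'

# nic_check  (stdin: netstat -ni output)
# Prints "IFACE OK" or "IFACE WARN <reasons>" for every interface except lo.
# Rules: RX-ERR, RX-OVR, TX-DRP and TX-OVR must be zero; RX-DRP must be below
# 0.1% of RX-OK (assumption: the 0.1% guideline is taken relative to RX-OK).
nic_check() {
    awk -v maxdrp=0.001 '
        BEGIN { nhard = split("RX-ERR RX-OVR TX-DRP TX-OVR", hard, " ") }
        /^Iface/ { for (i = 1; i <= NF; i++) col[$i] = i; next }   # header row
        !("RX-OK" in col) || $1 == "lo" || NF == 0 { next }         # banner, loopback
        {
            reason = ""
            for (k = 1; k <= nhard; k++) {
                v = $(col[hard[k]])
                if (v != 0) reason = reason " " hard[k] "=" v
            }
            rxok = $(col["RX-OK"]); rxdrp = $(col["RX-DRP"])
            if (rxok > 0 && rxdrp / rxok > maxdrp)
                reason = reason sprintf(" RX-DRP=%.2f%%", 100 * rxdrp / rxok)
            status = "OK"
            if (reason != "") status = "WARN" reason
            print $1, status
        }'
}

# nic_status IFACE TEXT -> "OK" or "WARN" for a single interface.
nic_status() {
    printf '%s\n' "$2" | nic_check | awk -v i="$1" '$1 == i { print $2 }'
}

printf '%s\n' "$NETSTAT_SAMPLE" | nic_check
# On a gateway:  netstat -ni | nic_check
```

In the constructed sample eth2-01 passes (its RX-DRP is about 0.02% of RX-OK) while eth2-02 is flagged for non-zero RX-OVR and TX-DRP and an RX-DRP rate of about 0.2%. Because the counters are cumulative, a WARN on its own says nothing about whether the problem is current; run the check twice a minute apart and compare, which is what "not actively increasing" means in practice.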
Command: fw ctl multik dynamic_dispatching get_mode
Command Mode: expert
Purpose: Display current state of Dynamic Dispatcher (enabled by default in R80.10+)
Sample Output Notes: State is enabled
[Expert@gw]# fw ctl multik dynamic_dispatching get_mode
Current mode is On
Command: fw ctl multik stat
Command Mode: expert
Purpose: Display current and peak number of connections for each firewall worker to verify connections are well-balanced by the Dynamic Dispatcher
Sample Output Notes: Connections are evenly balanced on a system with a 2/6 CoreXL split:
[Expert@gw]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
-------------------------------------------
0 | Yes | 7 | 3274 | 29085
1 | Yes | 6 | 2656 | 33469
2 | Yes | 5 | 2611 | 33813
3 | Yes | 4 | 3460 | 31557
4 | Yes | 3 | 3360 | 28837
5 | Yes | 2 | 2776 | 34874
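"Evenly balanced" is a judgement call when read off the table; a max/min ratio of the Connections column makes it a number. The following POSIX shell script is an added example, not code from the article: it computes that ratio from `fw ctl multik stat` output for the sample above and for a second, constructed table with invented values where one worker holds about four times the connections of the others. The 2.0 ratio used as the default limit is my assumption for the example, not a Check Point figure.

```shell
#!/bin/sh
# Added example, not code from the article: measure how evenly connections are
# spread across firewall workers in 'fw ctl multik stat' output.

# Article sample: 2/6 split, well balanced.
MULTIK_SAMPLE='ID | Active | CPU | Connections | Peak
-------------------------------------------
0 | Yes | 7 | 3274 | 29085
1 | Yes | 6 | 2656 | 33469
2 | Yes | 5 | 2611 | 33813
3 | Yes | 4 | 3460 | 31557
4 | Yes | 3 | 3360 | 28837
5 | Yes | 2 | 2776 | 34874'

# CONSTRUCTED skewed distribution (values invented): worker 0 holds roughly
# four times the connections of the others.
MULTIK_SKEWED='ID | Active | CPU | Connections | Peak
-------------------------------------------
0 | Yes | 7 | 9120 | 29085
1 | Yes | 6 | 2310 | 33469
2 | Yes | 5 | 2290 | 33813
3 | Yes | 4 | 2405 | 31557
4 | Yes | 3 | 2250 | 28837
5 | Yes | 2 | 2330 | 34874'

# multik_balance TEXT -> "MIN MAX RATIO" over active workers, RATIO = MAX/MIN.
# Only rows whose ID is numeric and whose Active column is Yes are counted,
# so the header and separator lines are ignored.
multik_balance() {
    printf '%s\n' "$1" | awk -F'|' '
        $1 ~ /^ *[0-9]+ *$/ && $2 ~ /Yes/ {
            c = $4 + 0
            if (n == 0 || c < min) min = c
            if (n == 0 || c > max) max = c
            n++
        }
        END { if (n > 0) printf "%d %d %.2f\n", min, max, (min > 0 ? max / min : 0) }'
}

# multik_balanced TEXT [MAXRATIO] -> exit status 0 when MAX/MIN <= MAXRATIO.
# The default limit of 2.0 is an assumption made for this example.
multik_balanced() {
    multik_balance "$1" | awk -v limit="${2:-2.0}" '{ exit !($3 + 0 <= limit + 0) }'
}

for s in "$MULTIK_SAMPLE" "$MULTIK_SKEWED"; do
    set -- $(multik_balance "$s")
    if multik_balanced "$s"; then
        echo "balanced: min=$1 max=$2 ratio=$3"
    else
        echo "SKEWED:   min=$1 max=$2 ratio=$3"
    fi
done
```

On a gateway: `multik_balanced "$(fw ctl multik stat)" || echo "check Dynamic Dispatcher"`. The Peak column is deliberately left out of the ratio; it records the high-water mark since the workers started, and a single old burst on one worker would otherwise skew a check that is meant to describe the current distribution.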
Command: cpprod_util FwIsUsermode
Command Mode: expert
Purpose: Display current state of the User Space Firewall (USFW), which is enabled by default on most new gateway appliances starting in R80.30; see sk167052 (Check Point User-Space firewall support for R80.30 3.10 and above) for the latest updates
Sample Output Notes: N/A
[Expert@gw]# cpprod_util FwIsUsermode
0 = USFW Disabled
1 = USFW Enabled
Command: fw ctl fast_accel show_table
Command Mode: expert
Purpose: Display traffic whitelisted for forced acceleration by SecureXL (the table is empty by default)
Sample Output Notes: No whitelisted traffic defined
[Expert@gw]# fw ctl fast_accel show_table
fw fast_accel: There are no rules in the fast_accel table.
About the author
The Performance Optimization Series is written for you by Timothy Hall.