Finding Bandwidth consuming for particular Host

Dear All,

 

Just wanted to check if there is any workaround to check the bandwidth consumed/consuming for a particular host machine.

Customer's Internet Bandwidth was choked due to "few hosts to some destination IP" consuming high.

From SmartMonitor we can see only Source or Destination which is consuming.

But we need to check for the "Which Source against Which Destination" more bandwidth consumed/consuming.

 

Just like in Cisco command: --ip flow top-talkers

CISCO-ASA#sh ip flow top-talkers

SrcIf    SrcIPaddress       DstIf    DstIPaddress       Pr    SrcP    DstP    Bytes
Gi0/1    172.215.114.126    Gi0/0    202.100.109.236    06    0050    BBEB    19M
Gi0/1    123.175.213.143    Gi0/0    202.100.109.236    06    0050    3891    16M

In above we could see 2 Sources against 2 Destinations with "Bytes" consumed.

By any chance can we see something like this in CheckPoint??

 

Regards, Prabulingam.N

0 Kudos
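
An added example, not part of the original post and not Cisco or Check Point code: a parser for the `sh ip flow top-talkers` output quoted above that totals bytes per source/destination pair, which is the view the question asks for. It assumes the Pr, SrcP and DstP columns are hexadecimal and that K/M/G suffixes are decimal multipliers; the function names are illustrative.

```python
from collections import defaultdict

# Rows copied from the output quoted in the question.
SAMPLE = """\
SrcIf    SrcIPaddress       DstIf    DstIPaddress       Pr    SrcP    DstP    Bytes
Gi0/1    172.215.114.126    Gi0/0    202.100.109.236    06    0050    BBEB    19M
Gi0/1    123.175.213.143    Gi0/0    202.100.109.236    06    0050    3891    16M
"""

# Assumption: suffixes are decimal multipliers (19M = 19,000,000 bytes).
UNITS = {"K": 10**3, "M": 10**6, "G": 10**9}


def parse_bytes(field):
    """Convert a Bytes column such as '19M' or '4821' to an integer."""
    suffix = field[-1].upper()
    if suffix in UNITS:
        return int(float(field[:-1]) * UNITS[suffix])
    return int(field)


def parse_flows(text):
    """Return one dict per flow row; header and malformed rows are skipped."""
    flows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 8 or cols[0] == "SrcIf":
            continue
        try:
            flows.append({
                "src": cols[1], "dst": cols[3],
                "proto": int(cols[4], 16),   # 06 -> 6 (TCP)
                "sport": int(cols[5], 16),   # 0050 -> 80
                "dport": int(cols[6], 16),
                "bytes": parse_bytes(cols[7]),
            })
        except ValueError:
            continue  # row with a non-hex or non-numeric field
    return flows


def top_pairs(flows, n=10):
    """Sum bytes per (source, destination) pair and rank by volume."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["dst"])] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    for (src, dst), total in top_pairs(parse_flows(SAMPLE)):
        print(f"{src:>16} -> {dst:<16} {total:>12} bytes")
```

Decoding the hex columns shows both flows are TCP with source port 80, so the bytes counted are web responses flowing toward 202.100.109.236.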
1 Solution

Accepted Solutions
Hi @Prabulingam_N1 

In computer networking, an elephant flow (heavy connection) is an extremely large (in total bytes) continuous flow set up by a TCP (or other protocol) flow measured over a network link. Elephant flows, though not numerous, can occupy a disproportionate share of the total bandwidth over a period of time. Observations were made that a small number of flows carry the majority of Internet traffic and the remainder consists of a large number of flows that carry very little Internet traffic (mice flows).

All packets associated with that elephant flow must be handled by the same firewall worker core (CoreXL instance). Packets could be dropped by Firewall when CPU cores, on which Firewall runs, are fully utilized. Such packet loss might occur regardless of the connection's type. 

What typically produces heavy connections:

  • System backups
  • Database backups
  • VMWare sync.

Evaluation of heavy connections (elephant flows)

A first indication is a high CPU load on a core if all other cores have a normal CPU load. This can be displayed very nicely with "top". Ok, now a core has 100% CPU usage. What can we do now? For this there is a SK105762 to activate "Firewall Priority Queues".  This feature allows the administrator to monitor the heavy connections that consume the most CPU resources without interrupting the normal operation of the Firewall. After enabling this feature, the relevant information is available in CPView Utility. The system saves heavy connection data for the last 24 hours and CPDiag has a matching collector which uploads this data for diagnosis purposes.

Heavy connection flow system definition on Check Point gateways:

  • Specific instance CPU is over 60%
  • Suspected connection lasts more than 10s
  • Suspected connection utilizes more than 50% of the total work the instance does. In other words, connection CPU utilization must be > 30%  

Enable the monitoring of heavy connections.

To enable the monitoring of heavy connections that consume high CPU resources:

# fw ctl multik prioq 1

# reboot

Found heavy connection on the gateway with "print_heavy_conn"

On the system itself, heavy connection data is accessible using the command: 

# fw ctl multik print_heavy_conn

Found heavy connection on the gateway with cpview

# cpview                CPU > Top-Connection > InstancesX

Read more here:

R80.x - Performance Tuning Tip - Elephant Flows (Heavy Connections)

12 Replies
Advisor

Use CPView on the Gateway

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Can pull details such as Top Connections which will show by Bandwidth the largest connections.


Dear mdjmcnally,

But Top Connections are not always proportional to the Bandwidth.

Hence with CPView it will be tough to get the required info.

I hope any of the CheckMates who faced this query from a customer can give suggestions.

 

Regards, Prabulingam.N

0 Kudos
Hello,

I would highly recommend Craig Dods' Top Talkers script that can be found here:

http://expert-mode.blogspot.com/2013/05/checkpoint-top-talkers-script-display.html

It should achieve what you are looking for but do let us know if that is not the case.

I hope this helps.

Hello Nick.

 

Thanks for this script. Let me try it and find out whether we can see anything regarding the bandwidth.

 

Regards, Prabulingam.N

0 Kudos
Admin
We have a presentation at CPX about Elephant Flows in the CheckMates track.
We'll post it after the Vienna event 🙂
Great then, I will wait for that.

 

Regards, Prabulingam.N

0 Kudos
Contributor

Is there an SK or something that we could use now instead of waiting for a CPX event?

0 Kudos

Hello Heiko,

 

Thanks very much for the detailed information; I will try this.

But this also lists only CPU% and connections, with no info related to "how many bytes consumed".

 

I will also try Nick's script as well.

 

Regards, Prabulingam.N

0 Kudos
Advisor

Top connections by throughput (Network -> Top-Connections)

This isn't done by CPU consumed but by Throughput.

Don't confuse with 

Top connections by CPU (I/S -> CPU -> Top-Connections)

Which will show by CPU

0 Kudos
Admin
If you want bytes consumed, once you've figured out what connection it is, you can always go look in SmartView (logs) and see this information.
That assumes it's either matching on an App Control rule or you've explicitly enabled Accounting on that rule.
Contributor

So the "accepted solution" is only per CPU, right? Seems like there should be a way to see the top connections/talkers overall, rather than per CPU.