
Comparing 15000 series appliances against 6000 series

Hello!
Check Point released a new appliance line, the 6000 series, and here comes the new challenge. For a customer who wants NGTP functionality, in a scenario where the 15600 is a perfect match for them based on sizing, should we go for it, or is it even better to go with the 6800 model? You see, the NGTP performance of the 6800 is far better by datasheet and the price is much lower too.
Enterprise Testing Conditions:
6800 Security Gateway - 8.9 Gbps of Threat Prevention
15600 Security Gateway - 7.4 Gbps of Threat Prevention2
Both numbers are provided with R80.20.
Your opinions?
BR
Vato

Can't boot, no inittab file found, enter runlevel

Hello everyone, I really need urgent help from you. In fact, I recently tried to install OS GAIA R80.20 on my Check Point 3200 appliance but the installation did not really start. And since then, when I try to start my appliance I get the message:
Found volume group "vg_splat" using metadata type lvm2
4 logical volume(s) in volume group "vg_splat" now active
INIT: No inittab file found
INIT: Entering runlevel: 3
INIT: no more processes left in this runlevel
n 3 seconds]
I have already tried a factory and reset several times, still nothing. I really rely on you to help me fix this problem as soon as possible because I have to deploy the appliance this Saturday at a customer. I'm waiting, thank you.

Management IP address after factory reset

Hi, I'm trying to recall: if you do a factory reset on a gateway, does the IP address assigned to the mgt port stay intact or does it get reset to 192.168.1.1? Thanks.

PBR with VPN

Hi Mates,
Currently I am having a case like the following:
- We have a 5600 Appliance which has 2 external interfaces, one for Inbound traffic with a public IP, one for Outbound traffic with a private IP.
- We PBR all DMZ servers to the Inbound interface, and users access the internet through the Outbound interface with a normal route.
- We want to use Remote Access through the Inbound interface, but cannot. If I change the default route in the "normal" routing table from Outbound to Inbound, we can use Remote Access VPN normally.
I'm sure the problem is due to PBR, but is there any solution for remote access through the Inbound interface?
Thank you and Best Regards.

Geo-policy in the following scenario

Hi, I actually wanted to know if I can achieve the following using GEO POLICY in R80.20:
- BLOCK INCOMING from all countries but one
- ALLOW OUTGOING to all countries.
Is this possible in a simple way? The non-simple way is too time consuming: I would have to set the policy for other countries to Drop and then individually add rules for 250 countries as "allow to". Is there any simpler way of achieving this?

PBR and SecureXL issues in R80.20

Hi Guys,
Has anyone had any issues with PBR on R80.20?
I have tried an upgrade from a working R80.10 to R80.20 twice now and found that PBR is an issue once upgraded to R80.20. This is on JHF 33 and now JHF 73.
One of the troubleshooting steps after seeing sk109741 was to switch off SecureXL. Once we did that, all worked as it did on R80.10. (Also tried the PBR route lookup option; it made no difference.)
We have opened a TAC case and have had the environment running successfully without SecureXL for the entire day, but obviously we want to enable SecureXL ultimately. Just thought I would post in case anyone else is having PBR issues on R80.20?
(Also, if you have any ideas on how to fix this before TAC gets back to me, let me know.)

GAIA - Easy execute CLI commands on all gateways simultaneously

Now you can use the new commands "gw_mbash" and "gw_mclish" to execute bash or clish commands on all gateways simultaneously from the management server. All you have to do is copy and paste the above lines to the management server. After that you have two new commands on the management server. Here you can now centrally execute simple commands on all gateways which are connected via SIC with the management.

Attention! You can quickly destroy your gateways if you enter the wrong commands!

Command syntax:

Command: # gw_detect
         # gw_detect80
Description: Detect all your gateways that are supported by this tool. This command only needs to be executed once or when gateways changed in the topology. All found gateways are stored as IP addresses in the file /var/log/g_gateway.txt. All added IP addresses will be used later to execute commands on these gateways. The file can also be edited manually to add gateway IP addresses. The execution of this command may take a few minutes. Use "gw_detect80" on R80.x gateways; it is a little bit faster. Use "gw_detect" on R77.x gateways.

Command: # gw_mbash <command>
Description: Execute an expert mode command on all gateways simultaneously

Command: # gw_mclish <command>
Description: Execute a clish command on all gateways simultaneously

An example! You want to see the version of all gateways that are defined in the topology.

Management# gw_detect                          -> start this command first to detect all your supported gateways, or "gw_detect80" on R80.x gateways
Management# gw_mclish show version os edition  -> execute this command on all gateways

Now the command "show version os edition" is executed on all gateways and the output is displayed on the management server, sorted according to the IP addresses of the gateways in the firewall topology.

The same also works for the expert mode. For example:

Management# gw_detect        -> start this command first to detect all your supported gateways, or "gw_detect80" on R80.x gateways
Management# gw_mbash fw ver  -> execute this command on all gateways

Tip 1
Use this command to back up your clish configs from all gateways.

Management# gw_mclish show configuration > backup_clish_all_gateways.txt

This can also be started as a simple cronjob 😀.

Tip 2
Check central performance settings for all gateways:

Management# gw_mbash fw tab -t connections -s  -> show state table for all gateways
Management# gw_mbash fwaccel stat              -> show fwaccel states for all gateways
Management# gw_mbash ips stat                  -> check on which gateway ips is enabled
...

Copy and paste these lines to the management server or download the script "new_multi_commands.sh" and execute the script.

# gw_mbash: run an expert mode (bash) command on every gateway listed in /var/log/g_gateway.txt
echo '#!/bin/bash' > /usr/local/bin/gw_mbash
echo 'if [ ! -f /var/log/g_gateway.txt ]; then' >> /usr/local/bin/gw_mbash
echo 'echo "First start \"gw_detect\" and/or edit the file /var/log/g_gateway.txt manually. Add here all your gateway IP addresses."' >> /usr/local/bin/gw_mbash
echo 'else' >> /usr/local/bin/gw_mbash
echo 'HAtest="$*"' >> /usr/local/bin/gw_mbash
echo 'echo "$HAtest" > /var/log/g_command.txt;' >> /usr/local/bin/gw_mbash
echo 'while read -r line' >> /usr/local/bin/gw_mbash
echo 'do' >> /usr/local/bin/gw_mbash
echo 'if $CPDIR/bin/cprid_util getarch -server "$line" |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_mbash
echo 'then' >> /usr/local/bin/gw_mbash
echo 'echo "--------- GAIA $line execute command: $HAtest"' >> /usr/local/bin/gw_mbash
echo '$CPDIR/bin/cprid_util -server "$line" putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;' >> /usr/local/bin/gw_mbash
echo '$CPDIR/bin/cprid_util -server "$line" -verbose rexec -rcmd /bin/bash -f /var/log/g_command.txt' >> /usr/local/bin/gw_mbash
echo 'else' >> /usr/local/bin/gw_mbash
echo 'echo "--------- STOP $line Error: no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_mbash
echo 'fi' >> /usr/local/bin/gw_mbash
echo 'done < /var/log/g_gateway.txt' >> /usr/local/bin/gw_mbash
echo 'fi' >> /usr/local/bin/gw_mbash
chmod +x /usr/local/bin/gw_mbash

# gw_mclish: same as gw_mbash, but the command file is run through /bin/clish on each gateway
echo '#!/bin/bash' > /usr/local/bin/gw_mclish
echo 'if [ ! -f /var/log/g_gateway.txt ]; then' >> /usr/local/bin/gw_mclish
echo 'echo "First start \"gw_detect\" and/or edit the file /var/log/g_gateway.txt manually. Add here all your gateway IP addresses."' >> /usr/local/bin/gw_mclish
echo 'else' >> /usr/local/bin/gw_mclish
echo 'HAtest="$*"' >> /usr/local/bin/gw_mclish
echo 'echo "$HAtest" > /var/log/g_command.txt;' >> /usr/local/bin/gw_mclish
echo 'while read -r line' >> /usr/local/bin/gw_mclish
echo 'do' >> /usr/local/bin/gw_mclish
echo 'if $CPDIR/bin/cprid_util getarch -server "$line" |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_mclish
echo 'then' >> /usr/local/bin/gw_mclish
echo 'echo "--------- GAIA $line execute command: $HAtest"' >> /usr/local/bin/gw_mclish
echo '$CPDIR/bin/cprid_util -server "$line" putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;' >> /usr/local/bin/gw_mclish
echo '$CPDIR/bin/cprid_util -server "$line" -verbose rexec -rcmd /bin/clish -f /var/log/g_command.txt' >> /usr/local/bin/gw_mclish
echo 'else' >> /usr/local/bin/gw_mclish
echo 'echo "--------- STOP $line Error: no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_mclish
echo 'fi' >> /usr/local/bin/gw_mclish
echo 'done < /var/log/g_gateway.txt' >> /usr/local/bin/gw_mclish
echo 'fi' >> /usr/local/bin/gw_mclish
chmod +x /usr/local/bin/gw_mclish

# gw_detect: read gateway IP addresses from objects.C and keep those that answer as Gaia over SIC
echo '#!/bin/bash' > /usr/local/bin/gw_detect
echo 'echo -n > /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect
echo "more $FWDIR/conf/objects.C |grep -A 500 -B 1 ':type (gateway)'| sed -n '/gateway/,/:ipaddr (/p' | grep 'ipaddr (' | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//' > /var/log/g_gwl.txt" >> /usr/local/bin/gw_detect
echo 'while read -r line' >> /usr/local/bin/gw_detect
echo 'do' >> /usr/local/bin/gw_detect
echo 'if $CPDIR/bin/cprid_util getarch -server "$line" |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_detect
echo 'then' >> /usr/local/bin/gw_detect
echo 'echo "--------- GAIA $line "' >> /usr/local/bin/gw_detect
echo 'echo "$line" >> /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect
echo 'else' >> /usr/local/bin/gw_detect
echo 'echo "--------- STOP no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_detect
echo 'fi' >> /usr/local/bin/gw_detect
echo 'done < /var/log/g_gwl.txt' >> /usr/local/bin/gw_detect
chmod +x /usr/local/bin/gw_detect

# gw_detect80: same detection, but the gateway list comes from mgmt_cli (R80.x management)
echo '#!/bin/bash' > /usr/local/bin/gw_detect80
echo 'echo -n > /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect80
echo "mgmt_cli -r true show gateways-and-servers details-level full --format json | $CPDIR/jq/jq -r '.objects[] | select(.type | contains(\"Member\",\"simple-gateway\")) | .\"ipv4-address\"' |grep -v null|grep -v 0.0. > /var/log/g_gwl.txt" >> /usr/local/bin/gw_detect80
echo 'while read -r line' >> /usr/local/bin/gw_detect80
echo 'do' >> /usr/local/bin/gw_detect80
echo 'if $CPDIR/bin/cprid_util getarch -server "$line" |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_detect80
echo 'then' >> /usr/local/bin/gw_detect80
echo 'echo "--------- GAIA $line "' >> /usr/local/bin/gw_detect80
echo 'echo "$line" >> /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect80
echo 'else' >> /usr/local/bin/gw_detect80
echo 'echo "--------- STOP no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_detect80
echo 'fi' >> /usr/local/bin/gw_detect80
echo 'done < /var/log/g_gwl.txt' >> /usr/local/bin/gw_detect80
chmod +x /usr/local/bin/gw_detect80

Versions:
v0.1 - 04-14-2019 - gw_multi_commands_v0.1.sh -> beta
v0.2 - 04-16-2019 - gw_multi_commands_v0.2.sh -> remove bugs
v0.3 - 04-17-2019 - gw_multi_commands_v0.3.sh -> split to two commands (gw_detect and the old commands)
v0.4 - 05-05-2019 - gw_multi_commands_v0.4.sh -> add command "gw_detect80"

Copyright by Heiko Ankenbrand 1996-2019

OSPF Instances R80.20

Good day Mates,
I have recently read about the possibility of creating different OSPF instances in R80.20. This feature is really important for us as we have had issues with OSPF before, and we decided to use static routes instead. I would like to know if anyone has already implemented OSPF instances and if it is working as expected.
Thanks in advance

White Paper - Getting out of CPUSE Jumbo Jail

Author: @Eric_Oakeson
Abstract: This white paper addresses a situation where you are trying to update to a newer HFA, but CPUSE says it is trying to uninstall an older hotfix, and the older one doesn't exist. CPUSE says it's there and installed, but cannot uninstall it. This could happen when trying to restore from an older backup. The key is finding the Package Key, which is hidden, restoring the repository for that package, then uploading the older package. There is an SK that will direct you to TAC, but there is also another way to gather the information you need.

Installing Expansion Interface Cards to a Cluster Gateway

Does anyone have experience of installing expansion interface cards in a cluster gateway?
In our case we have a cluster object with members GW01 and GW02. Installing an expansion interface card requires powering off the appliance.
GW01: Active, GW02: Standby
If we install an interface card for GW02 first (power off, install card and power on), would GW02 be able to take the active state from GW01 after GW02 has been installed with the expansion card, so that we can do the same for GW01 (power off, install card and power on)?
I am referencing sk57100 but it seems not the same situation as my case.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk57100&t=1556617929901

Reboot no explanation

Hi, I recently have the issue that a customer of ours has an appliance that reboots without explanation. We have noticed the following behaviour:

[Expert@clusterFW2:0]# last -x |head |tac
reboot system boot 2.6.18-92cpx86_6 Fri Apr 12 02:44 (00:03)
runlevel (to lvl 3) 2.6.18-92cpx86_6 Fri Apr 12 02:44 - 02:48 (00:03)
runlevel (to lvl 6) 2.6.18-92cpx86_6 Fri Apr 12 02:48 - 02:48 (00:00)
shutdown system down 2.6.18-92cpx86_6 Fri Apr 12 02:48 - 15:59 (13:10)
reboot system boot 2.6.18-92cpx86_6 Fri Apr 12 02:51 (13:07)
runlevel (to lvl 3) 2.6.18-92cpx86_6 Fri Apr 12 02:51 - 15:59 (13:07)
sseidewi pts/2 dez7acomdv010.in Fri Apr 12 06:05 - 06:25 (00:20)
admin pts/2 dez7acomdv002.in Fri Apr 12 09:29 - 09:41 (00:12)
admin pts/2 dez7acomdv001.in Fri Apr 12 14:23 - 14:57 (00:33)
admin pts/2 dez7acomdv001.in Fri Apr 12 15:46 still logged in

This looks like a normal reboot, however runlevel 6 is making me wonder; a normal reboot should not show runlevel 6. In the messages file I can see the message Restart, but no errors previous to this, and the system reboots normally. There are no crash dumps available or errors. Can I somehow confirm that the system was not rebooted by simply pressing the power or inputting a command?

Enabled SecureXL means no traffic

Hi there,
has anyone had a problem with SecureXL after upgrading from R80.10 to R80.20?
At the beginning I thought that it might be a problem with NAT Templates, as they are disabled on 80.10 and enabled on 80.20, but it's not. I've turned them off and the issue persists.
Frankly speaking, I don't understand what is going on. FW.log shows everything is fine, rules are applied and working, but physically there is no internet communication.
And here comes the miracle: when I turn off SecureXL everything goes as it should.
I have already opened a Technical Assistance Case, but it looks like they suck more than I do (except one wonderful woman with whom we found that SecureXL is an issue). So I decided to ask here: have you guys faced such a crazy issue?
Regards
Arek
Danny inside Enterprise Appliances and Gaia OS Monday

HowTo - Creating an scpuser account on Gaia Clish

While reviewing Check Point installations I often encounter setups where the shell of the admin user account was changed to /bin/bash in order to allow copying documents via scp to and from Check Point Gaia systems. This is because the scponly shell isn't known. Follow these steps to create an scpuser for copying documents securely without compromising your admin account.

[ R77.30 ]
add user scpuser uid 2600 homedir /home/scpuser
set user scpuser shell /usr/bin/scponly
set user scpuser password
save config

[ R80.x ]
add user scpuser uid 2600 homedir /home/scpuser
set user scpuser realname Scpuser
add rba role scpRole domain-type System readwrite-features expert
add rba user scpuser roles scpRole
set user scpuser gid 100 shell /usr/bin/scponly
set user scpuser password
save config

Open server ISOMorphic failure

Was trying to do a clean (Standalone) install on an Open Server last week and ran into a strange issue.
It was on an HP DL360 G6 (so while an older server, it is on the HCL).
The initial install process does fine until it does the detection of the disks to install on. For some reason it picks up the Array (from the onboard controller, also on the HCL), but it also picks up the ISOMorphic USB as /dev/sda1 as a target.
So if you try to install, it attempts to create the LVM across both the array and the USB stick. This obviously breaks the USB stick (as it rewrites the partition table), and obviously won't let you go any further on the install.
I tried with a couple of different USB sticks, and they all showed the same issue. The USB stick I use has been used to install loads of appliances, so I know it's OK for those.
The customer managed to find me a USB DVD writer and a disk so I could make an install CD, as this was the only way I could get the **bleep** thing to install. I tried messing with all sorts of BIOS settings to see if I could change the behaviour, but no luck.
Anyone come across this before? Is there any fix other than "use a DVD"? I previously ran into this (with the same customer) when I did his R80.10 install. At the time TAC said that there was a fixed ISO, but I downloaded the supposedly fixed one at the time and no luck, so this time I didn't even bother opening a TAC case as I knew I had a workaround.
Danny inside Enterprise Appliances and Gaia OS a week ago

Performance issue: High pdpd load after R80.20 upgrade - identity agents can't connect

After migrating an HP ProLiant DL380 G7 HA cluster from R77.30 to R80.20 today, I'm experiencing extremely high CPU usage caused by the pdpd daemon, causing all identity agents not being able to connect and authenticate end users. When users are at home in the evening hours everything becomes normal. Anyone experienced this as well? Besides replacing the gateway with a better sized one, is there anything we could tune? The onboard NICs are in use while the HCL recommends avoiding them (ouch). pdpd is already set to use CPU 8.

System     Firewall Cluster Node (HA)
Type       ProLiant DL380 G7
OS         Gaia R80.20 JHF (Take 74) @ 64-bit
CPUSE      Build 1676
CPU        12 Cores 8 licensed | SMT: - | Load 7.23%
RAM        14 GB (Free: 0 GB) | Swapping 176 KB
SecureXL   On | Multi-Queue Interfaces -
CoreXL     On (11 Cores) | Dynamic Dispatcher: On

@Timothy_Hall, this is the result from your Super7:

[Executing:]# fwaccel stat
+---------------------------------------------------------------------------------+
|Id|Name     |Status     |Interfaces               |Features                      |
+---------------------------------------------------------------------------------+
|0 |SND      |enabled    |eth8,eth9,eth10,eth11,   |                              |
|  |         |           |eth4,eth5,eth6,eth7,eth0,|                              |
|  |         |           |eth1,eth2,eth3           |Acceleration,Cryptography     |
|  |         |           |                         |Crypto: Tunnel,UDPEncap,MD5,  |
|  |         |           |                         |SHA1,NULL,3DES,DES,AES-128,   |
|  |         |           |                         |AES-256,ESP,LinkSelection,    |
|  |         |           |                         |DynamicVPN,NatTraversal,      |
|  |         |           |                         |AES-XCBC,SHA256               |
+---------------------------------------------------------------------------------+
Accept Templates : disabled by Firewall
                   Layer FWEXT Security disables template offloads from rule #230
                   Throughput acceleration still enabled.
Drop Templates   : enabled
NAT Templates    : disabled by Firewall
                   Layer FWEXT Security disables template offloads from rule #230
                   Throughput acceleration still enabled.

[Executing:]# fwaccel stats -s
Accelerated conns/Total conns : 816/44272 (1%)
Accelerated pkts/Total pkts   : 5463775040/5959914034 (91%)
F2Fed pkts/Total pkts         : 496138994/5959914034 (8%)
F2V pkts/Total pkts           : 20585639/5959914034 (0%)
CPASXL pkts/Total pkts        : 498278614/5959914034 (8%)
PSLXL pkts/Total pkts         : 2212031456/5959914034 (37%)
CPAS inline pkts/Total pkts   : 0/5959914034 (0%)
PSL inline pkts/Total pkts    : 0/5959914034 (0%)
QOS inbound pkts/Total pkts   : 0/5959914034 (0%)
QOS outbound pkts/Total pkts  : 0/5959914034 (0%)
Corrected pkts/Total pkts     : 0/5959914034 (0%)

[Executing:]# grep -c ^processor /proc/cpuinfo && /sbin/cpuinfo
12
HyperThreading=disabled

[Executing:]# fw ctl affinity -l -r | more
CPU 0: eth8 eth9 eth10 eth11 eth4 eth5 eth6 eth7 eth0 eth1 eth2 eth3
CPU 1: fw_5 in.geod usrchkd pepd scanengine_s vpnd mpdaemon pdpd in.acapd in.emaild.smtp lpd in.asessiond rtmd in.msd fwd rad cpd cprid
CPU 2: fw_8 in.geod usrchkd pepd scanengine_s vpnd mpdaemon pdpd in.acapd in.emaild.smtp lpd in.asessiond rtmd in.msd fwd rad cpd cprid
CPU 3: fw_2 in.geod usrchkd pepd scanengine_s vpnd mpdaemon pdpd in.acapd in.emaild.smtp lpd in.asessiond rtmd in.msd fwd rad cpd cprid
CPU 4: fw_9 in.geod usrchkd pepd scanengine_s vpnd mpdaemon pdpd in.acapd in.emaild.smtp lpd in.asessiond rtmd in.msd fwd rad cpd cprid
CPU 5: fw_3 in.geod usrchkd pepd scanengine_s vpnd mpdaemon pdpd in.acapd in.emaild.smtp lpd in.asessiond rtmd in.msd fwd rad cpd cprid
CPU 6: fw_6 in.geod usrchkd pepd scanengine_s vpnd mpdaemon pdpd in.acapd in.emaild.smtp lpd in.asessiond rtmd in.msd fwd rad cpd cprid
CPU 7: fw_0 in.geod usrchkd pepd scanengine_s vpnd mpdaemon in.acapd in.emaild.smtp lpd in.asessiond rtmd in.msd rad cpd cprid
CPU 8:
CPU 9: fw_4 in.geod usrchkd pepd scanengine_s vpnd mpdaemon in.acapd in.emaild.smtp lpd in.asessiond rtmd in.msd rad cpd cprid
CPU 10: fw_7 in.geod usrchkd pepd scanengine_s vpnd mpdaemon in.acapd in.emaild.smtp lpd in.asessiond rtmd in.msd rad cpd cprid
CPU 11: fw_1 in.geod usrchkd pepd scanengine_s vpnd mpdaemon in.acapd in.emaild.smtp lpd in.asessiond rtmd in.msd rad cpd cprid
All:
The current license permits the use of CPUs 0, 1, 2, 3, 4, 5, 6, 7 only.

[Executing:]# netstat -ni | more
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 462740 0 0 0 20035876 0 0 0 BMRU
eth1 1500 0 0 0 0 0 0 0 0 0 BMU
eth2 1500 0 14380 0 0 0 66 0 0 0 BMRU
eth3 1500 0 0 0 0 0 0 0 0 0 BMU
eth4 1500 0 703032870 0 0 0 717938649 0 0 0 BMRU
eth4.604 1500 0 5648687 0 0 0 15032263 0 0 0 BMRU
eth4.614 1500 0 2192997 0 0 0 4829218 0 0 0 BMRU
eth4.624 1500 0 456325848 0 0 0 518681961 0 0 0 BMRU
eth4.634 1500 0 230299374 0 0 0 181932000 0 0 0 BMRU
eth4.670 1500 0 33711 0 0 0 14341 0 0 0 BMRU
eth4.742 1500 0 8437521 0 0 0 3943037 0 0 0 BMRU
eth4.770 1500 0 90401 0 0 0 386716 0 0 0 BMRU
eth5 1500 0 238714661 0 0 0 257576241 0 0 0 BMRU
eth5.602 1500 0 58496455 0 0 0 54996071 0 0 0 BMRU
eth5.605 1500 0 180064740 0 0 0 202893390 0 0 0 BMRU
eth5.615 1500 0 149135 0 0 0 443051 0 0 0 BMRU
eth6 1500 0 1084032057 0 321 0 1031148166 0 0 0 BMRU
eth6.603 1500 0 28780589 0 0 0 29674771 0 0 0 BMRU
eth6.606 1500 0 200973355 0 0 0 203472426 0 0 0 BMRU
eth6.616 1500 0 60 0 0 0 1375 0 0 0 BMRU
eth6.623 1500 0 685674334 0 0 0 679943082 0 0 0 BMRU
eth6.626 1500 0 48853 0 0 0 55223 0 0 0 BMRU
eth6.633 1500 0 89167501 0 0 0 66527473 0 0 0 BMRU
eth6.724 1500 0 79383049 0 0 0 55542371 0 0 0 BMRU
eth7 1500 0 1510933184 0 4460 0 1715055862 0 0 0 BMRU
eth8 1500 0 410325078 0 2132 0 14642643 0 0 0 BMRU
eth8.608 1500 0 395668331 0 0 0 466538 0 0 0 BMRU
eth8.800 1500 0 14652423 0 0 0 14176945 0 0 0 BMRU
eth9 1500 0 4418240 0 0 0 43687204 0 0 0 BMRU
eth10 1500 0 1050639628 0 0 0 934246991 0 0 0 BMRU
eth10.601 1500 0 530894165 0 0 0 547398536 0 0 0 BMRU
eth10.611 1500 0 209048 0 0 0 154341 0 0 0 BMRU
eth10.621 1500 0 456124650 0 0 0 360206871 0 0 0 BMRU
eth10.631 1500 0 63407433 0 0 0 29237069 0 0 0 BMRU
eth11 1500 0 987797444 0 182 0 1456539685 0 0 0 BMRU
eth11.600 1500 0 987793112 0 0 0 1468969765 0 0 0 BMRU
lo 16436 0 54653517 0 0 0 54653517 0 0 0 LRU

[Executing:]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
 0 | Yes    | 7   |        5557 | 15247
 1 | Yes    | 11  |        5542 |  8577
 2 | Yes    | 3   |        5728 |  8341
 3 | Yes    | 5   |        5620 |  8465
 4 | Yes    | 9   |        5850 |  8675
 5 | Yes    | 1   |        5550 |  8470
 6 | Yes    | 6   |        5612 |  8364
 7 | Yes    | 10  |        5796 |  8525
 8 | Yes    | 2   |        5621 |  8392
 9 | Yes    | 4   |        5739 |  8788

[Executing:]# cpstat os -f multi_cpu
Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|            76|          24|      76|        ?|          4922|
|   2|           8|            32|          60|      40|        ?|          4922|
|   3|          11|            29|          60|      40|        ?|          4923|
|   4|           9|            31|          60|      40|        ?|          4923|
|   5|          12|            31|          57|      43|        ?|          4923|
|   6|           9|            32|          59|      41|        ?|          4924|
|   7|          13|            26|          62|      38|        ?|          4924|
|   8|           7|            31|          62|      38|        ?|          4924|
|   9|           0|             2|          98|       2|        ?|          4925|
|  10|           9|            26|          65|      35|        ?|          4925|
|  11|          12|            26|          62|      38|        ?|          4926|
|  12|           7|            29|          63|      37|        ?|          4926|
---------------------------------------------------------------------------------

[Executing:]# fw ctl affinity -l -a
eth8: CPU 0
eth9: CPU 0
eth10: CPU 0
eth11: CPU 0
eth4: CPU 0
eth5: CPU 0
eth6: CPU 0
eth7: CPU 0
eth0: CPU 0
eth1: CPU 0
eth2: CPU 0
eth3: CPU 0
fw_0: CPU 7
fw_1: CPU 11
fw_2: CPU 3
fw_3: CPU 5
fw_4: CPU 9
fw_5: CPU 1
fw_6: CPU 6
fw_7: CPU 10
fw_8: CPU 2
fw_9: CPU 4
in.geod: CPU 1 2 3 4 5 6 7 9 10 11
usrchkd: CPU 1 2 3 4 5 6 7 9 10 11
pepd: CPU 1 2 3 4 5 6 7 9 10 11
scanengine_s: CPU 1 2 3 4 5 6 7 9 10 11
vpnd: CPU 1 2 3 4 5 6 7 9 10 11
mpdaemon: CPU 1 2 3 4 5 6 7 9 10 11
pdpd: CPU 8
in.acapd: CPU 1 2 3 4 5 6 7 9 10 11
in.emaild.smtp: CPU 1 2 3 4 5 6 7 9 10 11
lpd: CPU 1 2 3 4 5 6 7 9 10 11
in.asessiond: CPU 1 2 3 4 5 6 7 9 10 11
rtmd: CPU 1 2 3 4 5 6 7 9 10 11
in.msd: CPU 1 2 3 4 5 6 7 9 10 11
fwd: CPU 1 2 3 4 5 6
rad: CPU 1 2 3 4 5 6 7 9 10 11
cpd: CPU 1 2 3 4 5 6 7 9 10 11
cprid: CPU 1 2 3 4 5 6 7 9 10 11
The current license permits the use of CPUs 0, 1, 2, 3, 4, 5, 6, 7 only.

Thanks in advance for any comments and suggestions.