This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Joe_Kanaszka
Advisor
‎2025-12-18 06:36 AM
Jump to solution

Installing Event Policy EXTREMELY slow on SmartEvent Smart-1 600-S appliance

Hey guys.  Small Network.  (2) 9100 Security Gateways - Cluster XL.  SMS is a VM.  Smart Event is logging server and running on a Smart-1 600-S appliance.

SGs are running R81.20 Take 118

SMS and Smart Event are running R81.20 Take 119

 

Whenever I need to change my Event Policy and install it - I might as well go grab a cup of coffee because it literally takes a few minutes.

 

Why is this?  What could be causing this slowness?

 

 

Labels
3 Solutions

Accepted Solutions
Don_Paterson
MVP Gold
MVP Gold
‎2025-12-18 08:55 AM
In response to Joe_Kanaszka
Jump to solution

You're welcome. 

That sounds good, and maybe even normal for SmartEvent. 

No issues with the setup. It's a good deployment option and having log and event management separate from the SMS is ideal. 

The CU does all the heavy lifting, trawling through incoming logs and keeping Event Candidates in memory until a threshold is reached and then it notifies the event server of the new event. That's for events/incidents  that depend on multiple logs, and dependant on the event policy. 

A single IPS log is all that is needed for a new event of that type. 

View solution in original post

(1)
Timothy_Hall
MVP Gold
MVP Gold
‎2025-12-18 11:39 AM
In response to Don_Paterson
Jump to solution

As @Don_Paterson said, process fwm is heavily involved with installing the event policy and tuning SmartEvent.  This is why the legacy SmartEvent Policy Editor GUI is separate from the main SmartConsole GUI: only fwm can handle it.  This is also why some other legacy functions remain in the old-school SmartDashboard GUI: fwm dependency.

Unfortunately, fwm is very old and single-threaded, so the speed of operations like installing the event policy is largely constrained by the processing power of a single core.  I wasn't able to determine which processor is used in the 600-S, but its replacement, the 700, uses "Intel(R) Celeron(R) CPU J4105 @ 1.50GHz," so I would expect the 600-S to use something similar.  As you can see, they do not put high-power processors such as Xeon in their lower-end Smart-1 models.

Thankfully with each new release, responsibilities are taken away from fwm and added into cpm or other new processes.  Quite a bit of this happened for R82, and full policy installation times saw definite improvement as fwm was moved further out of the loop.  Haven't looked at R82.10 yet, but I would expect this process of getting away from fwm to continue.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

the_rock
MVP Diamond
MVP Diamond
‎2025-12-18 12:05 PM
In response to Timothy_Hall
Jump to solution

I personally found fwm is totally fine in R82, never had any problems in the lab or with any clients.

Best,
Andy

View solution in original post

(1)
19 Replies
the_rock
MVP Diamond
MVP Diamond
‎2025-12-18 07:24 AM
Jump to solution

Hey brother,

You are strictly referring to applying SE policy from smart event console itself, right?

Best,
Andy
Joe_Kanaszka
Advisor
‎2025-12-18 07:28 AM
In response to the_rock
Jump to solution

Hey Andy - yes sir.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-12-18 07:30 AM
In response to Joe_Kanaszka
Jump to solution

Man, no need to call me sir, I just turned 46, haha lol.

Anywho, mind sharing cpu/memory usage from top command? Also, how much RAM on this smart-1? Since its all in one box (mgmt + se), that would usually warrant for at least 32 GB of ram.

Best,
Andy
Joe_Kanaszka
Advisor
‎2025-12-18 08:02 AM
In response to the_rock
Jump to solution

Thanks again Andy.  My SMS is a separate VM.  Looks like this Smart Event box has 16GB Mem / 6 CPUs

Installing event policy does spike two of the 6 CPUs

 

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-12-18 08:07 AM
In response to Joe_Kanaszka
Jump to solution

If its separate VM, that sounds like good amount of resources, specially 6 CPUs and 16 GB of ram. Mine is 4 CPUs and 8 GB of ram in the lab and its fine. Did you try evrestart or quick reboot to see if it helps?

Best,
Andy
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-12-18 07:36 AM
In response to Joe_Kanaszka
Jump to solution

Btw, just to be 100% sure, I assume this is policy you meant?

Screenshot_1.png

Best,
Andy
Joe_Kanaszka
Advisor
‎2025-12-18 08:03 AM
In response to the_rock
Jump to solution

Yes

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-12-18 12:32 PM
In response to Joe_Kanaszka
Jump to solution

Hey Joe,

Just a thought, but since really doing evstop; evstart would not cause any issues, I would really give that a go and see if its any faster. If it is, just monitor for 24 hours and then compare.

Best,
Andy
0 Kudos
Don_Paterson
MVP Gold
MVP Gold
‎2025-12-18 07:52 AM
Jump to solution

In the lower right hand side of the SmartEvent gui there is a status link. 

How does the status and sizing look?

Do you have any more 'complex' event definitions?

I would also check the output of top or htop and/or cpview. You can do that before and during to see resources utilisation. 

The two cpse.. processed are the SME server and SME Correlation Unit

Cpview can show log receive rates, in the Advanced > Management area (if I remember that path correctly)  

The Correlation Unit may be busy analysing a lot of log volume while also doing the policy installation, and that'swhy it is slow. . 

If you rebooted already you could still try evstop and evstart.

You could try the command CPLogInvestigator to get more visibility of log volumes. 

I've always found SME policy installations took minutes.

 

(1)
Joe_Kanaszka
Advisor
‎2025-12-18 08:09 AM
In response to Don_Paterson
Jump to solution

Good morning and thank you Don!.  Status looks good - all green.  Scale is according to recommendation.   Actually i just installed Event Policy again and it did not take that long...maybe two minutes.

 

In my case, the SME is both the Correlation unit and the log server.  Any issue there?

Don_Paterson
MVP Gold
MVP Gold
‎2025-12-18 08:55 AM
In response to Joe_Kanaszka
Jump to solution

You're welcome. 

That sounds good, and maybe even normal for SmartEvent. 

No issues with the setup. It's a good deployment option and having log and event management separate from the SMS is ideal. 

The CU does all the heavy lifting, trawling through incoming logs and keeping Event Candidates in memory until a threshold is reached and then it notifies the event server of the new event. That's for events/incidents  that depend on multiple logs, and dependant on the event policy. 

A single IPS log is all that is needed for a new event of that type. 

(1)
the_rock
MVP Diamond
MVP Diamond
‎2025-12-18 10:08 AM
In response to Joe_Kanaszka
Jump to solution

But even 2 mins, seems a bit long, should not take longer than a minute, in my experience.

Best,
Andy
0 Kudos
Don_Paterson
MVP Gold
MVP Gold
‎2025-12-18 10:59 AM
In response to the_rock
Jump to solution

 

You are right - It may be, but will depend on what's going on in the box.

 

Time to talk tools... Maybe recommending hcp -r all is a good idea, to see what Health Check Point reports.

I would also run Doctor Log

/opt/CPrt-R82/scripts/doctor-log.sh

 

I just installed policy in my lab, which is one VM (R82 T44), running both SMS and SME and has 8 cores (i9 - 14900 - far more powerful than a Smart-1 600S) and 16GB RAM, and fast NVMe storage.

I enabled about 20 new event definitions before I installed and it took about 90 seconds.

Then I enabled 10 or so more and installed again and that took 70 seconds.

Since FWM is involved and tends to use only one core that could be a bottleneck.

FWM is effectively single-threaded for policy compilation; only one core is used for the heavy work.

@Timothy_Hall  Will surely have a few words to say about FWM being involved 😉 

 

SME-PolicyInstall.png

 

SME-PolicyInstall-fwm.png

(1)
the_rock
MVP Diamond
MVP Diamond
‎2025-12-18 11:04 AM
In response to Don_Paterson
Jump to solution

I thought maybe has to do with java process consuming high memory, but since we dont have the facts about it yet, hence I asked for output of top command.

Best,
Andy
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2025-12-18 11:39 AM
In response to Don_Paterson
Jump to solution

As @Don_Paterson said, process fwm is heavily involved with installing the event policy and tuning SmartEvent.  This is why the legacy SmartEvent Policy Editor GUI is separate from the main SmartConsole GUI: only fwm can handle it.  This is also why some other legacy functions remain in the old-school SmartDashboard GUI: fwm dependency.

Unfortunately, fwm is very old and single-threaded, so the speed of operations like installing the event policy is largely constrained by the processing power of a single core.  I wasn't able to determine which processor is used in the 600-S, but its replacement, the 700, uses "Intel(R) Celeron(R) CPU J4105 @ 1.50GHz," so I would expect the 600-S to use something similar.  As you can see, they do not put high-power processors such as Xeon in their lower-end Smart-1 models.

Thankfully with each new release, responsibilities are taken away from fwm and added into cpm or other new processes.  Quite a bit of this happened for R82, and full policy installation times saw definite improvement as fwm was moved further out of the loop.  Haven't looked at R82.10 yet, but I would expect this process of getting away from fwm to continue.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
the_rock
MVP Diamond
MVP Diamond
‎2025-12-18 12:05 PM
In response to Timothy_Hall
Jump to solution

I personally found fwm is totally fine in R82, never had any problems in the lab or with any clients.

Best,
Andy
(1)
the_rock
MVP Diamond
MVP Diamond
‎2025-12-26 11:13 AM
Jump to solution

Hey brother,

Happy holidays!

Got this sorted out?

Best,
Andy
Joe_Kanaszka
Advisor
‎2025-12-29 06:48 AM
In response to the_rock
Jump to solution

Morning Andy - Happy Holidays to you as well!  Yep - just came back from Holiday.   I just marked the question as solved.  Thanks again!

the_rock
MVP Diamond
MVP Diamond
‎2025-12-29 06:49 AM
In response to Joe_Kanaszka
Jump to solution

Nice! Where did you go? : - )

Hopefully somewhere warm...I feel like these days even Antarctica is warmer than Canada haha

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events