This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Diego_dg
Collaborator
‎2018-09-11 01:39 AM

FTP causes 100% CPU on one core

Hello, we have noticed that uploading some kind of files from the inside network to the internet using FTP causes one of the cores of the appliance to reach 100% during the file transfer. Using cpview (PM-Stats) we see that PM: 183_CMI_ADVANCED_PATTERNS_DATA_ seems to be responsible for this high CPU use, but if we disable the IPS (ips off) the issue remains. The same FTP goes through other checkpoint firewalls that don't show this behaviour. Please, have somebody experienced this issue?

Thanks in advance.

17 Replies
G_W_Albrecht
Legend Legend
Legend
‎2018-09-11 03:07 AM

Your issue sounds like sk105411 When transferring a large file via FTP, fw_worker process consumes 100% CPU     

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Diego_dg
Collaborator
‎2018-09-11 03:21 AM

Thanks for your help! yes, the behaviour is very similar, but SYN attack protection is not enabled (and we have a Take newer than the one that fixed the issue)... 

I forgot to especify that the issue only happens with certain kind of files, usually with: Material eXchange Format (MXF) (professional audio and video files)

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-09-11 05:18 AM
In response to Diego_dg

Then i would compare the configuration of the GWs that do not show the issue with the one that does - maybe differences in TP config ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Diego_dg
Collaborator
‎2018-09-11 05:43 AM
In response to G_W_Albrecht

Yes, the main difference between both GWs are the blades: the problematic GW has IPS, APP & URLF and TE, the other GW that doesn't show this behaviour has only AV & AB (we moved AV&AB from the other GW to check if this could fix, the issue but it didn't)

We suspect IPS could be the cause, but disabling it (through "ips off" command) doesn't fix the issue

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-09-11 06:31 AM
In response to Diego_dg

Disabling IPS is not such a good idea - but i would exclude FTP to internal server from all TP (as it is not needed at all) to see if that resolves the issue.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Diego_dg
Collaborator
‎2018-09-11 06:41 AM
In response to G_W_Albrecht

Yes, I agree, we only did it for testing. We already had created an exception for this traffic on IPS and also excluded it on TP and it didn't fix the issue.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2018-09-11 03:47 PM
In response to Diego_dg

I'm assuming the core hitting 100% is a Firewall Worker core (kernel instance) and not an SND/IRQ core.

After running "ips off" did you start a completely brand new FTP connection?  If the FTP connection is already established and passing data, running "ips off" then will not have any effect as it is only applied to new connections.

As a test, try disabling APCL/URLF, installing policy and run the FTP transfer again.  If it substantially improves (and I suspect it will) you need to rework your APCL/URLF policy to ensure FTP traffic does not match any rule invoking APCL/URLF.  In an ordered layer this means the FTP traffic "falls off" the end of the APCL/URLF layer without matching any APCL/URLF rule at all.  There is no way to define an explicit APCL/URLF rule to achieve this same effect.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Diego_dg
Collaborator
‎2018-09-12 02:54 AM
In response to Timothy_Hall

Thanks! it seems that the APCL/URLF could be the cause of the issue: we disabled all the rules and the issue didn't appear, we are moving the rules to the other firewall and check the behaviour for a longer period of time.

Diego_dg
Collaborator
‎2018-09-12 06:30 AM

We moved the APCL/URLF rules to the other GW and disabled the blade on the first one and now the issue is on the second GW, so it seems that this especific format of file and the APCL/URLF blade doesn't deal well together... we would need to find out what APCL/URLF rule is hitting this traffic... 

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-09-12 07:51 AM
In response to Diego_dg

I would exclude this traffic from TP completely - as you can assume that it is not infected anyway and not downloaded but uploaded, this could make much sense...

ALso you should see the rule hit in logs...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Diego_dg
Collaborator
‎2018-09-12 08:01 AM

Yes, we have excluded it from TP, but the problem is with some Application Control rule that we still have not identified... and there is no way to configure exceptions on Application Control, as far as I know...

0 Kudos
Vladimir
Champion
Champion
‎2018-09-12 10:56 AM
In response to Diego_dg

Give this a shot:

0 Kudos
Diego_dg
Collaborator
‎2018-09-12 10:12 PM
In response to Vladimir

Thanks! but I think this screen is from R80.10 and we are running R77.30, there is a similar screen on R77.30 but is for IPS exceptions, not for APCTL/URLF

0 Kudos
Diego_dg
Collaborator
‎2018-09-20 06:43 AM

Hi again, we are still making tests (we should not impact on the service, so testing is a slow process...), we have confirmed that the APCTL/URLF is the cause of the issue, but the behaviour is a bit odd: the issue appears even with no rules on the APCTL/URLF policy. I mean, we enabled again the blades with all rules disabled and we noticed that since then, some traffic causes again very high use of CPU on some cores (around 80%)... 

0 Kudos
Diego_dg
Collaborator
‎2018-09-25 11:11 PM

Hi! the issue is fixed (thanks to checkpoint support). Putting the FTP negated service on all the APCTL/URLF rules that this traffic could hit did the trick.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2018-09-26 05:12 AM
In response to Diego_dg

So you exposed the Service field of the R77.30 APCL/URLF policy, added FTP to a rule then negated that service, essentially causing a condition where no APCL/URLF rule was matched for FTP connections, correct?

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Diego_dg
Collaborator
‎2018-09-26 05:25 AM
In response to Timothy_Hall

Yes, it's correct. After doing this, ftp transfers don't cause 100% CPU use anymore. 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events