This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Oliver_222
Participant
‎2023-10-13 05:07 AM

High CPU load on wsman TCP/5985 traffic

Once a month there is a strange behavior of CPU load.

We have configured to send events from sources to the WEC event collector on port 5985.

Usually the CPU load is normal.
But on a certain day through cpview we see that all the load is due to wsman traffic on port 5985. CPU load is 90-100% and firewall becomes even unavailable.

We tried to allow all traffic from our subnet to the WEC using fast accel, but it doesn't work.

The problem is solved only by blocking this traffic. Then we gradually allow traffic up to the WEC so that the event queue goes up to it. We allow only part of the subnet to pass traffic, then when the load is reduced we allow the next part of the subnet and so on until all subnets are in the allowed rules again.

Can you tell me what the problem might be? Can it be related to CheckPoint?

0 Kudos
1 Reply
Timothy_Hall
Legend Legend
Legend
‎2023-10-13 09:06 AM

Sounds like you are dealing with an occasional elephant flow (or flows) on this port.  What does fw ctl multik print_heavy_conn show if run within 24 hours of one of these events?  What is your code and HFA level?

If the fast_accel did not improve the situation it almost certainly means that traffic is F2F/slowpath which is immune to fast_accel definitions.  You'll have to determine why that traffic is F2F before you can improve the situation.  Once you provide your code level I'll provide further steps.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events