Re: IPads and CPU usage

Moudar · ‎2024-09-25

Hi

How is it possible that just two iPads are utilizing about 18% of the CPU on our 6500 appliance?

so, 10.10.49.173 and 10.10.34.180 are IPads and CPU usage is about 18%

These iPads were definitely downloading the latest upgrade, but what if all the other iPads did the same simultaneously? We have around 3,000 iPads on our network!

How about the idea of using SecureXL Fast Accelerator for all traffic to and from Apple, for example?

Lesley · ‎2024-09-25

Depends what blades are enabled on the fw and if you do https inspection?

What download speed are they getting via the firewall? You can see this also in cpview

Third fast accel you need to add rules based on IP so example:

Source: 10.10.49.0/24 (i pad network) destination should be any, since apple uses cloud service you cannot add 1 IP and then port 443

I assume more device are in 10.10. and therefore you don't want to whitelist based on this. In order to whitelist you need to stop inspection on the traffic, so no more IPS etc. So long story short fastaccel is more for internal traffic like backup that you do not want to inspect. In this case i don't think it is a good solution.

-------
If you like this post please give a thumbs up(kudo)! 🙂

Moudar · ‎2024-09-25

All blades are active.

The IPad network is 50Mb speed, using a limit object

I don't know exactly how fast accel works but my thought is to have source our IPad network for example 10.10.0.0/16 and destination 17.0.0.0/8, something like that?!

AkosBakos · ‎2024-09-25

Hi @Moudar

Yes, the fast accel idea is correct, but if I were you I would have a call to the Security team, to get an approval the change.

Akos

----------------
\m/_(>_<)_\m/

AkosBakos · ‎2024-09-25

Hi @Moudar

This depends on the download speed. One connection sticks to one core. Do you have information about this connection? How much traffic was generated by one iPad? Mainly througput?

The Fast Accel sk is this: https://support.checkpoint.com/results/sk/sk156672

If you set a Fast Accel rule, this traffic will be load only the SND-s -> so there could be a bottleneck.

Dynamic balancing is enabled on this gateway?

However the best way would be that, the iPads do the downloads out of this gateway
What kind of EMM or MDM solution is in use for the iPads?

Akos

----------------
\m/_(>_<)_\m/

Moudar · ‎2024-09-25

We have a limit object on URL policy that limits the speed of download to 50Mb, so no IPad can reach more than 50Mb,

 show dynamic-balancing state
Dynamic Balancing is currently On

MDM is Microsoft Intune

AkosBakos · ‎2024-09-25

Hm, and I think the iPads connecting via full tunnel VPN to the corporate network.....

----------------
\m/_(>_<)_\m/

_Val_ · ‎2024-09-25

Exactly. If Mobile Access is on, and all the traffic is routed through the VPN GW, that might be a reason. Mobile Access Blade is known to be a performance bottleneck...

AkosBakos · ‎2024-09-25

Great. 🙂

What is came into my mind is that, what if we create a split domain like in this SK for O365?

https://support.checkpoint.com/results/sk/sk167000

So we create a Group with Exclusion, and we exclude the the whole 17.0.0.0/8 ?

I asked our Intune team, and there is no possibility to handle somehow the software upgrade (like WSUS server)

I hope it helps.

Akos

----------------
\m/_(>_<)_\m/

Moudar · ‎2024-09-25

Mobile blade is active but only for VPN users to log in using "Remote Access for Windows"

All iPads connect to our Wi-Fi access points, which are directly linked to the Wireless LAN Controller (WLC) and the data center, without any VPN in between.

Maybe i am missing something here?!

Moudar · ‎2024-09-25

I hope I’ve understood your comment correctly!

All iPads connect to our Wi-Fi access points, which are directly linked to the Wireless LAN Controller (WLC) and the data center, without any VPN in between.

This is a municipal network serving schools and similar activities.

AkosBakos · ‎2024-09-25

Ohh, I see. I thought to the Remote Access VPN. In this case, this not a soluion.

The SD-WAN can solve tje problem, if all endpoints in the topology have public internet access. Maybe?

Akos

----------------
\m/_(>_<)_\m/

PhoneBoy · ‎2024-09-25

To have a meaningful discussion about how to resolve this, we need to see Super Seven output: https://community.checkpoint.com/t5/Scripts/S7PAC-Super-Seven-Performance-Assessment-Commands/m-p/40...

Moudar · ‎2024-09-25

[Expert@fw01:0]# ./7-commands
./7-commands: line 1: T: command not found
+-----------------------------------------------------------------------------+
| Super Seven Performance Assessment Commands v0.5   (Thanks to Timothy Hall) |
+-----------------------------------------------------------------------------+
| Inspecting your environment: OK                                             |
| This is a firewall....(continuing)                                          |
|                                                                             |
| Referred pagenumbers are to be found in the following book:                 |
| Max Power: Check Point Firewall Performance Optimization - Second Edition   |
|                                                                             |
| Available at http://www.maxpowerfirewalls.com/                              |
|                                                                             |
+-----------------------------------------------------------------------------+
| Command #1: fwaccel stat                                                    |
|                                                                             |
| Check for : Accelerator Status must be enabled (R77.xx/R80.10 versions)     |
|             Status must be enabled (R80.20 and higher)                      |
|             Accept Templates must be enabled                                |
|             Message "disabled" from (low rule number) = bad                 |
|                                                                             |
| Chapter 9: SecureXL throughput acceleration                                 |
| Page 278                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
+---------------------------------------------------------------------------------+
|Id|Name     |Status     |Interfaces               |Features                      |
+---------------------------------------------------------------------------------+
|0 |KPPAK    |enabled    |Sync,Mgmt,eth1-01,       |Acceleration,Cryptography     |
|  |         |           |eth1-03,eth1-04          |                              |
|  |         |           |                         |Crypto: Tunnel,UDPEncap,MD5,  |
|  |         |           |                         |SHA1,3DES,DES,AES-128,AES-256,|
|  |         |           |                         |ESP,LinkSelection,DynamicVPN, |
|  |         |           |                         |NatTraversal,AES-XCBC,SHA256, |
|  |         |           |                         |SHA384,SHA512                 |
+---------------------------------------------------------------------------------+

Accept Templates : enabled
Drop Templates   : enabled
NAT Templates    : enabled
LightSpeed Accel : disabled


+-----------------------------------------------------------------------------+
| Command #2: fwaccel stats -s                                                |
|                                                                             |
| Check for : Accelerated conns/Totals conns:  >25% good, >50% great          |
|             Accelerated pkts/Total pkts   :  >50% great                     |
|             PXL pkts/Total pkts           :  >50% OK                        |
|             F2Fed pkts/Total pkts         :  <30% good, <10% great          |
|                                                                             |
| Chapter 9: SecureXL throughput acceleration                                 |
| Page 287, Packet/Throughput Acceleration: The Three Kernel Paths            |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
Accelerated conns/Total conns    : 322/55702 (0%)
LightSpeed conns/Total conns     : 0/55702 (0%)
Accelerated pkts/Total pkts      : 81827077067/92068000877 (88%)
LightSpeed pkts/Total pkts       : 0/92068000877 (0%)
F2Fed pkts/Total pkts            : 10240923810/92068000877 (11%)
F2V pkts/Total pkts              : 441769332/92068000877 (0%)
CPASXL pkts/Total pkts           : 3381281037/92068000877 (3%)
PSLXL pkts/Total pkts            : 75181471945/92068000877 (81%)
CPAS pipeline pkts/Total pkts    : 0/92068000877 (0%)
PSL pipeline pkts/Total pkts     : 0/92068000877 (0%)
QOS inbound pkts/Total pkts      : 0/92068000877 (0%)
QOS outbound pkts/Total pkts     : 0/92068000877 (0%)
Corrected pkts/Total pkts        : 0/92068000877 (0%)


+-----------------------------------------------------------------------------+
| Command #3: grep -c ^processor /proc/cpuinfo && /sbin/cpuinfo               |
|                                                                             |
| Check for : If number of cores is roughly double what you are excpecting,   |
|             hyperthreading may be enabled                                   |
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 239                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
8
HyperThreading=enabled


+-----------------------------------------------------------------------------+
| Command #4: fw ctl affinity -l -r                                           |
|                                                                             |
| Check for : SND/IRQ/Dispatcher Cores, # of CPU's allocated to interface(s)  |
|             Firewall Workers/INSPECT Cores, # of CPU's allocated to fw_x    |
|             R77.30: Support processes executed on ALL CPU's                 |
|             R80.xx: Support processes only executed on Firewall Worker Cores|
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 221                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
no stats available
no stats available
CPU 0:
CPU 1: fw_5 (active)
lpd core_uploader cprid usrchkd rtmd vpnd in.asessiond in.msd mpdaemon pepd in.acapd wsdnsd in.emaild.smtp rad in.geod in.emaild.pop3 in.pingd pdpd fwd topod cprid msgd cpd
CPU 2: fw_3 (active)
lpd core_uploader cprid usrchkd rtmd vpnd in.asessiond in.msd mpdaemon pepd in.acapd wsdnsd in.emaild.smtp rad in.geod in.emaild.pop3 in.pingd pdpd fwd topod cprid msgd cpd
CPU 3: fw_1 (active)
lpd core_uploader cprid usrchkd rtmd vpnd in.asessiond in.msd mpdaemon pepd in.acapd wsdnsd in.emaild.smtp rad in.geod in.emaild.pop3 in.pingd pdpd fwd topod cprid msgd cpd
CPU 4:
CPU 5: fw_4 (active)
lpd core_uploader cprid usrchkd rtmd vpnd in.asessiond in.msd mpdaemon pepd in.acapd wsdnsd in.emaild.smtp rad in.geod in.emaild.pop3 in.pingd pdpd fwd topod cprid msgd cpd
CPU 6: fw_2 (active)
lpd core_uploader cprid usrchkd rtmd vpnd in.asessiond in.msd mpdaemon pepd in.acapd wsdnsd in.emaild.smtp rad in.geod in.emaild.pop3 in.pingd pdpd fwd topod cprid msgd cpd
CPU 7: fw_0 (active)
lpd core_uploader cprid usrchkd rtmd vpnd in.asessiond in.msd mpdaemon pepd in.acapd wsdnsd in.emaild.smtp rad in.geod in.emaild.pop3 in.pingd pdpd fwd topod cprid msgd cpd
All:
Interface Sync: has multi queue enabled
Interface Mgmt: has multi queue enabled
Interface eth1-01: has multi queue enabled
Interface eth1-03: has multi queue enabled
Interface eth1-04: has multi queue enabled


+-----------------------------------------------------------------------------+
| Command #5: netstat -ni                                                     |
|                                                                             |
| Check for : RX/TX errors                                                    |
|             RX-DRP % should be <0.1% calculated by (RX-DRP/RX-OK)*100       |
|             TX-ERR might indicate Fast Ethernet/100Mbps Duplex Mismatch     |
|                                                                             |
| Chapter 2: Layers 1&2 Performance Optimization                              |
| Page 28-35                                                                  |
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 204                                                                    |
| Page 206 (Network Buffering Misses)                                         |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
Kernel      Interface  table
Iface       MTU        Met    RX-OK        RX-ERR  RX-DRP  RX-OVR  TX-OK        TX-ERR  TX-DRP  TX-OVR  Flg
Mgmt        1500       0      0            0       0       0       0            0       0       0       BMU
Sync        1500       0      329575016    0       0       0       628024755    0       0       0       BMRU
bond0       1500       0      26631989142  0       0       0       60538593213  0       0       0       BMmRU
bond0.90    1500       0      873969112    0       0       0       2268163407   0       0       0       BMRU
bond0.255   1500       0      533561833    0       0       0       1474327702   0       0       0       BMRU
bond0.259   1500       0      2280983440   0       0       0       5772005086   0       0       0       BMRU
bond0.277   1500       0      106537       0       0       0       554906       0       0       0       BMRU
bond0.409   1500       0      18550183     0       0       0       10936491952  0       0       0       BMRU
bond0.418   1500       0      488310780    0       0       0       1286864766   0       0       0       BMRU
bond0.497   1500       0      7008872      0       0       0       6979566      0       0       0       BMRU
bond0.504   1500       0      10359        0       0       0       41537        0       0       0       BMRU
bond0.530   1500       0      7263047939   0       0       0       12582478714  0       0       0       BMRU
bond0.560   1500       0      41232015     0       0       0       77213221     0       0       0       BMRU
bond0.561   1500       0      77216786     0       0       0       112916427    0       0       0       BMRU
bond0.586   1500       0      15034044946  0       0       0       26010983741  0       0       0       BMRU
bond0.700   1500       0      4000190      0       0       0       2931603      0       0       0       BMRU
bond0.2053  1500       0      9745189      0       0       0       6440514      0       0       0       BMRU
eth1-01     1500       0      60293754384  0       0       0       27315239367  0       0       0       ABMRU
eth1-03     1500       0      14273332500  0       0       0       31712433868  0       0       0       BMsRU
eth1-04     1500       0      12358585857  0       0       0       28826105847  0       0       0       BMsRU
lo          65536      0      42734351     0       0       0       42734351     0       0       0       LMdNRU
vpnt10      1500       0      0            0       0       0       2854         0       0       0       MOPRU
vpnt11      1500       0      0            0       0       0       0            0       0       0       MOPRU

interface eth1-01: There were no RX drops in the past 0.5 seconds
interface eth1-01 rx_missed_errors  : 0
interface eth1-01 rx_fifo_errors    : 0
interface eth1-01 rx_no_buffer_count: 0

interface eth1-03: There were no RX drops in the past 0.5 seconds
interface eth1-03 rx_missed_errors  : 0
interface eth1-03 rx_fifo_errors    : 0
interface eth1-03 rx_no_buffer_count: 0

interface eth1-04: There were no RX drops in the past 0.5 seconds
interface eth1-04 rx_missed_errors  : 0
interface eth1-04 rx_fifo_errors    : 0
interface eth1-04 rx_no_buffer_count: 0



+-----------------------------------------------------------------------------+
| Command #6: fw ctl multik stat                                              |
|                                                                             |
| Check for : Large # of conns on Worker 0 - IPSec VPN/VoIP?                  |
|             Large imbalance of connections on a single or multiple Workers  |
|                                                                             |
| Chapter 7: CoreXL Tuning                                                    |
| Page 241                                                                    |
|                                                                             |
| Chapter 8: CoreXL VPN Optimization                                          |
| Page 256                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |
ID  | Active  | CPU    | Connections | Peak
-----------------------------------------------
0   | Yes     | 7      |        8953 |    14823
1   | Yes     | 3      |        9709 |    16804
2   | Yes     | 6      |        9519 |    15751
3   | Yes     | 2      |        9194 |    16090
4   | Yes     | 5      |        9651 |    15266
5   | Yes     | 1      |        9506 |    15967

+-----------------------------------------------------------------------------+
| Command #7: cpstat os -f multi_cpu -o 1 -c 5                                |
|                                                                             |
| Check for : High SND/IRQ Core Utilization                                   |
|             High Firewall Worker Core Utilization                           |
|                                                                             |
| Chapter 6: CoreXL & Multi-Queue                                             |
| Page 173                                                                    |
+-----------------------------------------------------------------------------+
| Output:                                                                     |



Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|            15|          85|      15|        ?|       1208992|
|   2|           7|            56|          37|      63|        ?|       1208993|
|   3|           7|            53|          40|      60|        ?|       1208993|
|   4|           6|            57|          37|      63|        ?|       1208993|
|   5|           0|            16|          84|      16|        ?|       1208992|
|   6|           5|            59|          36|      64|        ?|       1208991|
|   7|           5|            65|          30|      70|        ?|       1208992|
|   8|           6|            60|          35|      65|        ?|       1208974|
---------------------------------------------------------------------------------





Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|            15|          85|      15|        ?|       1208992|
|   2|           7|            56|          37|      63|        ?|       1208993|
|   3|           7|            53|          40|      60|        ?|       1208993|
|   4|           6|            57|          37|      63|        ?|       1208993|
|   5|           0|            16|          84|      16|        ?|       1208992|
|   6|           5|            59|          36|      64|        ?|       1208991|
|   7|           5|            65|          30|      70|        ?|       1208992|
|   8|           6|            60|          35|      65|        ?|       1208974|
---------------------------------------------------------------------------------





Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|            15|          85|      15|        ?|       5078253|
|   2|           4|            56|          40|      60|        ?|       5078256|
|   3|           4|            63|          33|      67|        ?|       5078258|
|   4|           5|            52|          43|      57|        ?|       5078255|
|   5|           0|            16|          84|      16|        ?|       5078253|
|   6|           4|            50|          45|      55|        ?|       5078249|
|   7|           2|            61|          37|      63|        ?|       5078250|
|   8|           2|            59|          40|      60|        ?|       5078180|
---------------------------------------------------------------------------------





Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|            15|          85|      15|        ?|       5078253|
|   2|           4|            56|          40|      60|        ?|       5078256|
|   3|           4|            63|          33|      67|        ?|       5078258|
|   4|           5|            52|          43|      57|        ?|       5078255|
|   5|           0|            16|          84|      16|        ?|       5078253|
|   6|           4|            50|          45|      55|        ?|       5078249|
|   7|           2|            61|          37|      63|        ?|       5078250|
|   8|           2|            59|          40|      60|        ?|       5078180|
---------------------------------------------------------------------------------





Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
|   1|           0|            16|          84|      16|        ?|        235636|
|   2|           5|            65|          30|      70|        ?|        235644|
|   3|           7|            60|          33|      67|        ?|        235642|
|   4|           6|            59|          35|      65|        ?|        235642|
|   5|           0|            15|          85|      15|        ?|        235641|
|   6|           7|            57|          37|      63|        ?|        117822|
|   7|           5|            60|          35|      65|        ?|        235644|
|   8|           5|            61|          34|      66|        ?|        235640|
---------------------------------------------------------------------------------


+-----------------------------------------------------------------------------+
| Thanks for using s7pac                                                      |
+-----------------------------------------------------------------------------+

You can also check my other post about performance:

https://community.checkpoint.com/t5/General-Topics/VPN-disturbances/m-p/226354#M37793

usnig the command: fwaccel templates -R

fwaccel templates -R

Matched connections not allowed to use templates:
% Prevention : 1.281%

Reason                                  Count      Reason Prevented From Matched %

Non-Syn/Empty First Packet              |267373    |0.802     %
Src/dst IP Blacklisted                  |159739    |0.479     %
Dynamic VPN Connection                  |2         |0.000     %
--------------------

Connections failed to create templates:
% Fail to Create : 78.011%

Reason                                  Count      Reason Fail To Create %

NON TCP/UDP PROTO                       |4714670   |1.098     %
Conn Not Accelerated                    |9176797   |2.137     %
NAT Disallowed Conn                     |47721578  |11.114    %
DHCP Check Feature Isn't Supported Or Disabled|10        |0.000     %
General Error                           |986319    |0.230     %
Malicious Destination IP Detected       |270268    |0.063     %
Prevented By Policy Rules               |272080388 |63.368    %

Prevented By Policy Rules is decreasing steadily but very slowly, about 2% per day

same is true for "%Fail to Create" also decreasing steadily but very slowly

So, i wonder why Accelerated conns/Total conns still 0%

PhoneBoy · ‎2024-09-26

What does this command say: fwaccel dbg -m general + template

Moudar · ‎2024-09-26

fw01> fwaccel dbg -m general + template
fwaccel_dbg_get_module_by_name: ERROR - unrecognized module name: 'general'
Unknown module 'general'
fw01> exp
fw01> expert
Enter expert password:


Warning! All configurations should be done through clish
You are in expert mode now.

[Expert@fw01:0]#  fwaccel dbg -m general + template
fwaccel_dbg_get_module_by_name: ERROR - unrecognized module name: 'general'
Unknown module 'general'

PhoneBoy · ‎2024-09-26

Yeah, this likely needs the full debug procedure, which is…a bit more complicated.
I strongly suggest involving TAC here.

Are you a member of CheckMates?

IPads and CPU usage