Is this based on a particular R81.20 experience, or are you just venting? Tags or not, this comment is not helping anyone, in my opinion.

Wow. I jumped from Firewall-1 3.0b to NG AI R55 almost 20 years ago, and that already seemed like a giant leap.
I don't think many people here realize how old this stuff is.
By 2017, they were using security software from 1997. Just wow.

R55 is oldest I remember. Im sure I was still a teenager during Firewall-1 3.0b code...yup, googled when it came out and I was 19 back then 😊

The first version I worked with was FireWall-1 2.0...back in 1996. 🙂

1996, what a year...I think that was the year I first played chess on the computer in this s***ty yellow-ish color haha. But, back in eastern Europe where we lived, we were happy if someone gave us CD to listen to LOL

And your own website and FAQ instantly became a reference for everyone working with Check Point firewalls! 👍

hi @Pedro,

i will be happy if you can share the case with me and i will try to assist.

Thanks,

Ilya 

Hi Ilya,

Thanks for the help. I will tell you the SR number in a direct message.

PM

Hi @Pedro_Madeira ,

i got it, will review and back to you on Sunday.

Thanks,

Ilya 

@Pedro_Madeira , you are in good hands man, @Ilya_Yusupov helped me and my colleague with ISP redundancy weird issue, he is EXCELLENT!!

Yeps,

I'm already interacting with Ilya which is great.

Thanks the_rock

Im sure it will be solved with @Ilya_Yusupov involved.

@Pedro_Madeira,

i answered also privately but also wanted to share the thread, based on the latest files you shared with me, we see an issue with MAB portal, we saw high amount of processes ~2k related to MAB portal.

we have a solution written in sk173663, please follow the instructions there and update if it's resolved the issue,

Thanks,

Ilya  

Hello,

In response to @Ilya_Yusupov and to give everyone more context, Ilya suggested following sk173663 which is an internal SK. Basically due to the re-design of VPN RA and MAB, an issue cropped up related to the unlimited spawning of processes which consumes memory as they keep cropping up.

When I saw Ilya's instructions, I remembered that I applied this same solution to another customer more than a year ago, as suggested by TAC, so this problem is still lingering in R81.10 and probably in R81.20.

I applied the solution to the current case I'm handling and now we'll monitor the cluster state and memory increase to determine if the problem is solved.

Thank you to Ilya for the extra mile in helping me solving this case.

Pedro Madeira

@Ilya_Yusupov is awesome, he was super responsive to my colleague and I for weird ISPR issue, I had never seen someone so dedicated to solving an issue. Fantastic human being.

Ilya is a great TAC engineer!

Well, he is a group manager, but as I always say, titles mean absolutely nothing, what matters is a person themselves and he is truly one of a kind, in a best way possible.

Hi,

first of all i'm happy to assist so feel free to contact me whenever you need an assistance :).

Second i'm a QA group manager responsible for FW, SSLi, VPN, IDA and all CP infra, coreXL, SXL and streaming path.

last @Pedro_Madeira  - i will take it with RnD owners to check how fast we can solve this issue and making the SK to be public for meanwhile.

Thanks,

Ilya 

Hey @abihsot__ ,

Let me test that tomorrow and report back.

Andy

@abihsot__ Can you please provide exact command you ran?

Not really snmp guru at all, but below is what I have:

[Expert@quantum-firewall:0]# snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.2620.1.6.7.2.3
SNMPv2-SMI::enterprises.2620.1.6.7.2.3.0 = Gauge32: 6
[Expert@quantum-firewall:0]#

oh, yes, sorry, I should have provided the full command to replicate the issue, but you got it right.

So essentially unless your gateway is very busy, you should not get "6". Try the same command with any other gateway (R80.40, R81.10) and it should give you back accurate result.

Anyway, registered TAC case, because for me it looks like a bug, unless IDLE time was moved intentionally to another SNMP OID

K, gotcha...never really paid attention to it, but keep us posted what they say. I see what you mean...below is for R81.10

[Expert@cp-firewall:0]# snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.2620.1.6.7.2.3
SNMPv2-SMI::enterprises.2620.1.6.7.2.3.0 = Gauge32: 72
[Expert@cp-firewall:0]#

Hi @abihsot__ ,

Mt name is Naama Specktor and Ia mcheckpoint employee ,

I will appreciate it if you will send me the TAC SR # , here or in PM.

Thanks!

Naama 

Just to further update you, this could be inconsistent, because I got totally different output after I tested this 4 hours later...

Andy

login as: admin
Pre-authentication banner message from server:
| This system is for authorized use only.
End of banner message from server
admin@172.16.10.205's password:
Last login: Wed Jan 18 16:17:42 2023 from 172.16.10.103
[Expert@quantum-firewall:0]# snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.2620.1.6.7.2.3
SNMPv2-SMI::enterprises.2620.1.6.7.2.3.0 = Gauge32: 95
[Expert@quantum-firewall:0]# fw ver -k
This is Check Point's software version R81.20 - Build 703
kernel: R81.20 - Build 597
[Expert@quantum-firewall:0]#

This is how it looks if you plot it on the graph after the upgrade to R81.20. While testing with snmpwalk you might got into peaks.

So the sum of below three items should be 100, which is no longer the case in R81.20.

I assume you got that graph from SV monitor, but either way, I can see lots of things fluctuating in my lab as well and I only have single windows behind it, so definitely makes no sense. Never used to happen in R81 and R81.10.