RickHoppe
Silver

Super Seven Performance Assessment Commands (s7pac)

Did you watch the excellent TechTalk 'Security Gateway Performance Optimization with Timothy Hall'?

Link to the video: https://community.checkpoint.com/videos/7987

Link to the slides: https://community.checkpoint.com//docs/DOC-3169

The presentation ended with: "As Check Point administrators, you should always quickly run the “Super Seven” commands whenever you access a firewall to check performance"

So I've created a simple script that executes all super seven performance assessment commands that were mentioned by Timothy Hall. I called the script s7pac.

 

To install the script on a Security Gateway, simply run the following command in Expert mode:

curl_cli -o /usr/bin/s7pac tools.checkpoint.engineer/s7pac && chmod +x /usr/bin/s7pac

Or download s7pac here, copy it to your Security Gateway and make it executable.

Changelog

0.1 First version

0.2 - Added check to make sure script is started on a Security Gateway

      - Output to file in home-directory (format is s7pac_$(hostname)_$(date +%Y-%m-%d-%H%M).log)

      - Include page numbers of the book Max Power: Check Point Firewall Performance Optimization - Second Edition

0.3 Added RX-DRP check. Thx to this feedback

My blog: https://checkpoint.engineer
JozkoMrkvicka
Platinum

Re: Super Seven Performance Assessment Commands (s7pac)

Regarding RX/TX errors, output of the command "netstat -ni" can be modified to show only interfaces if RX/TX errors > 0.

The same logic for SecureXL.

Kind regards,
Jozko Mrkvicka
0 Kudos
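
The filtering suggested in the post above, as an added example that is not part of the original thread or of s7pac: it prints only the interfaces whose error, drop or overrun counters in "netstat -ni" output are non-zero. The function names ifaces_with_errors and sample_netstat are hypothetical, and the sample table is constructed.

```shell
# Added example, not part of s7pac: list only interfaces whose error/drop
# counters in "netstat -ni" output are non-zero.

# Reads "netstat -ni" output on stdin. Columns are located by header name,
# so both layouts (with or without the "Met" column) are handled.
ifaces_with_errors() {
    awk '
        $1 == "Iface" {                      # header row: remember column positions
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(RX|TX)-(ERR|DRP|OVR)$/) { col[i] = $i; n++ }
            next
        }
        n == 0 { next }                      # skip the title line before the header
        {
            out = ""
            for (i = 1; i <= NF; i++)        # walk fields in order for stable output
                if ((i in col) && $i ~ /^[0-9]+$/ && $i + 0 > 0)
                    out = out " " col[i] "=" $i
            if (out != "") print $1 ":" out
        }
    '
}

# Constructed sample in the layout that includes the Met column.
sample_netstat() {
    cat <<'EOF'
Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500   0  9123456      0   1842      0  8765432      0      0      0 BMRU
eth1       1500   0   456789      0      0      0   345678      0      0      0 BMRU
eth2       1500   0    12345      3      0      0    23456      7      0      0 BMRU
lo        16436   0    99999      0      0      0    99999      0      0      0 LRU
EOF
}

# On a gateway the real input would be: netstat -ni | ifaces_with_errors
sample_netstat | ifaces_with_errors
```

The counters are cumulative since the interface came up, so a non-zero value shows that drops or errors happened at some point, not that they are happening now.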
RickHoppe
Silver

Re: Super Seven Performance Assessment Commands (s7pac)

That should be possible indeed. Unfortunately I'm not a scripting guru so I did not add intelligence to the script. If you have tips on how to achieve this with the output of netstat -ni, that would be really appreciated.

My blog: https://checkpoint.engineer
0 Kudos
Employee+

Re: Super Seven Performance Assessment Commands (s7pac)

Amazing one.

One question - why not use cpview? It contains all steps and even more :)

0 Kudos
RickHoppe
Silver

Re: Super Seven Performance Assessment Commands (s7pac)

Thanks.


While the CPView Utility can show you a lot of information while you browse through the various menus, this script merely focusses on the interesting stuff for SecureXL and CoreXL in just one “click” and especially when you need to check the performance of the firewall.

I’d recommend to use the various scripts out there like ccchealthcheck and hopefully max soon too.

My blog: https://checkpoint.engineer
Employee+

Re: Super Seven Performance Assessment Commands (s7pac)

Try to add it to command5:

detect_rx_drops() {
    # Run in a subshell at the highest priority so the two samples stay about 0.5 s apart
    (renice -20 $BASHPID > /dev/null 2>&1
    # RX-DRP is column 6 of "netstat -ni" in the layout that includes the Met column;
    # the exact match on the interface name keeps eth0 from also matching eth0.100
    rx_drp() { netstat -ni | awk -v dev="$1" '$1 == dev { print $6 }' | tail -1; }
    for DEV in $(ifconfig | grep -ie "^eth" | tr ":" " " | awk '{ print $1 }' | sort -u)
    do
        R1=$(rx_drp "$DEV")
        sleep 0.5
        R2=$(rx_drp "$DEV")
        # Skip interfaces that netstat does not list or whose counter is not a number
        case "$R1" in ''|*[!0-9]*) continue ;; esac
        case "$R2" in ''|*[!0-9]*) continue ;; esac
        if [ "$R2" -gt "$R1" ]
        then
            echo "interface $DEV: There are rx drops"
        else
            echo "interface $DEV: no RX drops"
        fi
    done
    renice 0 $BASHPID > /dev/null 2>&1)
}

RickHoppe
Silver

Re: Super Seven Performance Assessment Commands (s7pac)

Thanks! I will integrate it in the next version.

My blog: https://checkpoint.engineer
RickHoppe
Silver

Re: Super Seven Performance Assessment Commands (s7pac)

Version 0.3 released and updated with RX-DRP check. Thanks again!

My blog: https://checkpoint.engineer
Employee+

Re: Super Seven Performance Assessment Commands (s7pac)

Thanks :)

Do you think that it would also be good to add these 2 commands only for R80.20?

R80.20 - new interesting commands

# fw ctl multik utilize > shows the CoreXL queue utilization for each CoreXL FW instance

# fw ctl multik print_heavy_conn > shows the table with heavy connections

0 Kudos
RickHoppe
Silver

Re: Super Seven Performance Assessment Commands (s7pac)

Currently thinking about how to integrate those new commands in a script that was originally based on a presentation with 7 commands :-).

My blog: https://checkpoint.engineer

Re: Super Seven Performance Assessment Commands (s7pac)

Thanks Rick, Tim, all for this thread, it's being very helpful for me right now!😊

0 Kudos