Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Advisor

Super Seven Performance Assessment Commands (s7pac)

Did you watch the excellent TechTalk 'Security Gateway Performance Optimization with Timothy Hall'?

Link to the video: https://community.checkpoint.com/videos/7987

Link to the slides: https://community.checkpoint.com//docs/DOC-3169

 

The presentation ended with: "As Check Point administrators, you should always quickly run the “Super Seven” commands whenever you access a firewall to check performance"

 

So I've created a simple script that executes all super seven performance assessment commands that were mentioned by Timothy Hall . I called the script s7pac.

I'm thankful that this script is being mentioned in the third edition of the book Max Power 2020: Check Point Firewall Performance Optimization.

@Danny created a SmartConsole extension of s7pac. See this thread.

To install the script on a Security Gateway, simply run the following command in Expert mode:

curl_cli -o /usr/bin/s7pac tools.checkpoint.engineer/s7pac && chmod +x /usr/bin/s7pac

Or download s7pac here, copy it to your Security Gateway and make it executable.

.
Changelog

0.1 First version

0.2 - Added check to make sure script is started on a Security Gateway

      - Output to file in home-directory (format is s7pac_$(hostname)_$(date +%Y-%m-%d-%H%M).log)

      - Include page numbers of the book Max Power: Check Point Firewall Performance Optimization - Second Edition

0.3 Added RX-DRP check. Thx to this feedback

0.4 Updated with R80.30 references to the book Max Power 2020

My blog: https://checkpoint.engineer
Tags (1)
11 Replies
Highlighted

Regarding RX/TX errors, output of the command "netstat -ni" can be modified to show only interfaces if RX/TX errors > 0 .

The same logic for SecureXL.

Kind regards,
Jozko Mrkvicka
0 Kudos
Highlighted
Advisor

That should be possible indeed. Unfortunately I'm not a scripting guru so I did not add intelligence to the script. If you have tips how to achieve this with the output of netstat -ni that will be really appreciated.

My blog: https://checkpoint.engineer
0 Kudos
Highlighted
Employee+
Employee+

Amazing one.

one question - why not using cpview? it contains all steps and even more Smiley Happy

0 Kudos
Highlighted
Advisor

Thanks.


While the CPView Utility can show you a lot of information while you browse through the various menus, this script merely focusses on the interesting stuff for SecureXL and CoreXL in just one “click” and especially when you need to check the performance of the firewall.

I’d recommend to use the various scripts out there like ccchealthcheck  and hopefully max  soon too.

My blog: https://checkpoint.engineer
Highlighted
Employee+
Employee+

try to add it to command5:

detect_rx_drops() {
(renice -20 $BASHPID > /dev/null 2>&1
for DEV in `ifconfig | grep -ie "^eth" | tr ":" " " | awk '{ print $1 }' | sed -e 's/^[ \t]*//' | sed '/^$/d'`
do
R1=`netstat -ni |grep -w "$DEV"| grep -v "lo" |awk '{ print $6 }' | tail -1 | grep -v "RX-DRP" | sed -e 's/^[ \t]*//' | sed '/^$/d'`
sleep 0.5
R2=`netstat -ni |grep -w "$DEV"| grep -v "lo" |awk '{ print $6 }' | tail -1 | grep -v "RX-DRP" | sed -e 's/^[ \t]*//' | sed '/^$/d'`
RXPPS=`expr $R2 - $R1`
if [ "$R2" -gt "$R1" ]
then
echo "interface $DEV: There are rx drops"
else
echo "interface $DEV: no RX drops"
fi
done
renice 0 $BASHPID > /dev/null 2>&1)
}

Highlighted
Advisor

Thanks! I will integrate it in the next version.

My blog: https://checkpoint.engineer
Highlighted
Advisor

Version 0.3 released and updated with RX-DRP check. Thanks again!

My blog: https://checkpoint.engineer
Highlighted
Employee+
Employee+

Thanks Smiley Happy 

Do you think that it also be good to add these 2 commands only for R80.20?

R80.20 - new interesting commands 

# fw ctl multik utilize   > shows the CoreXL queue utilization for each CoreXL FW instance

#  fw ctl multik print_heavy_conn   > shows the table with heavy connections

0 Kudos
Highlighted
Advisor

Currently thinking about it how to integrate those new commands in a script that was originally based on a presentation with 7 commands :-).

My blog: https://checkpoint.engineer
Highlighted

Thanks Rick, Tim, all for this thread, it's being very helpful for me right now!😊

Highlighted
Advisor

s7pac has been updated to version 0.4 with references to the third editon of Max Power 2020: Check Point Firewall Performance Optimization when running this script on R80.30. 

My blog: https://checkpoint.engineer
0 Kudos